Mistakes I: Using Home Computer Software on Business Machines

We’ve all done it: we grab a copy of Norton Antivirus™ to install on our brand-spanking-new office machine, thinking it will keep us safe. Resist this urge; here’s why.

The Problem

Most over-the-counter antivirus products are now designed to protect you from many forms of Internet assaults, but they do not operate well over a network. On your business network you want a product that persistently watches over everything going in and out of your machine and the other machines that may be sharing the network. If you don’t take this precaution, your network could be at risk of being taken over by what’s referred to as a “Hacker Collective”…and that is no fun!

The Solution

Use a corporate-grade antivirus protection program that is built to work over a network. This will give you added protection. You’ll be doing more checks and scans on everything that goes in and out of your system. Your home software doesn’t care that your machine has a trust relationship with your central file server and that it’s already doing its own scans. AV Blaster Home Premium Plus, a popular home product, will blindly scan files all day long and check that all your network traffic is clean. It will continually scan your web pages for problems, check your e-mail, and on and on.

But your network hardware, that you paid good money for, is already doing most of this for you.

Have the proper systems in place to do the job right. Your goal is to have security from the outside world, tight controls on internal security, and everything running fast with as little effort as possible. Corporate products are designed to “just work” without requiring the person at the computer to know anything, and they send any event to a central event console so you don’t need to go to individual machines to find out if there’s an issue.

Enfold I.T.’s recommended plan of attack is to:

  1. Set up a corporate firewall to protect you from the outside world. This is your first line of defense against people trying to get in. This negates the need to have a powerful software firewall on each machine. The default Windows™ firewall will work just fine to keep out stray connections as long as your main firewall is taking the brunt of the attacks. Don’t skimp on this. If it says Linksys® on the front, it’s not the right tool for the job.
  2. Use a corporate antivirus product, like Symantec® Endpoint Protection or Nod32® Corporate. They are all priced comparably with the home versions but include automatic distribution (so all machines get virus protection installed when they join your network) and central monitoring/configuration. Now you can track who’s getting viruses and which machines are protected, and you can change the filtering settings remotely. Plus, you can lock it down so that people can’t just turn it off.
  3. Don’t scan everything. Hear me out on this one. Most virus protection products just do what they are told. By default, this is usually to scan everything. While fine on end-user machines, on servers this can be a problem. Take a server running Microsoft™ SQL Server, Exchange™, or QuickBooks™; these applications have a set of large files that are constantly read from and written to. There are no known exploits that can make use of them, and scanning them can greatly slow down access.
  4. Use operating system permissions to keep out problems. Many viruses spread by finding unprotected file shares and replacing files. Don’t let end users share out their “C” drives. Certainly don’t let them share anything that won’t use a password to protect the share. Microsoft has a program that checks for many of these issues, the Microsoft Baseline Security Analyzer. It’s fairly easy to use and is a good thing to run every month to check for these types of issues.
  5. Use UAC. With Windows 7 out in full force, the much-maligned UAC feature stops a huge number of attacks. You should read the little pop-up and dark screen of Windows announcing, “Do you mind if this program is given enough permissions to destroy your computer?”
  6. If your users don’t install software and should be locked down, consider application whitelisting instead of or on top of virus protection.
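
One way to check the two conditions in step 4 on a single machine, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (for the SmbShare and LocalAccounts modules) and an elevated prompt; the function name `Get-RiskyShare` is hypothetical.

```powershell
# Added example: audit local SMB shares for whole-drive shares and for
# share permissions that do not require a real account to get in.
# Assumes the SmbShare and LocalAccounts modules and an elevated prompt.

function Get-RiskyShare {
    [CmdletBinding()]
    param()

    # The built-in Guest account always has a SID ending in -501, even if renamed.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $guestEnabled = [bool]($guest -and $guest.Enabled)

    # -Special $false skips the built-in admin shares (C$, ADMIN$, IPC$).
    foreach ($share in Get-SmbShare -Special $false) {
        $findings = @()

        # A path such as "C:\" means an entire drive is shared out.
        if ($share.Path -match '^[A-Za-z]:\\?$') {
            $findings += 'shares an entire drive root'
        }

        # Share-level ACL: flag Allow entries for Everyone, Guest(s) or anonymous.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $broad = $ace.AccountName -match '(^|\\)(Everyone|ANONYMOUS LOGON|Guests?)$'
            if ($ace.AccessControlType -eq 'Allow' -and $broad) {
                $findings += '{0} allowed {1}' -f $ace.AccountName, $ace.AccessRight
                # Everyone includes Guest, so an enabled Guest account
                # turns this entry into access without a password.
                if ($guestEnabled) {
                    $findings += 'Guest account is enabled'
                }
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Share    = $share.Name
                Path     = $share.Path
                Findings = ($findings | Select-Object -Unique) -join '; '
            }
        }
    }
}

Get-RiskyShare | Format-Table -AutoSize -Wrap
```

An empty result means no user-created share matched either condition. This looks only at share-level permissions, so NTFS permissions on the shared folder still need their own review.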

We tie all this into our monitoring system so we know when issues arise and can respond. You’ll need to set up alerts or just check on it weekly to make sure things are OK.

Conclusions

Protect yourself at the office:

  • Use the centrally managed offerings from the various virus protection vendors to save yourself a lot of grief down the line.
  • Configure the software correctly for the machine it is running on. Exclude large databases or files that can’t be used to compromise your system.
  • Let the network firewall handle the brunt of the network protection. Let the default OS firewall do the local protection.
  • Get a network firewall that can handle scanning for malware. The home firewalls are ill-equipped to do this.