Malware Defensive Strategy

Hello everyone,

This is a basic overview of the reasonable malware defensive strategy that everyone in business should have.  Some will have more, but no one should have less.  This basic information is likely known by all, or so I thought, but this week I learned differently.  So what I describe here is a defense in depth to minimize the impact of malware.  This is about educating everyone so that you can talk about this and understand what you need.

1 – Firewall

I like to do this one first if I am starting from scratch.  Most firewalls today will allow you to enable, or add, the ability to watch incoming HTTP / FTP traffic for malware.  This is often called an inline proxy.  It is designed to stop inbound threats from using HTTP to penetrate your defenses.  In the old days, and still sometimes today, we blocked all external web mail providers to help minimize this threat: people inside the company would check something like Gmail or Hushmail and open spam that infected their office PC, so blocking access to external mail providers prevented that.  In addition, I like to make sure the firewall scans outgoing traffic too, since I think we need to be responsible Internet citizens.  But make sure all unnecessary stuff is blocked – so, for example, only the mail server should be able to go out on port 25 and nothing else.
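
As an added example (not from the original post), here is what the "only the mail server goes out on port 25" rule looks like as an nftables ruleset on a Linux firewall.  The addresses and interface names are assumptions: LAN 192.0.2.0/24 on eth1, mail server 192.0.2.25, Internet on eth0.

```nft
#!/usr/sbin/nft -f
# Added example, not the post's own configuration.
# Assumed layout: LAN on eth1 (192.0.2.0/24), mail server 192.0.2.25, WAN on eth0.

table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were already permitted.
        ct state established,related accept

        # Only the mail server may open outbound SMTP sessions.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.25 tcp dport 25 accept

        # Any other internal host trying to speak SMTP directly is logged and dropped;
        # the log line is worth watching, a workstation sending mail itself is a
        # common sign of an infection.
        iifname "eth1" oifname "eth0" tcp dport 25 log prefix "EGRESS-SMTP-DENY " drop

        # Ordinary web traffic from the LAN (ideally passing the inline proxy).
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept

        # Everything not listed above falls through to the chain's drop policy.
    }
}
```

Load it with nft -f and review the EGRESS-SMTP-DENY entries in your firewall log; each one names an internal host that tried to bypass the mail server.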

2 – Workstations

Here we use anti-malware software.  It can be configured in a variety of ways, but generally we need it to watch in real time for threats, then neutralize and quarantine them.  Central configuration and management is important, as are scheduled scans with randomized start times to minimize the impact on the company as a whole.  Hopefully the software you use has some sort of smart system so that during the scheduled scan it only scans files it has not previously scanned.

3 – Servers

Here too we use anti-malware software.  It is often configured similarly to workstations: it watches in real time for threats, but it often also watches any CIFS share for threats as well.  Central configuration and management is important, as are scheduled scans with randomized start times to minimize the impact on the company as a whole.  Hopefully the software you use has some sort of smart system so that during the scheduled scan it only scans files it has not previously scanned.

Some things to be aware of that can change what is described above:

  • Depending on your anti-malware software you may have additional options:
    • It may provide firewall or intrusion detection / prevention software.  This is a good thing to have, but it increases administration from a little to a lot; if you can manage it, then you should strongly consider using this extra security option.  It will perhaps stop malware from having an impact, but it might also stop malware from spreading!  This is particularly good on machines that occasionally or frequently leave your defenses and wander in the wild west known as the world.
  • If you are using VMware virtualization you have some excellent options to improve resource usage, security, and performance by offloading your anti-malware activities from the workstations and servers.  Most anti-malware vendors have an option that works with vCNS or NSX.  This is an excellent option as it is more efficient, but it also means your workstations or servers are not as impacted and you have fewer management points!
  • It is critical to keep your anti-malware software updated, and the definitions too.
  • Anti-malware software works – generally speaking – with two different methods: signatures and anomalous behavior.  This is quite important to understand.  Signatures mean the vendor has seen the malware before, has analyzed it, and can recognize it again – and stop it.  That is excellent, and in the past it caught most malware; however, today it is reported to catch much less.  Anomalous behavior detection flags something that acts like malware but has not been identified as malware, so it is tricky, but it is very important.  You need to use both of these capabilities today to have any chance of blocking malware.

4 – Next Steps

Even if you do everything right above, and use the best software with the toughest settings, you will still be impacted so there are other things you need to do so that you minimize impact.

  • Practice least privilege.  This means that all your users should do their everyday work as normal users and not as domain admins.  When they need to do domain admin, or root, work, then they use that account, but not all of the time.  This means that if one of your admins lets something in, there is a chance it will spread with the rights of a user and not with the rights of an admin.
  • Keep your operating systems updated.  No matter if they are OS X, Linux, or Windows, they need to be kept current.  Patch as patches become available.  If you are a big company and have someone testing them, that is great, but get the patches out as soon as possible.  Patches make sure known problems in the operating systems are not available for exploit.  This is, of course, a never-ending race.
  • As mentioned above, keep your anti-malware software current: the applications themselves and the definitions.
  • Keep your applications patched too.  This is particularly important for the applications that are very common, like Flash, Acrobat Reader, and Microsoft Office.
  • Have good security.  Use AD or file system security to secure what needs securing.  This is not just at the operating system level, but in apps too.  People should only have access to what they need access to.  Again, this will limit the spread of malware.
  • Have good backups, and know how they work.  Know how often they run too.  You will need to be familiar with your backup tools, as you might need to do a security-type restore one day, and you should understand clearly which point in time you are restoring from.
  • One of the things I like to do is use the logs.  I have everything I can configure to report to syslog configured to do that.  That means storage, networking, firewall, security apps, Windows, Linux, applications, vCenter, ESXi, and anything else.  That allows me to easily watch or investigate.  I also make sure I have consistent time everywhere so that I can track things in the logs.  This will help me track where things started, and that is often very handy indeed.

5 – Education – Very important!

This is the most important thing.  Again, even with everything above, you still may be impacted one day.  So you must teach your users so that they are the final protection.  Some things to talk with them about are:

  1. Don’t click on, or open, or download, anything they don’t understand.
  2. Their bank will never ask them to type in their password, or ask them for their PIN.
  3. They should know how to do updates and backups on their own system.  Maybe they wait for notice from IT, or maybe they do their own updates, but whatever the system, they need to do it and understand how to do it.

I hope that this helps, and if you have questions let me know.
