Antivirus Policy and Procedure Best Practices

Antivirus Policy Best Practices

The primary purpose of an anti-virus solution is to guard against malicious software or scripts by blocking or quarantining any that it identifies and alerting administrators that such action has taken place. The solution would detect and report on the different types of malicious software that may be introduced to, or installed on, the systems and network, including endpoints such as mobile devices, desktops, laptops, servers, etc.

Where should antivirus software be installed?

An enterprise-level anti-virus solution should be installed on all systems and devices (e.g. servers, laptops, desktops, mobile devices). Anti-virus software should also be deployed on the network, including internet gateway, servers and end-user systems for protection from malicious code. The anti-virus solution should be properly maintained and updated accordingly.

Centrally managed, up-to-date anti-spam and anti-malware protection should be implemented at information system entry/exit points of the network and on all devices.

How often should it scan?

Scans for malicious software packages or scripts should be performed on boot and at least every twelve (12) hours. The anti-virus solution should perform periodic scans on electronic/optical media, files received over networks, electronic mail attachments, downloads, and web traffic to identify and remove malicious software. Anti-virus or anti-malware software should be installed, running, and updated on all devices to conduct periodic scans of the system to identify and remove unauthorized software. Antivirus should be centrally managed, and users should not be able to disable it.

Malicious code that is identified should be blocked or quarantined, and an alert should be sent to the administrators. Audit logs of the scans should be kept for future reference (e.g. audit, forensic investigation).

What about systems not commonly affected by malware?

For systems considered to be not commonly affected by malicious software, periodic assessments should be performed to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Compliance Best Practices

End-users of devices should be restricted from installing unauthorized software from external networks such as the Internet. All employees and contractors should be appropriately trained and made aware of their responsibilities or restrictions of installing unauthorized software.

Unauthorized software on information systems should be promptly identified and prevented from executing in accordance with the list of authorized software programs and rules authorizing the terms and conditions of usage. Systems should employ an allow-all, deny-by-exception policy to prohibit execution of known unauthorized software. Reviews and updates to the list of unauthorized software programs should be performed annually.

The Sender Policy Framework (SPF) should be implemented by deploying SPF records in DNS and enabling receiver-side verification in mail servers to lower the chance of spoofed email messages.
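A published SPF record only helps receiver-side verification if it actually ends in a restrictive result. The following added example (not part of the original article) lints SPF TXT records offline for the common weaknesses; the function name, the sample records and the example.net domains are constructed for illustration.

```python
# Added example: offline lint of SPF TXT records (constructed samples, placeholder domains).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS query
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror


def lint_spf(txt_records):
    """Return findings for the TXT records published at a single domain."""
    spf = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]

    lookups, all_qualifier, has_redirect = 0, None, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1  # counts this record only; nested includes add more
        if name == "redirect":
            has_redirect = True
        elif name == "all" and all_qualifier is None:
            all_qualifier = qualifier

    findings = []
    if all_qualifier == "+":
        findings.append("+all authorizes every sender")
    elif all_qualifier == "?":
        findings.append("?all is neutral: spoofed mail is not failed")
    elif all_qualifier is None and not has_redirect:
        findings.append("no all/redirect: unlisted senders get neutral")
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}")
    return findings


if __name__ == "__main__":
    samples = {  # constructed records
        "restrictive": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
        "permissive": ["v=spf1 include:_spf.example.net +all"],
        "unterminated": ["v=spf1 mx"],
    }
    for label, records in samples.items():
        print(label, lint_spf(records) or "ok")
```

The lookup count covers only the terms in the record itself, so a record that passes here can still exceed the limit once its includes are resolved.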

Anti-exploitation features (e.g., Data Execution Prevention [DEP] and Address Space Layout Randomization [ASLR]) should be enabled on operating systems, if possible. Anti-exploitation protections should be applied to a broader set of applications and executables by deploying additional capabilities, such as the Enhanced Mitigation Experience Toolkit. The requirements should be fully assessed by the organization prior to implementation due to potential difficulties (compatibility issues, etc.). The information system implements safeguards to protect its memory from unauthorized code execution.

Network-based anti-malware tools should be used to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.

Additional Guidance

At a minimum, the antivirus standard should include the following:

  • Virus protection should be installed on every machine on the network.
  • All anti-virus clients, servers, and gateway products should be kept actively running and capable of generating audit logs at all times.
  • The master installation of the software should be enabled for automatic updates and periodic scans, and the servers should also have these features enabled.
  • The master installation should automatically push updates out to the systems and devices on the network.
  • Updates to e-mail gateways, server systems, and end-user systems should occur within one (1) hour of receipt of software updates.
  • Specific actions should be taken to protect against mobile code performing unauthorized actions. Mobile code protection should be implemented and regularly updated to include anti-virus and anti-spyware.
  • Automated controls (e.g. browser settings) should be in place to authorize and restrict the use of mobile code (e.g. JavaScript, ActiveX).
  • Rules for the migration of software from development to operational status should be defined and documented by the organization hosting the affected application(s), including that development, test, and operational systems must be separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system.

What is spyware and why is it dangerous?

Spyware is a type of malware that gathers information without the user’s knowledge or consent. It then reports that information back to the malware author who can use it for any type of purpose. It might be identity theft or gaining access to financial accounts or even in some cases, espionage. Spyware uses many different techniques.

Keystroke loggers capture every key a user presses. Then they might report everything back to the malware author or they might monitor visits to certain websites and capture the usernames and passwords used to access banks or other sensitive sites. Some spyware monitors web browsing. This might be used to later target advertising to that user or report back on user activity. And finally some malware actually reaches inside a system and searches the hard drive and cloud storage services used by that user, seeking out sensitive information. It might search for social security numbers or other details that could be useful in identity theft.

How does ransomware attack work?

Ransomware blocks a user’s legitimate use of a computer or data until a ransom is paid. The most common way of doing this is encrypting files with a secret key and then selling that key for ransom.

An example is the CryptoLocker ransomware. CryptoLocker had a major outbreak starting in 2014 and continues to be prevalent today. It usually arrives in a user’s inbox as an attachment to an email message, and when the user opens that attachment, CryptoLocker encrypts many files on the hard drive using strong RSA encryption. These might include office documents, images, etc., the files that are most important to end-users. The decryption key for those files is kept on a server under the control of the malware author, and the user is given a deadline to pay a ransom of several hundred dollars.

Should you pay? Now your first response might be to say no, you don’t want to benefit the malware author. But it’s a very difficult question when it’s your files that have been encrypted and are no longer accessible.
A recent survey showed that over 40% of those infected with CryptoLocker actually did pay the ransom. And an analysis of Bitcoin payments shows that the malware authors have received over $27 million to date.

Fortunately, there are things that you can do to prevent malware infections on systems under your control by following the recommendations and best practices in this article.
