Sunday, 25 January 2009

Viruses and the aftermath

I'd never seen so many viruses before... I wished I had a memory stick with a write-protect switch, as whenever I used it to transfer antivirus software etc. I ran the risk of it being infected.

Up-to-date virus definitions are essential here more than anywhere. At the school we used NOD32, as the school had a licence for the Enterprise version, which like many enterprise versions allows the virus definitions to be downloaded to a central location from which the client computers get their updates, thus minimising use of the limited bandwidth to the internet.

For personal computers AVG Free or Avast Home can be used. As the school I was at had a very slow dial-up connection, I tried to keep a reasonably up-to-date copy of the virus databases on my computer and updated it whenever I had a good internet connection. With AVG you can download the latest virus definitions from http://free.avg.com/download-update
With Avast the updates are at http://www.avast.com/eng/updates.html

One of the most common infection routes is USB disk drives and Autorun, so we have turned off Autorun on all the client computers. The Microsoft article "How to correct "disable Autorun registry key" enforcement in Windows"
(http://support.microsoft.com/kb/953252)
is the most recent article on Autorun that I could find, and it explains why editing the registry keys/group policy didn't work when I first tried it! Note that you can't use Group Policy on XP/Vista Home editions; they have no Group Policy editor, but the underlying registry policy values can still be set directly.
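As an added example (not part of the original post), this is how to set the Autorun registry policy directly rather than through Group Policy, which also covers the Home editions. It assumes PowerShell 2.0 or later and an elevated prompt, since the HKLM key needs administrative rights. The HonorAutorunSetting value is the one the KB953252 article describes; it only has an effect once the update from that article is installed, which is assumed here.

```powershell
# Added example, not from the original post: disable Autorun for all drive
# types by setting NoDriveTypeAutoRun = 0xFF under the Explorer policy key,
# in both the machine and the current-user hive, then read the values back.
# Assumes PowerShell 2.0+ and an elevated prompt (HKLM needs admin rights).

$explorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive $explorerPolicy
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0xFF = every drive type bit set: unknown, removable, fixed, network, CD-ROM, RAM disk.
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Make Windows honour NoDriveTypeAutoRun when it parses Autorun.inf. This is the
# value introduced by the KB953252 update; without that update it is ignored
# (assumption: the update is installed on the target machine).
Set-ItemProperty -Path "HKLM:\$explorerPolicy" -Name 'HonorAutorunSetting' -Value 1 -Type DWord

# Verify: both hives should now report 0xFF. The HKLM value wins if they differ.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Join-Path $hive $explorerPolicy
    $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    '{0} NoDriveTypeAutoRun = 0x{1:X2}' -f $hive, $value
}
```

Setting the policy under HKLM means it applies to every account on the machine, which is what you want on a shared school PC. Disabling Autorun stops the Autorun.inf on an infected stick from launching anything automatically; it does not stop a user double-clicking a disguised executable, so the up-to-date antivirus is still needed.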

On computers that are infected with a virus, starting up in Safe Mode will give you the best chance of disinfecting them.

Reenabling registry editing

Many viruses disable registry editing to make it difficult to remove their payload. I use regtools.vbs from http://www.dougknox.com/security/scripts/regtools.vbs

Reenabling Find/Search

This script will re-enable the Find/Search functions: http://www.dougknox.com/security/scripts/find.vbs

Reenabling Task Manager

One virus I came across disabled Task Manager, and if you re-enabled it and did manage to start Task Manager, the virus would kill Task Manager unless you were quick enough to kill the virus first. This is why it is recommended to start in Safe Mode, where only the basic Windows functions are started.
The registry value is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Set it to 0 (or delete the value) to undo the disable, i.e. enable Task Manager.

Note that on Vista you will need to run the scripts above with administrative privileges.
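As an added example covering the three sections above (it is not one of the dougknox.com scripts the post links to), the following removes the policy values that malware sets to block regedit, Find/Search and Task Manager. It assumes PowerShell 2.0 or later; the value names DisableRegistryTools and DisableTaskMgr (under Policies\System) and NoFind (under Policies\Explorer) are the standard ones, and removing a value restores the Windows default. Running it elevated also clears copies set under HKLM.

```powershell
# Added example, not from the original post: clear the registry policy values
# that disable regedit, Find/Search and Task Manager. Checks HKCU first (no
# admin rights needed) and then HKLM (needs an elevated prompt).
# Assumes PowerShell 2.0+.

$restrictions = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' }
)

foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($r in $restrictions) {
        $key = Join-Path $hive $r.Key
        if (-not (Test-Path $key)) { continue }               # policy key absent: nothing set
        $current = Get-ItemProperty -Path $key -Name $r.Name -ErrorAction SilentlyContinue
        if ($current -eq $null) { continue }                  # value absent: nothing set
        try {
            # Deleting the value is safer than writing 0: it leaves the key
            # exactly as a clean machine would have it.
            Remove-ItemProperty -Path $key -Name $r.Name -ErrorAction Stop
            'Removed {0}\{1} (was {2})' -f $key, $r.Name, $current.($r.Name)
        } catch {
            'Could not remove {0}\{1}: {2}' -f $key, $r.Name, $_.Exception.Message
        }
    }
}
```

Task Manager and regedit read these values when they start, so launch them again after running this. If Task Manager disappears again within a few seconds, the virus is still running and re-applying the policy: reboot into Safe Mode and repeat there.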

Startup Errors

Many times I would come across a computer that gave error messages when starting up, saying that a program could not start because its files had not been found. Usually this was caused by an infected computer having startup entries that pointed to viruses an antivirus program had since deleted.

Here is a list of places where I discovered invalid startup programs; you need to check each one under both HKLM and HKCU:

\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows\CurrentVersion\RunServices
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (XP)
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

This one is a favourite: userinit.exe should be there, but malware can add other programs to the comma-separated list:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Then of course there are the more obvious places:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\"username"\Start Menu\Programs\Startup
(If you have upgraded from NT, the path is Profiles\"username"\Start Menu\Programs\Startup.)

Spybot S&D will automatically clean up many of the registry problems detailed above and is available at:
http://www.safer-networking.org/en/download/index.html
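As an added example (not from the original post, and not what Spybot does internally), this script walks the startup locations listed above and flags every entry whose executable no longer exists, which is exactly what produces the "file not found" errors at logon once an antivirus product has deleted the virus but left its startup entry behind. It assumes PowerShell 2.0 or later and an administrator account so HKLM and the All Users folder are readable; the Winlogon\Shell value is checked alongside Userinit because it is abused the same way.

```powershell
# Added example, not from the original post: report startup entries whose
# target executable is missing. Assumes PowerShell 2.0+ and admin rights.

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'      # only its Load value matters
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent     or     C:\WINDOWS\system32\userinit.exe
# An unquoted path containing spaces is cut at the first space and so shows up as
# MISSING; that is worth a look anyway, since it is the unquoted-path mistake.
function Get-ExePath([string]$command) {
    $c = $command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    return [regex]::Split($c, '\s+')[0]
}

# Resolve roughly as CreateProcess would: absolute path, else system32, %windir%, then PATH.
function Test-ExeExists([string]$exe) {
    if ([System.IO.Path]::IsPathRooted($exe)) { return (Test-Path -LiteralPath $exe) }
    foreach ($dir in "$env:windir\system32", $env:windir) {
        if (Test-Path -LiteralPath (Join-Path $dir $exe)) { return $true }
    }
    return [bool](Get-Command $exe -ErrorAction SilentlyContinue)
}

function Report([string]$where, [string]$name, [string]$command) {
    $status = if (Test-ExeExists (Get-ExePath $command)) { 'ok     ' } else { 'MISSING' }
    '{0} {1} [{2}] = {3}' -f $status, $where, $name, $command
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $runKeys) {
        $key = Join-Path $hive $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerMeta -contains $p.Name) { continue }            # not registry values
            if ($sub -like '*\Windows' -and $p.Name -ne 'Load') { continue }
            if ($p.Value -is [string] -and $p.Value) { Report $key $p.Name $p.Value }
        }
    }
}

# Userinit and Shell are comma-separated lists; every element should be a real file.
foreach ($valueName in 'Userinit', 'Shell') {
    $list = (Get-ItemProperty -Path $winlogon -Name $valueName).$valueName
    foreach ($entry in $list.Split(',')) {
        if ($entry.Trim()) { Report $winlogon $valueName $entry }
    }
}

# Startup folders: shortcuts whose target is gone.
$wsh = New-Object -ComObject WScript.Shell
foreach ($folder in "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
                    "$env:USERPROFILE\Start Menu\Programs\Startup") {
    if (-not (Test-Path $folder)) { continue }
    foreach ($lnk in Get-ChildItem -Path $folder -Filter *.lnk) {
        Report $folder $lnk.Name $wsh.CreateShortcut($lnk.FullName).TargetPath
    }
}
```

Lines marked MISSING are the entries to delete; lines marked ok still deserve a glance, because an entry pointing at a file that does exist in an odd place (a temp folder, a user profile, system32 with a near-miss name) is how a still-live infection usually looks in this list.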

Windows Update Alternative

When I arrived I came equipped with XP Service Pack 3 thinking that I would be able to just download the most recent patches once I was here... then I discovered that I could at best get a download speed of 1.8K :-(

Now, I know I could have gone with the WSUS setup as the school does have a Windows 2003 Server but I was also doing work at NETS (Namibia Evangelical Theological Seminary) where they didn't have that luxury.

After a bit of research I found heise Security's Offline Update. I have been using this for a while and apart from one hiccup on an XP system back in the UK have found that it does exactly what it says on the can.

You can download the software (free of charge) from http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml

The first step is to unpack the zip file onto a disk that has enough space to hold all the updates you want to download (my folders containing the updates for W2K3, XP, Vista, Office 2003, IE7 and the .NET Framework total just under 5GB without the ISO files).
Browse down through the resulting folders to the ctupdate4 folder and run UpdateGenerator.exe:

You can just about see I have selected Windows XP English, Windows Server 2003 English, Vista and the .NET Framework. There are also options here for creating ISO images, which can then be transferred onto CDs/DVDs (depending on the size). There is also a tab for Office suites:
Once you click Start it is pretty automatic, unless you are running it on Vista, when it requires a couple of user interventions due to User Account Control during the Office download. You will see a number of cmd windows looking something like this:

The first time you run this it will take hours, especially if you include the Service Packs. When it completes you will see a confirmation:


Then depending on your situation you can either mount a network drive or burn the ISO images to CD/DVD and then run the UpdateInstaller from the client directory on the computer you want to update.

What you see will depend on what is installed on the client computer; select the extras you want to update and click Start. I haven't tried the Automatic Reboot so I don't know whether the warning is a common problem.
All that remains to do now is to work out a way of making the clients on my school network run the Offline Update occasionally.