Last week, I heard that an organization did not include an antivirus agent in their PC image. They format the PC with their image, then connect it to the network and wait for SCCM to install the antivirus software. Also, for remote users working in the field, some contracted partners format the PCs, since these users cannot come to the company; the users then join the network via VPN after formatting and keep working. Meanwhile, the IT team waits for SCCM to install the antivirus software, but because of the VPN connection, most of the time it fails. The PC keeps working on the network for days without AV.
While I was sharing this situation with some friends in the industry, some of them said that this is a normal process for organizations. So I wanted to write this article.
A few months ago, I shared a post about the decline of AV. It is true that AV software has not been very effective in recent years. There are many other measures that need to be taken to protect endpoints. However, most of these measures are aimed at APT attacks. As everyone says, and as I also touched on in that article, attackers' profiles and techniques have changed a lot since the times when AV was popular and successful. But despite all this, nobody can say that AV is no longer necessary. Organizations do not only face attackers using highly advanced techniques and tools. There are still many script kiddies and people trying to learn hacking. These people are always looking for easy vulnerabilities, and there is a very good chance they will find you.
Another point about AV: because of the hash databases they download, they can protect users from many malicious events even while the users are offline or not connected to the office network.
Moreover, most AV software is improving with behavioral and AI capabilities, so it can also detect and stop some phases of an APT attack.
I am also curious about your comments, but my opinion is that AV is still indispensable for all organizations. So, I want to list some best (must) practices for using AV in an organization:
– AV software should be installed on all devices. Clients should be periodically checked for whether AV is installed. If possible, a NAC solution should be deployed and PCs that do not have AV should be blocked.
– The AV solution should be centrally managed, so that updates can be managed centrally and out-of-date clients can be tracked.
– Administrators should make sure all clients are sending logs properly. This is very important for responding to a suspicious situation quickly.
– AV software should be updated periodically. Administrators should also make sure that all clients are receiving the latest updates properly.
– AV software should be included in the regular PC and server images. When a PC is formatted and re-installed, it should include AV before connecting to the network.
– Users should not be able to disable the AV services and agent. Tamper protection and an uninstall password should be used, and the password should be stored in a password management system.
– Malicious files should be blocked and quarantined so they can be analyzed by administrators.
– Audit logs should be collected properly. Administrators should log in to the software only with their own usernames. Generic (shared) usernames should not be used.
– Too many exceptions should not be granted. If needed, exceptions should be given only as stated by the vendor.
– If the AV agent includes a host-based IDS feature, it should be enabled.
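As an added example (not code from the original post), here is a small Python script that runs several of the checks from the list above over an export from a central AV console: whether every client has an agent, whether the agent version is current, whether signatures are stale, and whether the client has stopped sending logs. The CSV column names, the version and age thresholds, and the sample rows are all assumptions constructed for the example; a real console export will have its own format.

```python
"""Audit an AV management console export for the checks listed above.
The CSV layout, field names, thresholds and sample rows are assumptions
constructed for this example, not any specific vendor's export format."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; in practice this would be read from a file.
SAMPLE_EXPORT = """\
hostname,av_installed,agent_version,signature_date,last_log,last_seen
WS-0001,yes,5.2.1,2024-05-20,2024-05-21T08:10:00,2024-05-21T08:12:00
WS-0002,no,,,,2024-05-21T07:55:00
WS-0003,yes,5.2.1,2024-05-01,2024-05-21T06:30:00,2024-05-21T07:40:00
LT-0104,yes,4.9.0,2024-05-19,2024-05-14T18:02:00,2024-05-21T09:01:00
SRV-DB01,yes,5.2.1,2024-05-21,2024-05-21T09:00:00,2024-05-21T09:05:00
"""

# Fixed reference time so the constructed sample gives repeatable results.
SAMPLE_NOW = datetime(2024, 5, 21, 10, 0, 0)

# Assumed policy thresholds; tune them to the vendor's update cadence.
REQUIRED_AGENT_VERSION = "5.2.1"
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_LOG_SILENCE = timedelta(hours=24)


def _parse_version(version):
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_host(row, now):
    """Return the list of findings for one inventory row (empty if compliant)."""
    if row["av_installed"].strip().lower() != "yes":
        # Without an agent nothing else can be checked; this is the host
        # a NAC policy should keep off the network until it is fixed.
        return ["no_av_agent"]
    findings = []
    if _parse_version(row["agent_version"]) < _parse_version(REQUIRED_AGENT_VERSION):
        findings.append("agent_outdated")
    signature_date = datetime.strptime(row["signature_date"], "%Y-%m-%d")
    if now - signature_date > MAX_SIGNATURE_AGE:
        findings.append("signatures_stale")
    last_log = datetime.fromisoformat(row["last_log"])
    if now - last_log > MAX_LOG_SILENCE:
        findings.append("no_recent_logs")
    return findings


def audit_export(csv_text, now):
    """Map hostname -> findings for every host that has at least one problem."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_host(row, now)
        if findings:
            report[row["hostname"]] = findings
    return report


def audit_sample():
    """Run the audit over the constructed sample at the fixed reference time."""
    return audit_export(SAMPLE_EXPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for host, findings in sorted(audit_sample().items()):
        print(f"{host}: {', '.join(findings)}")
```

Hosts that never report at all (the freshly re-imaged PC in the story) will simply be absent from the console export, so in practice this report should be joined against the Active Directory or asset inventory list of known machines; a host present in AD but missing from the AV console is the same "no_av_agent" case.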