PC MANAGER MEETING January 23, 2008. Agenda: Next Meeting, Training, Windows Policy, Main Topic: Windows AV Service Review.


1 PC MANAGER MEETING January 23, 2008

2 Agenda
• Next Meeting
• Training
• Windows Policy
• Main Topic: Windows AV Service Review

3 Next Meeting
• Feb 20th
• Week Early!
• Andy Rader – Talk on Networking diagnostic tools

4 Training
• Office 2007 classes?
• Pidgin classes

5 Windows Policy
• Exemption Requests
• Reviewing Captive and Service account definitions.
• Moving to new forms software
• Beta Service Packs/OSes and the Fermi Domain
• No! Naada! Bad System Admin! https://plone4.fnal.gov/P1/WinPol/policies/Approved-os/

6 Main Topic
• Windows AV Service Review
• Why The Review?
• Baseline Requirements
• Current Implementation
• Open Discussion regarding service

7 Why The Review?
• AV Service has been available for over 1 year in present state
• AV Baseline states: “All systems connected to the Fermilab network must follow the appropriate FNAL operating system or application baseline requirements for Anti Virus services.”
• …updating OSX and Linux baselines…

8 Baseline Requirements
• Major Application
• The service must be defined in a Moderate level Major Application
• Support
• 99.9% uptime for both server hardware and software
• Contingency plan outlining client maintenance for extended outages
• 24x7 emergency signature update push and manual scans

9 Baseline Requirements
• Server Updates
• Signature/threat updates and program updates from Service Provider minimum 4 times per day
• Logging Information
• Clients and server must retain logging and history data for 30 days.
• AV Service must interface with the Fermi Enterprise Management System
• AV System must participate in central logging, alert and notification systems

10 Baseline Requirements
• FNAL Managed Client Settings
• Signature and program updates check FNAL AV Service or Service Provider minimum 2 times per day
• If FNAL Service is unavailable or client cannot access FNAL network, client must automatically check Service Provider
• Clients must be configured for a full scan weekly. Cancelled or failed scans must be logged to the central AV Service.
• Scans should check for spyware and adware
• The software should attempt to clean the infection then quarantine it

11 Baseline Requirements
• Real time protection must be enabled, but exclusions may be defined for special cases
• Alerts must be generated to the local client and to the AV service
• Clients must report virus scanning activity and alerts to the central AV service in real time.

12 Current Implementation
• Ken Fidler

13 Antivirus – Central Facility
• To support the majority of the Lab we have a Windows Cluster to run the Central AV infrastructure
• A Central AV report server with a SQL database is also used to consolidate data from Beams and our servers
• Custom code was created to enhance the central reports and alerting

14 PRT-AV-CLUST

15 Antivirus – Alert Flow
[Diagram. Labels: Client, Central AV Server, CLOGGER, Cd-sav-rpt, \\prt-av-clust\av_logs, Listserv, E-mail Alerts, sql, Virus Definitions]

16 Antivirus - Interfaces
• Various tools/interfaces are available to Desktop Admins
• System Center Console
• Central AV Report Server
• Client Logs
• E-mail Alerts
• Activity logs

17 Antivirus – Central Console

18 Central Report Server

19 Antivirus – Mail Lists
---- Warning -------
'
A VIRUS was reported to our Central anti-virus facility.
'
Alert: Risk Repaired
Computer: Bobs-pc
Date: 1/20/2008
Time: 1:53:50 PM
Severity: Warning
Source: "C:\users\bob\mydocs\Diablo II\diablo2noCD108all\DLoad.exe"
User: bob-admin
Action Taken: "Leave Alone"
Virus that was found: "Backdoor.Graybird"
'
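
The alert e-mail on slide 19 is plain "Field: value" text, so a desktop support group can triage its AV-ALERT list mechanically. The following is an added example, not the lab's custom alerting code: it parses one alert body and flags alerts whose Action Taken is "Leave Alone", on the assumption that such an alert means the clean-then-quarantine step from the baseline did not happen. The function names and the follow-up rule are assumptions; the sample text is constructed from the slide's layout.

```python
from datetime import datetime

# Constructed sample that copies the field layout of the slide 19 alert.
SAMPLE_ALERT = r"""---- Warning -------
'
A VIRUS was reported to our Central anti-virus facility.
'
Alert: Risk Repaired
Computer: Bobs-pc
Date: 1/20/2008
Time: 1:53:50 PM
Severity: Warning
Source: "C:\users\bob\mydocs\Diablo II\diablo2noCD108all\DLoad.exe"
User: bob-admin
Action Taken: "Leave Alone"
Virus that was found: "Backdoor.Graybird"
'
"""

FIELDS = {"Alert", "Computer", "Date", "Time", "Severity", "Source",
          "User", "Action Taken", "Virus that was found"}
QUOTES = '"\u201c\u201d'  # straight and curly quotes seen around values


def parse_alert(body):
    """Return the alert's fields as a dict, plus a parsed 'When' timestamp."""
    alert = {}
    for line in body.splitlines():
        # Split on the first colon only: Time and Source contain colons too.
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            alert[key.strip()] = value.strip().strip(QUOTES)
    missing = FIELDS - alert.keys()
    if missing:
        raise ValueError(f"alert is missing fields: {sorted(missing)}")
    alert["When"] = datetime.strptime(
        f"{alert['Date']} {alert['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return alert


def needs_followup(alert):
    """Assumed rule: the file was left in place, so someone must look."""
    return alert["Action Taken"].casefold() == "leave alone"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a["Computer"], a["Virus that was found"], needs_followup(a))
```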

20 Antivirus – Mail Lists
• Allows us to target key desktop support groups for their supported systems
• Each major group has an assigned mail list
• AV-ALERT-xx
• All alerts go to the master list
• AV-ALERT-ALL
• Mail lists are archived
• Mail Lists can be configured for Digest

21 Antivirus - Log files

22 Antivirus - Logs

23 Antivirus - History
• CD has been using Symantec (formerly Norton) AV software since 1998
• Initially AV software only on Servers
• Besides CD, CD also supported Directorate, CDF, ESH, FESS, and LSS (now WDRS)
• Individual Dept servers were the AV Parent Servers

24 Antivirus – SAV version 10
• Symantec announces version 10 in Spring 2005
• Version 10 had built-in features to report and centralize services
• CD began plans to build a centralized AV system
• CD worked with CST on our configuration (many DOE audits underway)

25 Antivirus – Upgrade to Ver. 10
• Summer 2005 - Set up new central cluster
• Fall 2005 - Created central log files and alert system to accommodate various desktop support groups
• Early 2006 - Migrated CD, Directorate, ESH, FESS, LSS (now WDRS)
• March 2006 - Symantec announces 10.1 – (Central Report Server)

26 Antivirus – SAV 10.1
• Summer 2006 – Began migration to 10.1 and migrated PPD, TD, and Dzero to our central facility
• Summer 2006 – Began testing Report Server
• Fall 2006 – Migration complete
• Early 2007 – Production Report Server activated with Beams AV connected in
• Late 2007 - Symantec announces version 11

27 Antivirus – Documentation
• AV Baseline cd-doc-1460
• Major Application
• AV Risk Assessment cd-doc-1529
• AV Contingency Plan cd-doc-1531
• AV Security Plan cd-doc-1530
• Central AV Website
• http://www-css.fnal.gov/csi/win-av/

28 Open Discussion
• Some Thoughts
• Apply policies based on Active Directory structure
• Delegation of console interface
• Small footprint
• One package/console for all supported OS
• Likes
• Dislikes
• Suggestions?

