Antivirus and Desktop Security Policy
Revised 3/21/2007
Purpose of Policy
While UCAR maintains an Internet security perimeter and Active Directory which protects many of our information resources, it is also necessary for us to implement security on our individual PC/Windows and Macintosh computer platforms in order to prevent them from being used by viruses, worms, or other malicious software to attack internal or external information resources.
Procedures and Rationale
Antivirus Software
Antivirus software is required to be correctly installed, configured, and activated on all Microsoft Windows and Macintosh OS X computer platforms connected to the UCAR/ACD network. Antivirus definitions must be regularly updated. For computers that run Norton Antivirus Corporate Edition on the CIT domain, the update cycle is automatic as long as the computer is connected to the NCAR network. For systems on the CIT domain that are not connected to the network, you may need to manually download updates regularly using the Symantec Antivirus client.
Regularly scheduled full scans must be run using your antivirus software client, no less frequently than once a month. In some cases, the ACD Systems staff may request scans, or may request more frequent scanning, depending on the threats identified at the time.
Symantec Antivirus Corporate Edition is the required Antivirus software for all Windows machines attached to the CIT domain. This software provides ACD Systems staff with a management console to help identify viruses or malicious software within the ACD network. Any use of other antivirus software in lieu of Symantec Antivirus Corporate Edition must be approved by the head of the ACD Systems group.
Spyware, adware, and malware are now detected by Symantec Antivirus Corporate Edition and by the Windows Vista operating system. We supplement this detection technology with software called "Spybot Search and Destroy". Other spyware detection/removal software may be used as long as it does not interfere with the operation of Symantec Antivirus Corporate Edition.
Incidents and Detections must be reported to the ACD Systems staff. In some cases, Symantec Antivirus will flag adware such as might come with free software downloaded from the Internet. In other cases, the computer involved may be more seriously compromised. ACD's policy for most incidents and detections identified as serious is to reformat the disk and reinstall Windows with our base install. In some cases, it may be sufficient to remove identified files and applications associated with the malicious software. UCAR's policy for most incidents and detections may involve a more detailed forensic analysis of the compromise, in which case, the PC involved may be unavailable for several days until that forensic analysis is complete. An alternate workstation may be provided, configured with ACD's base install, if such a workstation is available.
Visitor and lab machines are included in this Antivirus policy if they are connected to any UCAR/ACD network. The visitor's home institution or the visitor him/herself is expected to provide antivirus software and updates on non-UCAR-owned equipment. The owner of a privately owned non-UCAR computer must provide antivirus software, maintain updates, and periodically run full scans on that machine if it is to be connected to any UCAR network, including VPN.
Wired Ethernet, guest, 802.11b wireless, dial-in RAS, and VPN connections are all considered part of the UCAR/ACD network, so machines that connect using any of these technologies are included in ACD's Antivirus policy.
Windows and Mac OS X Operating System updates
Windows critical updates must be applied to all ACD-owned PC computers running Microsoft Windows. If the computer is not part of UCAR's "Windows Software Update Service (WSUS)" provided by the Active Directory and CIT domain, you must run Windows Update periodically to make sure that critical updates (particularly security updates) are installed. Mac OS X security updates must also be applied to all ACD-owned Macintosh computer systems running Mac OS X.
Monitoring and Enforcement
At any time, ACD Systems staff may check for antivirus software, antivirus updates, and operating system updates. Antivirus software may be installed if it is not found on a system, and security updates may be applied if they are not found on a system. Where a machine is identified as not meeting ACD's antivirus policy, and the machine is not actively involved in a security incident, a probationary period of 1 week goes into effect during which the machine must be brought into compliance. Should the machine not be in compliance at the end of the probationary period, it must be removed or isolated from the network. ACD Systems staff may take the steps necessary to bring the machine into compliance. The probationary period begins when an ACD Systems Administrator has identified the noncompliance and has informed the owner of the system, or of the lab in which the system is installed.
Active Incident Response
During an identified incident, ACD must follow the UCAR emergency response policy at https://www.ucar.edu/csac/internal/policy/20070103-01/. During an active incident, any of the following may happen:
- Disconnection from the network -- typically a machine will be disconnected from the network but left running, as directed by the UCAR security administration team.
- Retention of the drive for forensic analysis -- the UCAR security administration may request that we retain the drive(s) for forensic analysis. Should this happen, we will provide a new drive and a new operating system configured with our base configuration.
- Retention of the computer for forensic analysis -- in some cases, the computer may be held for a period of time determined by the UCAR security administration team. Should this happen, an effort will be made to allocate a temporary replacement machine should one be available.
- Interviews may be conducted by the ACD systems staff and/or the UCAR security administration team in order to identify what led to the incident.
- Supervisor notification may be required if the incident was the result of a violation of ACD's or UCAR's computer use policies.
Exclusions
Unix systems in ACD are excluded from the antivirus software requirement at this time. Although Mac OS X is a variant of Unix, Mac OS X systems are not included in the category of Unix systems in this paragraph and must run a supported version of Symantec Antivirus. Computers with a technical requirement to run without antivirus software resident in memory (such as aircraft systems) may have the antivirus software disabled during operations. Such computers must, however, have their antivirus software enabled whenever they connect to the UCAR/ACD network.