Exam question Antivirus – VPN – related

Hi, I would like to offer a sincere thank you for reading this far. I'm in deep trouble and need to answer a theory question for a presentation and would really appreciate any thoughts you can offer me. I only have the below information to go on and need to explain and present a solution for the following.

Scenario: You have received an urgent call from one of the senior account managers. His new laptop has suddenly become very slow. It takes a while to open email, attachments and web pages. He is adamant he has done nothing to the laptop to cause this slow down and wants you to "fix it".

The brief: The laptop is relatively new and a good spec (1GB RAM, 1.7GHz mobile processor, 80GB hard drive). The sales team are used to using laptops on the road, which could include using the VPN in hotels, coffee bars, and airports or at home. The laptops all have anti-virus installed as standard. Access to the machine is restricted; the CD drive and USB ports are locked down. However, the sales team can install software on their laptops.

The Presentation: Please provide an overview of the steps you would go through to attempt to identify the product and make recommendations as to how to ensure the problem is mitigated in the future.

Any hints, help or advice you can provide is deeply appreciated.

Sprogg

Answer Wiki

Ah, right up my alley – and I do thank you for being up front about this being an assignment. We’ve had other folks who have tried to get us to do their homework for them.

The key thing you have to understand is some terminology which is often bandied about without distinction. The distinction doesn’t matter to most folks who don’t actually have to fix these “little situations” up.

That said, there are 3 general classes of pests – with lots of room for overlap.
– Viruses (usually attached to some file or another) which infect the target computer when the file is opened.
– Worms – which travel on their own, and attack known network vulnerabilities in various operating systems and applications.
– Trojans – which look attractive, but actually contain a nasty surprise – hence the Trojan Horse reference.
– Spyware and related threats (often all of the above and then some) which get installed when the user visits a malicious or infested web page – which might otherwise be quite legitimate, or is a common mis-spelling of a well known web site.

I’d go into more detail, but that’s not the focus of your question. So let’s move on to “product” (or more accurately “pest”) identification.

Most of the major anti-virus vendors provide 2 things with their base product: on-line updates and a “rescue boot disk” of some sort.

I cannot count the number of times that I have encountered a system with Anti-Virus software installed which has never been updated. So making sure the Anti-Virus definitions are up-to-date is step one, followed by a full system scan.

However, there are many retro-pests (not just viruses) which attack, disable, and otherwise hamper security software (updates/patches, virus updates, firewalls, anti-spyware, etc.), and to deal with many of those, you need the “rescue” boot disk which will perform a virus scan of the system without allowing the infected O/S to boot and take control.

Beyond that are many programs (some paid-for, some free) which will identify spyware, hijacking software, viruses etc. I’ve provided a fundamental list below. It’s not exhaustive because A) it’s late at night and I’m tired, and B) I’m an acknowledged tool freak, and download, purchase, and build any tool that I think might help me. But…

1) Spybot Search & Destroy (Free, but send a donation, I did)
2) HijackThis (Free, but send a donation, I did)
3) The excellent tools from SysInternals.com (Bryce Cogswell and Mark Russinovich): Autoruns, RootkitRevealer, FileMon, RegMon, etc. The stuff on their site is free, and the commercial versions may be purchased from Winternals.com (I have bought several of their commercial versions – do you see a trend here?).
4) Stinger.exe from McAfee/NAI which is a cleanup tool for what might be termed the “current top 40” pests, although the actual number varies depending on what they see “in the wild”. Get that from http://vil.nai.com/vil/stinger

If none of these help, then you need someone like me – the trick being to find them in your local area.


Discuss This Question: 7 Replies

  • Dfng2002
    Bob has a very good list and it's very well put. Also, thank you for being honest about it being school work. Lavasoft has a good spyware remover that is free also, Ad-Aware 1.06 Personal. It does very well at removing hijackers and such other spyware. The composition, as you can tell, is being left to you. You have some very good tools in front of you; now it's time to do your research for your project. Bob gave you a good list and a very good start. Good luck with your project.
  • EricHarris
    Good lists, so far. I would broaden Bob's comment about AV software that has never been updated by extending it to the machine in general. Is the BIOS the latest? Has the OS had all of its patches installed? What about the applications? What about drivers for various things, such as network adapters? Is there an active firewall? Is it configured properly? Hacking has become more professional and "commercialized" in the last few years and, as a result, it has become far more necessary to be paranoid about potential threats. To protect a computer, the user needs to make conscious decisions about how much risk is acceptable. "Does this message appear legitimate?" "Do I want to risk going to this website without knowing more about it?" "Where did this software come from and do I trust the source?" The increase in threats comes as much from people making unconscious decisions, that is doing things when they don't know the risks, as anything else.
  • Richl01
    A couple more things: test the network connection also (I might try this first). Check the cable, and maybe take the laptop to a different area and see if the logon speed stays the same; bad cables can cause some issues. 2. Check his profile: is he saving everything to his desktop? 3. Check if any other programs are loading at startup, like weather or stock tickers; these can cause delays. I would check viruses and such last, 1. because as computer experts in biz we should always make sure the anti-virus and spyware tools are updated on all computers in our care. Granted, some do slip by, but if you nail down the network as much as you can and still let users get the work done... Second, unless needed by the sales force, take away permissions to install software!! As a last resort get an email scanner so most viruses do not get to the users.
  • Sprogg2001
    Thank you all for your replies so far, you have given me some great information and a good start. To be totally honest this is an exam question that has been sent to me by a security company where I applied for a junior technical role. I attended the 1st interview and was invited back for a second interview. This entails a 15 min presentation before my would-be boss and 2 company directors.

    What really threw me off on the question were the terms "Identify the product..." I thought it was a grammar error and supposed to be "identify the problem", and I immediately panicked because there was too little information to go on. As soon as Bob mentioned product = infection the light switched on! Further examination of the question reveals that they are more interested in my analytical approach and troubleshooting skills than an actual answer such as open antivirus --> update --> scan --> delete... sorted!!! Have a beer! I have to explain my actions and why I suspect it's a virus/malware. I can't really say it's a hunch that it's a security problem because you're an IT security company.

    So I have been working away at it and roughly come up with a troubleshooting approach.

    It's a security problem because:

    Symptoms: Slow laptop; web pages, email and attachments are also slow.

    Assumption: A virus or worm is trying to propagate through the machine/network/email and address book contacts, using up laptop resources and network bandwidth. This follows known indications of virus/worm behaviour.

    IDENTIFICATION
    1) Check the status of the anti-virus software; if it is working correctly then go to step 2, else re-install the antivirus software
    2) Ensure the latest definitions are up to date
    3) Check for OS security updates and install if necessary
    4) Run a full virus scan
    5) If detected, attempt to delete; refer to the antivirus vendor for removal instructions, if necessary using a virus rescue disk or other vendor-approved tools or software.

    Sounds good so far and I was going to go on to resolution and mitigation but....

    The line between spyware, Trojans, viruses and all forms of malware is really blurred and confusing: how can I be sure that it isn't other forms of malware, or a combination of virus and worm, or virus and spyware, or virus and Trojan? I'm struggling to find a single approach that can take all these factors into consideration. Just blindly scanning for them is not enough; I have to "follow the bread crumbs" from symptom to problem to solution. I know how to fix all of these, I just don't know how to explain how I knew they were there! Please let me know your thoughts on this; comments would be greatly appreciated, constructive or otherwise.
  • Tastech
    All of the above comments are very good. I thought I'd add my thoughts as well for you. The reported problem can point to heavy network traffic, hence anything using the network is slow. So check for Trojans etc. as above, but also check whether the laptop is not synchronising data with the server. This could include Outlook, folders or some replicating application. I've had Outlook syncing with an existing Exchange account to a new PC virtually make a PC useless for several hours before. Good luck with your assignment.
  • BrantWellsTFC
    Everybody has some excellent explanations and hints. One thing more that I would add: If it turns out that it is a virus, it very well could be propagating through your network. If the user connects via a VPN connection, then that means they are 'plugged in' to your network from wherever they are at. I *HIGHLY* recommend network sniffing tools, such as Ethereal, for monitoring network traffic. Even if you are in a network that tries to thwart sniffing, you can still see traffic coming to / from your machine, and will still be able to identify where the (potentially damaging) traffic is coming from. See Ya! ~Brant
  • Bobkberg
    This has been an enjoyable thread to follow. Brant Wells has brought up a particularly good point about sniffing tools (Ethereal et al), so I'd like to push that one step further and recommend ongoing IDS. I use Snort at home with the bleeding snort malware rules, and use Juniper in other places. These are of great help in spotting infectious traffic - particularly once tuned well. Bob
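Brant's sniffing suggestion and Bob's IDS recommendation both rest on the same observation as Sprogg's working assumption: a propagating worm shows up on the wire as one host opening connections to many distinct peers on the same port within a short time, whereas Tastech's heavy-sync case is one host moving a lot of bytes to a single peer. The Python script below is an added example, not code from anyone in this thread nor from Ethereal or Snort. It runs that fan-out heuristic over a constructed connection log; the five-field line format, the addresses, the 10-second window and the 8-peer threshold are all assumptions made for the example.

```python
"""Spot worm-style propagation in a connection log (added example).

Constructed log lines (not a real capture): one connection per line, in the
assumed form
    <epoch-seconds> <src-ip> <dst-ip> <dst-port> <bytes-sent>
Heuristic: a source that reaches many distinct hosts on the same port inside
a short window looks like a scanning worm; a source that sends a large volume
to one peer looks like synchronisation or a bulk transfer. Both thresholds
below are illustrative and would be tuned per network, as Bob notes for IDS.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 10.0.0.15 sweeps port 445 across ten neighbours in a few
# seconds; 10.0.0.7 behaves normally apart from one large upload to a server.
SAMPLE_LOG = """\
1000 10.0.0.15 10.0.0.1 53 70
1001 10.0.0.15 192.0.2.10 443 2400
1002 10.0.0.15 10.0.0.20 445 300
1002 10.0.0.15 10.0.0.21 445 300
1003 10.0.0.15 10.0.0.22 445 300
1003 10.0.0.15 10.0.0.23 445 300
1004 10.0.0.15 10.0.0.24 445 300
1004 10.0.0.15 10.0.0.25 445 300
1005 10.0.0.15 10.0.0.26 445 300
1005 10.0.0.15 10.0.0.27 445 300
1006 10.0.0.15 10.0.0.28 445 300
1006 10.0.0.15 10.0.0.29 445 300
1001 10.0.0.7 10.0.0.1 53 60
1002 10.0.0.7 192.0.2.10 443 1800
1003 10.0.0.7 192.0.2.11 443 1200
1050 10.0.0.7 10.0.0.5 445 90000
"""


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_log(text):
    """Parse the assumed five-field format; blank lines and '#' comments are skipped."""
    conns = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, src, dst, dport, nbytes = fields
        conns.append(Conn(int(ts), src, dst, int(dport), int(nbytes)))
    return conns


def find_fanout(conns, window=10, min_peers=8):
    """Return {(src, dport): peak_distinct_peers} for every source that reached at
    least `min_peers` distinct hosts on one port within any `window`-second span."""
    by_key = defaultdict(list)
    for c in conns:
        by_key[(c.src, c.dport)].append((c.ts, c.dst))
    findings = {}
    for key, events in by_key.items():
        events.sort()  # time order so the sliding window below is valid
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= min_peers:
                findings[key] = max(findings.get(key, 0), len(peers))
    return findings


def bytes_out_by_src(conns):
    """Total bytes sent per source, to separate bulk sync from scanning."""
    totals = defaultdict(int)
    for c in conns:
        totals[c.src] += c.nbytes
    return dict(totals)


def triage(text):
    """Combine both views so the analyst sees fan-out and volume side by side."""
    conns = parse_log(text)
    fanout = find_fanout(conns)
    return {
        "suspect_hosts": sorted({src for src, _ in fanout}),
        "fanout": fanout,
        "bytes_out": bytes_out_by_src(conns),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, v)
```

On the sample, only 10.0.0.15 is reported, for ten distinct port 445 peers in four seconds, which is the signature Sprogg's assumption predicts; 10.0.0.7 sends far more bytes but to a single peer, so it falls under Tastech's synchronisation explanation rather than propagation. The two thresholds are where tuning happens: set the window and peer count from what a healthy laptop on the VPN normally does before treating the rule as an alert.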
