In our last blog we looked at the minimum feature set we’d recommend organisations look for in an antivirus solution. In this blog post, we look at best practices when configuring AV solutions.
No matter how effective the product, remember that an AV solution should only form part of the overall security control set. Even with the best possible configuration there are still a number of ways in which AV can be bypassed by attackers. As one layer of a defence-in-depth approach, however, a best-practice AV configuration is strongly recommended. Here is our recommended checklist for configuring your chosen solution.
- Enable Tamper Protection, guarded by a strong, complex password, so that neither malware nor a local administrator can stop the service, uninstall the agent or edit its policy without it. If user credentials are used instead (for example, a Domain User account), make the password long and complex, ensure that the principle of least privilege is followed, and never reuse that password for any other system or service.
- Limit the number of exclusions per deployment policy and be precise with file paths. Avoid wildcards unless absolutely necessary (for example, for a database directory): every exclusion is a location where malware will not be scanned, and a broad or wildcard exclusion hands an attacker a ready-made place to stage tooling. Too many exclusions will also degrade the performance of the AV software. Where the product supports it, exclude by file hash rather than by path, since a hash exclusion cannot be reused by a different file dropped at the same location.
- Deploy individual policies per server or at the very least, per server role. (For example, Domain Controllers should have their own policy, as should MS SQL Database Servers).
- Enable on-access (or real-time) scanning, ensuring also that heuristic scanning is enabled.
- Ensure that a full system scan is run regularly; don't rely solely on on-access scanning. The full scan should also cover the locations excluded from on-access scanning, since exclusions are often used by attackers (or penetration testers) as drop-points.
- If possible, enable alerting for any detections from scanning and create email groups so that Support Desk and Security Teams are notified. Some products allow different alerts based upon whether a system is infected once, re-infected, or if an outbreak occurs.
- Ensure that AV logging is configured with appropriate alerting to the IT team. For example, should the AV be disabled or a virus detected then a follow-up process should start as soon as possible.
- Keeping AV definitions fully up to date is critical. The latest definitions and signatures should be applied as soon as possible after they are released from the AV vendor. Updates to the AV engine itself should be tested prior to full deployment in case any compatibility issues could arise.
- Restrict access to USB and other removable storage media where the endpoint software supports it. Block write access to reduce the risk of data loss, and restrict read access so that external files, which could harbour malware, cannot be brought into the internal network.
- Configuring different policies for mobile devices (laptops, tablets, etc.) based upon location ensures that a stricter environment is enforced when the user and their device are out of the office. When an ‘external’ or ‘out-of-office’ policy is in use, we recommend increasing the scheduled scans so that quick scans run every two hours with at least one full scan per day, and completely restricting USB and external media access.
- Where possible look to use different AV solutions throughout the network to increase the likelihood of an infection being detected early. For example, use a different product on your servers and workstations. Again, consider a different product for email filtering and/or other network entry points.
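To make the exclusion guidance in the checklist concrete, here is an added example (our own illustration, not code from the original post or from any AV vendor) that lints an exclusion policy. It flags extension-only and wildcard exclusions, whole-drive and top-level paths, user-writable drop-points, and policies that have simply grown too large, and it lists the excluded paths that a scheduled full scan must still cover. The dataclass layout, the user-writable prefixes, the 20-entry limit and the sample SQL Server policy are all assumptions made for the example.

```python
"""Lint an AV exclusion policy for the risks called out in the checklist.

Added example; the severities, the user-writable prefixes and the
20-exclusion limit are assumptions to be tuned for your own estate.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations a low-privileged user (and therefore malware running as that user)
# can write to. Assumed typical Windows layout; extend for your environment.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
    "c:\\programdata\\",
)


@dataclass
class Exclusion:
    value: str               # path, extension (".tmp") or SHA-256 hash
    kind: str                # "path" | "extension" | "hash"
    justification: str = ""  # why it exists; blank means nobody recorded one


@dataclass
class Finding:
    severity: str            # "high" | "medium" | "low"
    exclusion: str
    reason: str


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised path with exactly one trailing backslash."""
    return str(PureWindowsPath(path)).lower().rstrip("\\") + "\\"


def lint_policy(exclusions: list[Exclusion], max_exclusions: int = 20) -> list[Finding]:
    findings: list[Finding] = []
    if len(exclusions) > max_exclusions:
        findings.append(Finding("medium", f"{len(exclusions)} entries",
                                f"policy exceeds {max_exclusions} exclusions; "
                                "each one is a blind spot and a scan-time cost"))
    for ex in exclusions:
        if ex.kind == "hash":
            # Preferred form: pinned to file content, so a different file
            # dropped at the same path is still scanned.
            continue
        if ex.kind == "extension":
            findings.append(Finding("high", ex.value,
                                    "extension exclusion applies everywhere; "
                                    "an attacker only has to rename the dropper"))
            continue
        n = _norm(ex.value)
        if re.fullmatch(r"[a-z]:\\", n):
            findings.append(Finding("high", ex.value, "whole drive excluded"))
            continue
        if n.startswith(USER_WRITABLE_PREFIXES):
            findings.append(Finding("high", ex.value,
                                    "user-writable location; classic drop-point for payloads"))
        elif n.count("\\") <= 2:
            findings.append(Finding("medium", ex.value,
                                    "top-level directory; be more precise with the path"))
        if "*" in n or "?" in n:
            if ex.justification:
                findings.append(Finding("low", ex.value, "wildcard exclusion (justified)"))
            else:
                findings.append(Finding("medium", ex.value,
                                        "wildcard exclusion with no recorded justification"))
    return findings


def full_scan_targets(exclusions: list[Exclusion]) -> list[str]:
    """Paths the scheduled full scan must cover even though on-access scanning skips them."""
    return sorted(ex.value for ex in exclusions if ex.kind == "path")


def summarise(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


# Constructed sample policy for a SQL Server host (not a real deployment).
SAMPLE_POLICY = [
    Exclusion("C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\DATA",
              "path", "SQL data files; vendor guidance"),
    Exclusion("C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\DATA\\*.mdf",
              "path", "SQL data files; vendor guidance"),
    Exclusion("C:\\Users\\*\\AppData\\Local\\Temp", "path"),
    Exclusion("D:\\", "path"),
    Exclusion(".tmp", "extension"),
    Exclusion("0123456789abcdef" * 4, "hash", "backup agent binary, build 4.2"),  # placeholder hash
]

if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"[{f.severity:6}] {f.exclusion}: {f.reason}")
    print("Full scan must also cover:", full_scan_targets(SAMPLE_POLICY))
```

Run against the sample policy, the two precise SQL data-directory entries pass (the wildcard one only as a justified low), while the user temp directory, the whole D: drive and the `.tmp` extension are flagged high; the hash entry produces nothing, which is exactly why hash-based exclusions are preferred.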
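For the alerting items in the checklist, here is an added example (not from the original post or any product) that turns an exported detection log into the alert classes described: a first infection goes to the Support Desk, a re-infection of the same host within a week also goes to the Security Team, the same threat on three hosts within an hour is raised as an outbreak, and real-time protection being disabled is treated as critical. The CSV layout, the thresholds, the distribution group names and the sample log lines are all constructed for the example.

```python
"""Triage AV detection events into first infection, re-infection, outbreak,
and "agent disabled" alerts, each routed to the right distribution group.

Added example over constructed log lines; the CSV layout, thresholds and
routing are assumptions, not any vendor's format.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export: timestamp,host,threat,action
SAMPLE_LOG = """\
2024-03-04T09:12:03Z,WS-0142,Trojan:Win32/ExampleA,quarantined
2024-03-04T09:40:11Z,WS-0142,Trojan:Win32/ExampleA,quarantined
2024-03-04T10:02:45Z,WS-0201,Trojan:Win32/ExampleA,quarantined
2024-03-04T10:05:10Z,WS-0207,Trojan:Win32/ExampleA,quarantined
2024-03-04T11:30:00Z,SRV-DC01,-,realtime_protection_disabled
2024-03-05T08:00:00Z,WS-0310,Adware:Win32/ExampleB,removed
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    threat: str
    action: str


@dataclass(frozen=True)
class Alert:
    severity: str                 # "medium" | "high" | "critical"
    host: str                     # "*" for estate-wide alerts
    message: str
    recipients: tuple[str, ...]   # distribution groups (assumed names)


def parse_events(text: str) -> list[Event]:
    """Parse the constructed CSV layout; events are returned in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, threat, action = line.split(",", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, host, threat, action))
    return sorted(events, key=lambda e: e.ts)


def triage(events: list[Event], reinfect_window: timedelta = timedelta(days=7),
           outbreak_hosts: int = 3, outbreak_window: timedelta = timedelta(hours=1)) -> list[Alert]:
    alerts: list[Alert] = []
    last_seen: dict[tuple[str, str], datetime] = {}     # (host, threat) -> last detection
    by_threat: dict[str, list] = defaultdict(list)       # threat -> [(time, host)]
    outbreak_raised: set[str] = set()
    for ev in events:
        if ev.action == "realtime_protection_disabled":
            # The control itself has been switched off: security team, immediately.
            alerts.append(Alert("critical", ev.host, "real-time protection disabled",
                                ("security-team",)))
            continue
        key = (ev.host, ev.threat)
        if key in last_seen and ev.ts - last_seen[key] <= reinfect_window:
            alerts.append(Alert("high", ev.host,
                                f"re-infected with {ev.threat}; the first clean-up did not hold",
                                ("support-desk", "security-team")))
        else:
            alerts.append(Alert("medium", ev.host, f"infected with {ev.threat}",
                                ("support-desk",)))
        last_seen[key] = ev.ts
        by_threat[ev.threat].append((ev.ts, ev.host))
        # Distinct hosts hit by this threat inside the outbreak window.
        recent_hosts = {h for t, h in by_threat[ev.threat] if ev.ts - t <= outbreak_window}
        if ev.threat not in outbreak_raised and len(recent_hosts) >= outbreak_hosts:
            outbreak_raised.add(ev.threat)
            alerts.append(Alert("critical", "*",
                                f"outbreak: {ev.threat} on {len(recent_hosts)} hosts "
                                f"within {outbreak_window}", ("security-team",)))
    return alerts


def count_by_severity(alerts: list[Alert]) -> dict[str, int]:
    return dict(Counter(a.severity for a in alerts))


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_LOG)):
        print(f"[{a.severity:8}] {a.host:9} {a.message} -> {', '.join(a.recipients)}")
```

Note that the outbreak check counts distinct hosts, so the re-infected WS-0142 is not double-counted, and each threat raises the outbreak alert only once rather than on every subsequent detection.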
Antivirus software, like any other security product or service, is most effective as one layer of a defence-in-depth approach. Given the range of AV evasion techniques that exist, no single AV product is likely to prevent everything.
For further recommendations about corporate anti-virus, refer to our other blog entitled “Scoping an Enterprise AV solution“.
Authored by Adam Govier, Security Consultant, SureCloud