Computerworld - I've always been proud of my security team's antivirus defense and scathing in my criticism of other companies that have had virus problems, believing as I did that any organization can eliminate virus problems by using a simple, layered defense like ours.
We deploy antivirus software on our desktops, on our file, Web and e-mail servers, and at the e-mail and Web gateways. We even use an outsourced e-mail scanning service. We use a range of vendors' products and update signatures daily. I'm proud of that system.
But then, pride goes before the fall.
It started when the PC support team reported that a user said he was receiving a weird e-mail message. An antivirus software pop-up had been reporting a virus on the user's machine since Thursday. Now it was Monday, and he was just calling it in.
This wasn't good. We have centralized desktop virus reporting, so we should have known about the problem right away and informed the user, not the other way around. What went wrong?
The central antivirus server had been decommissioned for an upgrade from Windows NT 4 to Windows 2000, but the new build had problems and now no central server was online. Instead of getting the new server working and then turning off the old one, someone decided it would be quicker to just rebuild the old one. With decent server and gateway protection, this person presumed we'd be OK without the server for a few days. Then those few days stretched into weeks.
Stupidly, I'd taken the complete lack of alerts from this server to mean that there were no problems to report, when in fact it indicated a failure in our reporting infrastructure.
We managed to track the infection to a new user whose machine didn't have antivirus software. This flies in the face of our antivirus policy. How could it have happened?
The support group's process for new builds is to install Windows and the applications and then push the antivirus configuration from the central antivirus server -- which was down for rebuilding.
Not only did we not have central reporting, but also we had no protection on new machines rolled out during the two weeks the machine was down. What caused me to miss this? In a word, complacency. We hadn't had a virus outbreak for two years, and we had lowered our guard.
Fortunately, the previously deployed client software was configured to download updates from the Internet as well as the central server, so at least the
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
