Larry got infected by a Virus, the aftermath…

Well.  I honestly didn’t expect to get traction on my post about getting infected with a virus, but I guess sending a politely worded complaint to the CEO and Chief Software Architect of Microsoft gets things done :)

On Monday, I received a fascinating response from the CIO which was truly enlightening.

The bottom line is that I was infected because it’s not possible to keep a network as big as Microsoft’s 100% virus free.

There are 285,000 Windows machines running on the Microsoft network at any time.  Microsoft runs constant scans and forces patches on all unpatched machines within a set timeline (24 hours for emergencies, 14 days for critical updates).  Microsoft’s IT department gets patches to more than 99% of the machines on the corporate network within 8 days of the announcement of a critical vulnerability via either voluntary patches, SMS deployed patches, logon script patching or port shutdowns (if none of the previous things work).

The problem is that it’s impossible to get to 100% compliance.  Machines get constantly added to the network from mobile employees (sales force, etc), contingent staff (temporary workers), new hires, etc.  There’s also the problem of the machines in the conference rooms that run the projectors – they’re often turned off, which means that they don’t get updated.  And when they’re brought online, they’re vulnerable until the vulnerability scanners pick them up.

Last week (when I was infected), Microsoft’s IT department detected 330 machines on the corporate network that were vulnerable to Sasser.  249 of them had their network ports shut off; the other machines were force-patched by one of the techniques above.

My problem was that Sasser propagates VERY quickly.  Which means that during the time my machine was vulnerable, one (or more) of the 330 machines that was vulnerable also was infected.  So even though 99.98% of the machines on Microsoft’s network weren’t vulnerable to Sasser, enough were to cause me grief.
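The scan-and-escalate process described above, as an added Python example that is not part of the original post or of Microsoft's IT tooling: it takes an inventory of machines (a constructed sample), applies the 24-hour and 14-day deadlines quoted above, treats a machine the scanner has not seen since the announcement as unassessed rather than compliant (the powered-off conference-room case), and picks the next rung on the voluntary / SMS / logon-script / port-shutdown ladder for each overdue machine. The `attempts` field, the machine names and the dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadlines quoted in the post: 24 hours for emergencies, 14 days for critical updates.
DEADLINES = {"emergency": timedelta(hours=24), "critical": timedelta(days=14)}

# Escalation ladder from the post, in the order IT applies it when earlier steps fail.
ESCALATION = ["voluntary patch", "SMS deployed patch", "logon script patch", "port shutdown"]


@dataclass
class Machine:
    name: str
    last_seen: datetime   # last time a vulnerability scan saw this machine on the network
    patched: bool         # scanner reports the fix installed
    attempts: int         # escalation steps already tried (hypothetical bookkeeping field)


def assess(machines, severity, announced, now):
    """Sort an inventory into patched / in-window / overdue / not-seen buckets.

    Overdue machines are mapped to the next escalation step to apply.
    """
    deadline = announced + DEADLINES[severity]
    report = {"patched": [], "in_window": [], "overdue": {}, "not_seen": []}
    for m in machines:
        if m.patched:
            report["patched"].append(m.name)
        elif m.last_seen < announced:
            # Powered-off or roaming machine: no scan since the announcement, so it is
            # unassessed rather than compliant, and exposed the moment it comes online.
            report["not_seen"].append(m.name)
        elif now <= deadline:
            report["in_window"].append(m.name)
        else:
            step = ESCALATION[min(m.attempts, len(ESCALATION) - 1)]
            report["overdue"][m.name] = step
    return report


def compliance_rate(report, total):
    """Fraction of the inventory known to be patched; unseen machines count against it."""
    return len(report["patched"]) / total


# Constructed sample inventory; names and dates are made up for this example.
ANNOUNCED = datetime(2004, 4, 13, 9, 0)
NOW = ANNOUNCED + timedelta(days=20)
SAMPLE = [
    Machine("dev-box-1", NOW - timedelta(hours=1), True, 0),
    Machine("sales-laptop-7", NOW - timedelta(hours=2), False, 0),   # nothing tried yet
    Machine("contractor-12", NOW - timedelta(days=1), False, 2),     # voluntary and SMS already failed
    Machine("stubborn-box", NOW, False, 5),                          # ladder exhausted
    Machine("confroom-proj-3", ANNOUNCED - timedelta(days=30), False, 0),  # off since before the advisory
    Machine("newhire-44", NOW, True, 0),
]

if __name__ == "__main__":
    r = assess(SAMPLE, "critical", ANNOUNCED, NOW)
    for name, step in r["overdue"].items():
        print(f"{name}: overdue, next step -> {step}")
    print("not seen since announcement:", r["not_seen"])
    print(f"compliance: {compliance_rate(r, len(SAMPLE)):.1%}")
```

The point the example makes explicit is that the compliance number IT reports is a fraction of the machines it has actually scanned; a machine that has been off since before the advisory is neither patched nor overdue, it is simply unknown, which is exactly the gap a fast worm exploits.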

One of the key takeaways from Ron’s email was that the IT department strongly suggests that people use Remote Installation Service to upgrade their machines instead of using my technique of rebooting from the unpatched XP CD that they’ve been carrying around for years.   The RIS images that OTG deploys have most of the patches deployed on them already, so if you reinstall via RIS, your machine won’t be vulnerable.

The truly frustrating thing for me is that I truly wish I had known that our RIS technology supported a non destructive reinstall option (as Saurabh Jain pointed out).  If I had known about that, I would have tried the RIS option to reinstall XP SP1 without reformatting when I decided to back out the interim XP SP2 build.

One other fascinating tidbit in the email is that apparently there are some releases in the future that will render the network even more secure.  Unfortunately I can’t talk about them :(, because I don’t believe they’ve been announced yet but in the future vulnerable machines won’t even be allowed to get on our network.


Comments (11)

  1. Kevin Jump says:

    I work for a university in the UK and we have the same problems keeping our network virus free, more so in some respects. Universities are much more liberal places than companies and “Academic freedom” is the dreaded phrase that limits a lot of what we can do.

    The product you can’t talk about sounds a lot like Cisco self defending networks (

  2. Dave says:

    "The bottom line is that I was infected because it’s not possible to keep a network as big as Microsoft’s 100% virus free."

    It would be if the network was running Linux… 😉

    (Sorry, couldn’t resist)

  3. BJ says:

    nah, GNU/Linux is perfectly capable of sporting worms. IMAP is especially friendly to them.

  4. Adam says:

    It doesn’t have to be all about technology.

    Policy can go some way to controlling this stuff too.

    In previous companies I’ve worked at, we adopted information security policies in line with BS7799/ISO17799 which filled in the gaps left by SUS/SMS etc..

  5. In our case, we’re using the technology to back up the policy – the policy is that each machine needs to be patched when an announcement is made that a patch is available (plus or minus – not all patches are required).

    The technology is used as a backstop against the policy. Policy without enforcement is worth the paper it’s printed on.

  6. David Candy says:

    As patching is not necessary in XP to remain secure.

    Disable NetBIOS over TCP/IP (as should be the default, and is in 9x) if an internet connection.

    Enable firewall (but has only become necessary in last two years) if an internet connection.

    Set OE to be in Restricted Zone.

    Set Office to Medium security.

    And I would make laptop users pay for any infection. This takes care of "training" and will make users be intelligent.

  7. David, what does disabling NetBIOS over TCP/IP do to increase security?

    It doesn’t affect file&print services, since they run natively over TCP. As best as I can figure, the only thing it does is to force DNS as your name resolution mechanism instead of using WINS (or B-node recognition if you’re not using WINS).

    For an outward facing machine, disabling file&print services on the outward facing network adapter makes a huge amount of sense (because it reduces the attack surface of the machine).

    But I don’t see how disabling NBT helps.

  8. Joku says:

    On an OT note, having NetBIOS on the default setting can cause very "weird" behaviour, probably related to my static ip setting. In short: When applications were given an ip address and they wanted to try resolve the ip to a dns name, very odd 10 second "lag" occurred every time. Problem was simply that since I had multiple active network adapters (vmware virtual adapters), I had forgotten to check the NetBIOS settings and whenever ip was being resolved and the ip did not have proper DNS name, windows went to look for the name in the vmware virtual networks. Could be I got something wrong here, but disabling the NetBIOS on the vmware adapters helped.

  9. I’ve had really mixed success with multiple adapters and name resolution (either DNS or WINS).

    I have a 2nd network in my office for fjord testing, when I’m using the firewall (which has a DHCP server in it that issues IP addresses in the 192.168.x.y range), AND my normal connection to corpnet, name resolution is spotty at best.

    If I’m using autoip, things aren’t nearly as spotty. I don’t know why though.

  10. Peter Torr says:

    David: The average user should have Office in "High" (or "Very High") modes, and just use the "Trust installed templates and add-ins" checkbox if they have unsigned add-ins or recorded macros in / personal.xls.

    If you write Excel macros inside individual workbooks and don’t have a cert, Medium might make sense for you.
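Larry's reply in comment 7 above makes the point that disabling NetBIOS over TCP/IP does not touch file and print sharing, which runs natively over TCP. As an added example (not from the post or any of the commenters), here is a small Python parser over constructed `netstat -an` output that makes that distinction visible: it reports which NBT listeners (137/udp name service, 138/udp datagram, 139/tcp session) and which direct-hosted SMB listener (445/tcp) are accepting traffic, so an administrator can see that turning NBT off only removes the 137-139 sockets while sharing stays reachable on 445. The port assignments are general Windows facts rather than something the page states; the netstat text and addresses are constructed for the example and cover IPv4 lines only.

```python
import re

# Well-known Windows ports (general knowledge, not from the post): NetBIOS over TCP/IP
# (NBT) uses 137/udp (name service), 138/udp (datagram) and 139/tcp (session); file and
# print sharing over direct-hosted SMB uses 445/tcp and does not depend on NBT at all.
NBT_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
DIRECT_SMB = ("TCP", 445)

# One IPv4 row of 'netstat -an' on Windows: proto, local addr:port, foreign addr, [state]
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return {(proto, port)} for sockets accepting inbound traffic in 'netstat -an' output.

    TCP sockets count only in LISTENING state; every bound UDP socket counts.
    """
    ports = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank line, or a row shape we do not recognise
        proto, port, state = m.group(1), int(m.group(3)), m.group(5)
        if proto == "TCP" and state != "LISTENING":
            continue
        ports.add((proto, port))
    return ports


def smb_exposure(ports):
    """Summarise how file & print sharing is reachable on this host."""
    nbt = sorted(p for p in ports if p in NBT_PORTS)
    return {
        "nbt_listening": nbt,
        "direct_smb": DIRECT_SMB in ports,
        # Disabling NBT removes only the 137-139 listeners; it does not close 445.
        "file_and_print_reachable": DIRECT_SMB in ports or ("TCP", 139) in ports,
    }


# Constructed 'netstat -an' output for an XP host with NBT enabled (not a real capture).
NETSTAT_WITH_NBT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      10.0.0.5:51234         ESTABLISHED
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

# Same host after NBT is disabled on the adapter: only 137-139 disappear, 445 stays.
NETSTAT_NO_NBT = "\n".join(
    ln for ln in NETSTAT_WITH_NBT.splitlines() if not re.search(r":13[789]\s", ln)
)

if __name__ == "__main__":
    for label, text in (("NBT enabled", NETSTAT_WITH_NBT), ("NBT disabled", NETSTAT_NO_NBT)):
        print(label, smb_exposure(listening_ports(text)))
```

Run against real output (`netstat -an` piped into the script) the same function answers the question in the thread directly: if 445/tcp is still listening on an outward-facing adapter, the attack surface that matters is still there, and it is the sharing service on that adapter, not NBT, that needs to be turned off.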
