Implementing avast! platform into infected infrastructure

First of all, I was not sure where to place this topic, ADNM or Server, since both are objects in the entire setup.

Infrastructure
The environment targeted consists of 8 servers, all Windows 200(0/3) based on a W2K Domain (to be upgraded in the nearby future). There are up and about 100 client computers, of which over 75% is a Notebook (running WXP or in a few cases W2KPro).

AV Setup
The current AV setup is covered by our friends of McA___, based on a Small Business Edition (configuration is destined to be outdated, since the organization has grown rapidly). A proposal was issued to the management where 5 software suppliers were offered in a comparison, out of which avast! was chosen as the new AV platform.

The new avast! platform is built up from scratch, thus a complete new server was purchased for the purpose (amongst others) of AMS and DNM in the environment. The OS is W2K3R2std. avast! Server edition was installed with some plugins required in the future setup (non TS). DNM was installed together with the AMS option onto this server (not part of the existing infrastructure as a member at this point). DNM was based on .NetFW 3.0 and MS SQL 2005 Express edt. The mirror is up and running, ready to supply the VPS and VPUs to new clients.


THE CHALLENGE
How to roll out the managed clients onto all other servers, workstations and notebooks with the knowledge of an infrastructure being infected by several viruses and Trojans at this very moment (where the former AV platform is unable to perform a clean sweep of the environment).

In short:
What is the best practice to implement the new platform onto the existing infrastructure without being infected during the installation of the avast! software?

Rebos I would do something like this I believe.

Take all computers offline. Then scan each computer with the http://www.avast.com/eng/avast_bart_cd.html then after each computer is clean you can safely install ADAM and push out the clients to the computers.

The bart CD as far as I have looked at it is a live cd that can clean computers from virus and trojans but you can read more on the page above.

Hi,

This solution was tested at first in a test environment, but with a breach of some worms and Trojans on the live environment we also applied this solution to the productive environment. It helps, it really does, but as all computers need to be in-house at the same time, there’s your difficulty. So when releasing one or more clients (without the DNM Client) the infections rule the production environment.

The BART solution will be purchased in a single license option to support the enterprise solution being implemented this very week (scraping off the residues of McA___’s non-working small business solution applied for several years ;D)

The new mail server alone has already been protected by the 60 day trial (about to be upgraded by the purchased enterprise license required) version of avast! server edition with plugins.

OK, your provided information/solution was thought over and is on the list of options to implement.
Any other solutions / approaches?

Sorry for jumping in so late.

So… this is indeed an interesting problem, and I’m quite curious how successful we will be trying to solve it.

The success rate of the whole operation depends on what malware we are talking about, exactly. That is, how it propagates (if at all).

The normal procedure would be like this:

  1. install the managed clients (avast netclient or netserver editions) across the network - typically by using a deployment task (remote install)

  2. run a boot-time scanning task on all machines (preset the task to delete all infected files it finds).

This should basically do the trick unless the malware 1) uses some sophisticated techniques to spread over the network, or 2) is unknown to avast.

Please keep us updated.

Thanks
Vlk

I just thought, give the guys a challenge ;D
Nevermind the jump-in-time, you jumped, that’s the important one.

OK, so if I release the clients by using DNM and issue a bootscan I would normally tackle the known stuff.

One of the problems encountered by avast! BART CD (on trial) is a reporting of:

  • pagefile-216
  • pagefile-202

Both are unknown on the viruschest (or this chest has a double layered surface, of which the trapdoor cannot be found by me) and I can’t find relations with other AV application suppliers’ chests.
What I did find out is that when the reported items are deleted with BART and the client is restarted using the Windows environment it is installed with, it runs for about half a day without problems… and then another infected client hits the network and we’re back to start :cry:
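The two-step procedure Vlk gives above (deploy the managed client, then run a boot-time scan) only holds if no unchecked machine is let back onto the network in between, and the "back to start" situation Rebos describes is exactly a cleaned host being reinfected by a host that rejoined. The script below is an added example, not code from the thread or from avast!: it models the rollout as a per-host state machine (offline scan clean, managed client installed, then allowed to join) and, when a cleaned host reports infected again, lists which hosts joined the network since that host was cleaned, which is the first correlation a practitioner would want. Host names, timestamps and event wording are constructed for the example.

```python
"""Added example (not from the forum thread): rollout gatekeeper and
reinfection correlation over a constructed event log."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample log: "<ISO time> <host> <event>". Events are
# scan_clean, scan_infected, agent_installed and join (host put on the LAN).
SAMPLE_EVENTS = """\
2007-03-01T08:00 srv01 scan_clean
2007-03-01T08:10 srv01 agent_installed
2007-03-01T08:15 srv01 join
2007-03-01T09:00 nb17 scan_clean
2007-03-01T09:05 nb17 join
2007-03-01T10:00 nb23 join
2007-03-01T13:30 srv01 scan_infected
"""


@dataclass
class HostState:
    scanned_clean: bool = False          # offline (BART-style) scan came back clean
    agent_installed: bool = False        # managed netclient/netserver is on the box
    clean_since: Optional[datetime] = None


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the log into (time, host, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event = line.split()
        events.append((datetime.fromisoformat(ts), host, event))
    events.sort(key=lambda e: e[0])
    return events


def evaluate(text: str):
    """Replay the log against the rollout policy.

    Returns (violations, reinfections):
      violations  - (time, host, reason) for joins the policy should have refused
      reinfections - (time, host, suspects): a host that was clean reports
                     infected again; suspects are the other hosts that joined
                     between its clean scan and the new detection.
    """
    states = {}
    violations, reinfections, joins = [], [], []
    for ts, host, event in parse_events(text):
        st = states.setdefault(host, HostState())
        if event == "scan_clean":
            st.scanned_clean, st.clean_since = True, ts
        elif event == "scan_infected":
            if st.scanned_clean:
                suspects = [h for t, h in joins
                            if st.clean_since <= t <= ts and h != host]
                reinfections.append((ts, host, suspects))
            st.scanned_clean = False
        elif event == "agent_installed":
            st.agent_installed = True
        elif event == "join":
            joins.append((ts, host))
            if not st.scanned_clean:
                violations.append((ts, host, "joined without a clean offline scan"))
            elif not st.agent_installed:
                violations.append((ts, host, "joined without the managed client installed"))
    return violations, reinfections


if __name__ == "__main__":
    bad_joins, reinf = evaluate(SAMPLE_EVENTS)
    for ts, host, why in bad_joins:
        print(f"{ts:%H:%M} {host}: {why}")
    for ts, host, suspects in reinf:
        print(f"{ts:%H:%M} {host} reinfected; joined since clean: {', '.join(suspects)}")
```

On the sample log the two notebook joins are flagged (nb17 without the managed client, nb23 without any clean scan), and the reinfection of srv01 at 13:30 is attributed to the window in which those two hosts came onto the network. In a real rollout the events would come from the scan reports and the switch or DHCP logs rather than a hand-written list.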

What do you mean, exactly, by “Both are unknown on the viruschest”?

BTW “pagefile-216” and “pagefile-202” are names of viruses as reported by avast?

???
They are reported by BART CD v2.
The viruschest will have me start a search, but does not come up with one or more hits on related viruses and/or trojans.

The normal procedure would be like this:
  1. install the managed clients (avast netclient or netserver editions) across the network - typically by using a deployment task (remote install)

  2. run a boot-time scanning task on all machines (preset the task to delete all infected files it finds).

This should basically do the trick unless the malware 1) uses some sophisticated techniques to spread over the network, or 2) is unknown to avast.

I do have a problem with this procedure:

As known, the clients are possibly infected (more fact than fiction) and I learned from other AV suppliers in practice that you can release an AV scanner application, but once infected, all other software installed after the infection is immediately infected during installation. So what certainty do I have with the bootscan option if the client is released to an infected OS?

Is the safemode on clients an option (manually install the DNM client version)? :-*