Antivirus and Desktop Security Policy

Purpose of Policy

While UCAR maintains an Internet security perimeter and an Active Directory infrastructure that protect many of our information resources, we must also implement security on our individual PC/Windows and Macintosh computer platforms so that they cannot be used by viruses, worms, ransomware, or other malicious software to attack internal or external information resources.

Antivirus Software

Antivirus software must be correctly installed, configured, and activated on all Microsoft Windows computer platforms connected to the UCAR/ACOM network.

Antivirus definitions must be regularly updated. For computers that run Microsoft Forefront Security or Windows Defender on the CIT domain, the update cycle is automatic as long as the computer is connected to the UCAR network. For systems on the CIT domain that are not connected to the network, you may need to download updates manually on a regular basis using Windows Update.

Regularly scheduled full scans must be made using your Antivirus software client. These scans must be performed no less frequently than each month. In some cases, the ACOM Systems staff may request scans, or may request more frequent scanning depending on identified threats at the time.

Microsoft Forefront Security or Windows Defender is the required antivirus software for all Windows machines attached to the CIT domain. Security-related events are sent to the System Administrators as they occur. Any use of other antivirus software in lieu of Microsoft Forefront Security or Windows Defender must be approved by the head of the ACOM Systems group. Windows Defender is built into Windows as of Windows 8 and is included in Windows 10.

Spyware, adware, and malware are now detected by Forefront and Windows Defender. We supplement this detection technology with the browser plugin uBlock Origin which blocks malicious content at the browser level. Other adware/spyware detection/removal software may be used as long as it does not interfere with the operation of our current Antivirus solution.

Incidents and detections must be reported to the ACOM Systems staff. In some cases, antivirus software will flag adware such as might come with free software downloaded from the Internet. In other cases, the computer involved may be more seriously compromised. ACOM's policy for most incidents and detections identified as serious is to work with the UCAR security team for initial response and, upon their approval, to reformat the disk and reinstall Windows with our base install. UCAR's policy for most incidents and detections may involve a more detailed forensic analysis of the compromise, in which case the PC involved may be unavailable for several days until that forensic analysis is complete. An alternate workstation, configured with ACOM's base install, may be provided if one is available.

Visitor and lab machines are included in this antivirus policy if they are connected to any UCAR/ACOM network, including the wireless guest network and VPN. The visitor's home institution or the visitor personally is expected to provide antivirus software and updates on non-UCAR-owned equipment. The owner of a privately owned, non-UCAR computer must provide antivirus software, maintain updates, and periodically run full scans on that machine.

Wired Ethernet, guest, wireless, and VPN connections are considered parts of the UCAR/ACOM network, and so machines that connect using these technologies are included in ACOM's antivirus policy.


Windows and Mac OS X Operating System updates


Windows critical updates must be applied to all ACOM-owned PC computers running Microsoft Windows. If the computer is not part of UCAR's Windows Server Update Services (WSUS) deployment provided through Active Directory and the CIT domain, you must run Windows Update periodically to make sure that critical updates (particularly security updates) are installed.

Mac OS X security updates must also be applied to all ACOM-owned Macintosh computer systems running Mac OS X.


Monitoring and Enforcement


At any time, ACOM Systems staff may check for antivirus software, antivirus updates, and operating system updates. Antivirus software may be installed if not found on a system. Security updates may be applied if they are not found on a system.

Where a machine is identified as not meeting ACOM's antivirus policy, and the machine is not actively involved in a security incident, a probationary period of 1 week will go into effect during which the machine must be brought into compliance. Should the machine not be in compliance at the end of the probationary period, it must be removed or isolated from the network. ACOM Systems staff may take the steps necessary to bring the machine into compliance. The probationary period begins when an ACOM Systems Administrator has identified the noncompliance and has informed the owner of the system, or of the lab in which the system is installed.

Active Incident Response


During an identified incident, ACOM must follow the UCAR emergency response policy at https://www.ucar.edu/csac/internal/policy/20070103-01/. During an active incident, any of the following may happen:

  • Disconnection from the network -- typically a machine will be disconnected from the network but left running as per the direction of the UCAR security administration team.
  • Retention of the drive for forensic analysis -- the UCAR security administration may request that we retain the drive(s) for forensic analysis. Should this happen, we will provide a new drive and a new operating system configured with our base configuration.
  • Retention of the computer for forensic analysis -- in some cases, the computer may be held for a period of time determined by the UCAR security administration team. Should this happen, an effort will be made to allocate a temporary replacement machine should one be available.
  • Interviews may be conducted by the ACOM systems staff and/or the UCAR security administration team in order to identify what led to the incident.
  • Supervisor notification may be required if the incident was the result of a violation of ACOM's or UCAR's computer use policies.


Exclusions


Unix systems in ACOM are excluded from antivirus software at this time. Computers which have a technical requirement to run without antivirus software resident in memory (such as aircraft systems or lab systems behind firewall boxes) may have the antivirus software disabled during operations. Such computers must have their antivirus software enabled, however, whenever they connect to the wired internal UCAR/ACOM network.

ACOM | Atmospheric Chemistry Observations & Modeling