andyturpie (7th December 2009)
Hi Gang,
For weeks now we have been chasing around a pesky virus (artemis) and are considering a ban on all USB sticks/removable drives. As we are an RM school we would like to recommend some off site storage for the girls/teachers to use. Would love to hear if other schools have followed through with this?
Also did you open up all machines and physically remove connection from mainboard, or use BIOS configuration?
How did the teachers and pupils react to the decision of banning them?
Feedback much welcome!
Regards,
Andy Turpie

How is it being spread? If it is the autorun.ini, then can you not just disable autorun.ini by GPO? That's all we did at my place, and although the virus is still there, it's just not run.
Toby
Good but that seems pointless. Why do people need access to memory sticks? They all, I assume, have access to a school email account and can attach and send files via that.
We have just blocked all drives so that even when it's plugged in it won't recognize it as a mass storage device.
Hi Toby,
Our school has over 500 desktops and 115 teacher laptops. The virus is caught by our McAfee, but leaves a mess of the registry, with startup looking for two dsjkhfkjsdhf.exe program entries (example there). This upsets the teachers on classroom PCs as they have to click okay twice after they log on to get rid of the message. We are chasing this around a large site and would prefer to kick off a full rebuild of all PCs, ban USB usage and start afresh.
Dan,
Good point - They have access to Easymail with attachment facilities. How did you block the ports, as we would need two live for keyboard and mouse?
Andy

Hiya,
I understand where you are coming from. Our virus did not work like that, so I understand where you were coming from. At the time when we had ours, Sophos didn't even know of the virus; we had to send them samples of the files for them to fix. But all the virus did was spread itself via USBs, and there was a DLL on the machine that just infected the drive if it could write to it. The email thing is one way around it. But the school I was at at the time had lots of darling students that tended to pull the network leads out, and when reconnected the network drives did not reconnect until log off, and the student could not save their work anywhere as they had a mandatory profile. So we had to pop around with a USB stick and save it to that for them, then reboot the machine and log in, and save the work to the network!
Block the drives rather than the ports, e.g. block E:, F: etc., but leave the ones you use for mapping drives to.
Toby
They could work at school, just like the students who don't have a computer at home.
Also worth finding out if you actually have any without PC/internet access before worrying about that - from a recent survey, we know we have 100% broadband penetration (but we are a fee-paying urban school, so it may be different for you).
I've been experimenting with a program called USBDLM for some time now to resolve a problem with our USB drives using network drive letters, rendering the USB drive unusable. It worked perfectly, but could even be configured to scan for viruses before the drive is made accessible to the user. Not tried this functionality yet (in testing). It can bypass Windows autorun, which would help with limiting the damage caused by a network-aware virus on a USB stick. Plus it has a wide feature set for limiting specific devices (works with digital cameras, card readers, external HDDs and more - check the site), renaming and encryption.
I also use software restrictions to limit where executables run from, limiting exes to run from known locations only (search the forums for more info).
Depends on your site requirements and policies for data usage and security but as USBs are cheap, versatile and just work (mostly), it makes them ideal for moving and using data anywhere, unfortunately.
We had a similar viral outbreak here a couple of years ago.
We had problems rolling out Sophos, and when it was present it would detect the virus and prevent it running, but couldn't remove it.
My solution was writing a VBS to notify me of infections. (The virus in question always generated a specific file in addition to random ones (C:\Windows\inf\svchost.exe).)
From there it was just a matter of cleaning it up (used a program called Replacer that was intended for replacing system files, then terminated the process) and inoculating against repeat infections (by disabling autorun and setting deny permissions on the local executables).
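
Added example, not part of any post in this thread: a read-only PowerShell check for the two leftovers described above, namely startup entries that point at a file the antivirus has already removed, and the marker file named in the preceding post. The function names and the choice of Run keys are assumptions made for this example.

```powershell
# Added example. Read-only: reports findings, changes nothing.
$marker  = 'C:\Windows\inf\svchost.exe'   # indicator file named in the post above
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  # HKCU = current user only
$psProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-RunTarget([string]$CommandLine) {
    # Program path of a Run value: "quoted path" args, or path.ext args
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists([string]$Target) {
    if (-not $Target) { return $false }
    if ($Target -match '^([A-Za-z]:|\\\\)') {          # drive-letter or UNC path
        return (Test-Path -LiteralPath $Target -ErrorAction SilentlyContinue)
    }
    # Bare names such as rundll32.exe are resolved through PATH
    return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_ -and $psProps -notcontains $_.Name }
    foreach ($v in $values) {
        $target = Get-RunTarget ([string]$v.Value)
        if (-not (Test-TargetExists $target)) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Finding  = 'Run entry points to a missing file'
                Detail   = "$key\$($v.Name) -> $target"
            }
        }
    }
})
if (Test-Path -LiteralPath $marker) {
    $findings += [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Finding  = 'Marker file present'
        Detail   = $marker
    }
}
$findings
```

Run as a logon script, it covers each user's HKCU entries as well as the machine-wide ones; the output objects can be piped to `Export-Csv` on a share to see which rooms still need cleaning.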
We have blocked all USB media for years 9 to 11 as they seemed the only users causing problems. We have Ranger administrator and it was very straightforward to set up a block. As long as you have a good VLE/email system it shouldn't be a problem. We also have SharePoint access to students' home directories. The only issue is students who do not have internet at home.

We use GFI endpoint security. It's not cheap but does the job well.
Hi,
You can disable all USB storage devices by pushing out a registry merge in your workstation custom settings in the RM Console. The value that you need to change is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
In the details pane, double-click Start.
In the Value data box, type 4, click Hexadecimal (if it is not already selected), and you are done.
We have a temporary ban on USB storage here for the same reasons!
Hope that helps.
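
Added example, not part of any post in this thread: a PowerShell script that audits, and with `-Enforce` sets, the UsbStor `Start` value described above together with the autorun policy mentioned earlier in the thread. The `-Enforce` switch, the check names and the use of `NoDriveTypeAutoRun` = 0xFF as the autorun policy value are assumptions made for this example.

```powershell
# Added example. Audits the two workstation settings discussed in this thread;
# with -Enforce (run elevated) it also writes the wanted values.
param([switch]$Enforce)

$checks = @(
    @{  # USB mass-storage driver: Start = 4 means disabled (3 is the default)
        Name  = 'USB storage driver disabled'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Value = 'Start'; Want = 4; CreateKey = $false
    },
    @{  # Assumed policy value: 0xFF turns AutoRun off for every drive type
        Name  = 'AutoRun off for all drive types'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value = 'NoDriveTypeAutoRun'; Want = 0xFF; CreateKey = $true
    }
)

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }   # returns nothing if key or value is missing
}

foreach ($c in $checks) {
    $current = Get-RegValue $c.Path $c.Value
    if ($Enforce -and $current -ne $c.Want) {
        # Only the policy key is created when absent; a missing driver key is left alone
        if (-not (Test-Path $c.Path) -and $c.CreateKey) {
            New-Item -Path $c.Path -Force | Out-Null
        }
        if (Test-Path $c.Path) {
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
            $current = Get-RegValue $c.Path $c.Value
        }
    }
    $shown = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Check     = $c.Name
        Current   = $shown
        Wanted    = '0x{0:X}' -f $c.Want
        Compliant = ($current -eq $c.Want)
    }
}
```

Without `-Enforce` the script only reports, so it can be run first to see how many machines already carry the settings before anything is changed.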
andyturpie (7th December 2009)
Thanks Stuart, that's the route we might go down - nice one!!!!!!!!!
Andy T
Could you keep me/us posted on how you get on with this as this sounds like a useful solution to a few issues that have plagued me in one or two schools.
If nothing else, getting the AV to scan the drive and kill off any autorun chicanery BEFORE anything goes in the system would be a real plus.