Makes me laugh when companies are paranoid about security yet use outdated software. Working in the NHS our tech department are so precious about security (and rightly so) but use IE9 and Adobe Acrobat 9 and take an age to deploy Windows Updates. OK IE9 might still be getting security updates but Adobe have stopped for Acrobat 9

Edited by bobble_bob (Mon 20-Apr-15 13:37:33)

How secure are Routers - most hacks will be automated. The biggest risk is if the DNS setting has been changed at which point broswing web becomes dangerous, but then web browser and their plugins (Acrobat, java etc) flaws are biggest risk to most people who don't click attachments

We had a virus spread at work via shares - basically it hid all folders on shares and replaced them with an executable with same name and standard folder icon - it was obvious with show hidden folders and all file extensions visible, but to most people it looked like the files were vanishing and they run the virus when they tried opening a folder. The Ant-virus wasn't detecting the issue, well if they insist on Symantec what do they expect

Edited by Kenneth (Mon 20-Apr-15 20:47:20)

Did anything actually happen as a result of her disabling the AV? How did they detect she had disabled it and how did all this come about?

How big is the company?

Where does it state in the acceptable user policy she must not disable the antivirus?

In reply to a post by Rygar1:

I should add this lady is not IT illiterate, she is aware of common threats from email links/attachments, free software, phishing etc.

Typo? I read it as she IS illiterate -- and I figured that is why she actually disabled it. I mean if she was IT illiterate maybe she was the victim of a scam phone call and they told her to disable it, because she doesn't know what she is doing she assumed it wouldn't be a problem. Or maybe she just clicked loads of mouse buttons and accidentally disabled it.

Surely that is what you meant, right?....

Staff using a company laptop should not have admin permissions to allow them to disable security software. IMHO, they shouldn't even have the ability to install any software or hardware either. It's a work tool and the IT department should lock it down to be able just to do what the employee needs to do for their job and nothing more. If staff want a PC to do their own thing, then they should buy their own for home use.
Having said that it's entirely fair that their employment contract specifically states what they can and can't do with it. If she has broken that contract then more fool her. However she can argue that the company is complicit by not locking down the laptop. Most major organisations don't give admin rights. They should work on the assumption that most staff and users are IT dumbos.

How far can you take the "contract doesnt states x" argument? For example its probably not in a contract that you cant open the case up and start installing your own hardware, but an employer wouldnt take kindly to you doing that

Edited by bobble_bob (Mon 20-Apr-15 22:13:25)

That's a fair point. Probably covered by a general condition that the user takes good care of the laptop, uses it just for business and make no unauthorised hardware or software changes to it. However you have to assume, probably wrongly, that an employee has some common sense when it comes to IT. Assuming that the laptop is on a server based network, then you can control everything that a user can or can't do via Active Directory. That's what the company has done wrong in not locking it down. If you give staff a gun AND the bullets you've got to assume that that someone will shoot themselves in the foot.

No. With hindsight giving the background to this issue was probably a mistake as its served as a distraction to the real reason behind my post but in for a penny in for a pound. A known false positive activated the AV and stopped her from doing an important time critical task. This was the reason she disabled it. No computers or animals were harmed during the disabling of this software.

Its a small company and the management dont know anything about IT. They used to have a bloke that did their IT but it wasnt his actual job there, he just knew most about it and got lumbered. He left a few months ago so they got this 3rd party to look after their needs. Not knowing much about IT the management take whatever this company tell them as gospel.

Some fairly specific technical claims are being made i.e that her actions put the company's systems at serious risk of LAN/VPN virus infection & attack from hackers. All I'm saying is that one remote user disabling AV for an hour isn't as big a danger as they are claiming. Firewalls anyone? Its not like she connected via a USB modem on windows 95.

I was looking for any info on viruses that jump directly from drive to drive as I'd often heard this but never experienced it. I've since read up on conficker as one such example but I still believe that most viruses these days dont exhibit such behavior. I was also looking for any good links/articles that may say something along the lines of "if you are behind a router & software firewall and you dont do anything silly, chances are you will be safe from hacking" Just something she could show her bosses to try and make them understand it wasnt quite as bad as support are making out.

Think you may have a real problem trying to find proof, that there is little or no risk, because as we all know what is not possible today in the world of IT could quite realistically be possible tomorrow. Never say never, springs to mind. Even the smallest vulnerability can be a risk.
I'd say her best bet if it comes to disciplinary is to say that if they don't want staff to be able to disable security software then they should lock down the laptop so that it's not possible. In other words the company is complicit in the "crime". That should work at a tribunal if it came to it, which I hope it never does. Hopefully they will see sense and back down.

I wouldn't bother looking at the technical issues. That's the IT company's job.

Until now, your friend has had to disable AV temporarily in order to carry out her duties. This needs to be stated in writing. If her actions are not acceptable to her employer, then they must provide a way for her to do her work without disabling AV. If they refuse to do so and fire her, then she can claim for constructive dismissal. If, on the other hand, she is disciplined either formally or informally, she should make a written complaint since her actions were entirely reasonable.

It is the IT company's job to provide a workable solution as directed by her management.

The question is whether she contacted the IT support when the file was blocked as a false positive - and how could she be 100% certain it was indeed a false positive?

The actual risk was probably relatively low. However, if people "get away" with this then more and more people do it and it will end up with people routinely disabling the protections. Personally I would throw the book at anyone who knowingly turns off security measures without first getting approval to do so. At the very least she could have raised the issue with her line manager to get their approval.

The problem is that many people do these things without understanding that there are risks and that is how issues start.

Viruses can and do take down whole companies and cost large sums to eradicate. Some viruses are incredibly good at spreading through a network via relatively unknown exploits (SQL slammer is a worm that caused mayhem in a number of companies).