The Anti-virus Times

The Anti-virus Times recommends

Set strong passwords for all user accounts under all operating systems you use (at least eight character, using lower- and uppercase characters as well as digits and symbols.)

Block the unused user accounts.

Enable a security policy that will not allow users to set weak passwords and define a password expiry date. This will prevent attackers from using leaked credentials that may have been used on a compromised computer. Password policies are configured using the GPO (Group Policy Objects): Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy.

Use the Account Lockout Policy (also accessible via the GPO) to define how many times an incorrect password can be entered before the account gets locked. Doing so will prevent attackers from cracking passwords.

Enable automatic updates and install all available updates. First, ensure the security update MS17-010 is installed.

Use the firewall to ensure a remote connection can only be established for specific addresses.

If other hosts connect to the machine remotely, change the default listening port for RDP connections. You can do this by modifying the registry.

Use protection against port scan attacks and audit your services that use network connectivity and make them inaccessible outside your infrastructure.

Consider revising your RDP access policy by making Remote Desktop connections possible only over an encrypted tunnel and ensure your servers are accessible from other networks only via a VPN tunnel.

Only use the current version of Dr.Web software -- Version 12 is the latest.

If you use a corporate anti-virus solution, take advantage of the application control feature. It lets you configure a list of allowed and blocked applications (the programs permitted to launch and those that aren't), further enhancing your infrastructure's security.

When you're online, never toggle off the file monitor SpIDer Guard or the preventive protection.

To prevent anti-virus components from being disabled, protect your anti-virus settings with a password. The anti-virus settings password and user account password must not match. To learn how you can protect anti-virus settings with a password in a corporate Dr.Web solution, please refer to the documentation.

Do not permit users in your network to disable the anti-virus's components or modify its settings. In corporate Dr.Web solutions, user permissions can be changed in the Control Center: go to Anti-virus Network →, select a host or a group and click → Permissions.

If a computer is connected to the Internet, the anti-virus must be updated at least once an hour. Ensure virus database updates are being downloaded and installed.

Don't overuse scan exceptions: do not add folders containing temporary files and application files to the list.

Attackers often disguise malicious executables by adding a fake .doc extension to file names. Disable the option to hide extensions for known file types. This way you will always see what kind of file you are opening. Go to Start → Control Panel → Folder Options → View → and clear the Hide extensions for known file types checkbox.

Back up your valuable information regularly to media on which no data can be written from the system where the original files are stored.

Enable the security audit policy on the Windows servers being accessed from the Internet (Local security policy → Local Policies → Audit Policy) and analyse security logs regularly to promptly discover attempts at gaining unauthorised access to the system and take action. You can find detailed information about security audit events here.

And one last thing. The situation we've described above may be part of a planned attack on your infrastructure. Doctor Web is always ready to assist organisations in investigating malware-related incidents.

To find out more, visit this page.