On 9/4/2010 4:47 PM, Tim Wilson wrote:
> On Fri, Sep 3, 2010 at 11:14 PM, Robert Nesius <nesius at gmail.com> wrote:
>>
>> Just wondering... do you update these machines all at once?  And... are they
>> on the same subnets?  If so, have you explored using multicast packets?
>> That's the direction  I saw updates going at my previous gig.
>>
>> -Rob
> 
> Rob,
> 
> We're using the standard Windows update server system. (I have to
> admit that I'm not familiar with the details of the process.) I don't
> believe there's any multicast going on.
> 
> We think that if we can make the distribution of the updates easier,
> we'll be able to run the updates more often. We've seen a large
> increase in the number of malware infections in the last year
> despite our enterprise-wide use of Symantec's anti-virus system. One
> infection late in the school year put our summer workstation imaging
> three weeks behind schedule.
> 
> -Tim
> 
> --
> Tim Wilson
> Twin Cities, Minnesota, USA
> Educational technology guy, Linux and OS X fan, Grad. student, Daddy
> mailto: timothy.d.wilson at gmail.com   aim: tis270   blog: technosavvy.org
> 

Hi Tim,

Have you looked into say an inline IDS/IPS?

Snort may be something you want to look into at your internet gateways (and possibly
interconnect routers or VPN concentrator).

I believe Snort can be used as an IPS using snort_inline, which utilizes clamav as a
detection preprocessor that can drop packets upon detection. Depending on your bandwidth
this would probably need to be a somewhat beastly machine.

Or, just start blocking friggin' ad networks. StarTrib and Pioneer Press have had plenty
of intrusions upon their ad networks.

Hope you get this solved so you can rest easy!

~M
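An added example, not from ~M or anyone else on the thread, tying the two suggestions above together: a small POSIX shell function that turns a list of ad-network domains into Snort `drop` rules that an inline sensor can load. The domains, the SID range and the rule wording are constructed placeholders for illustration; a real deployment would feed it a maintained ad/malvertising domain list and pick SIDs that do not collide with the rule sets already on the sensor.

```shell
#!/bin/sh
# Added example (not code from the original thread): generate Snort "drop"
# rules for an inline sensor from a list of ad-network domains.
# "drop" only takes effect when Snort runs inline (snort_inline / inline mode);
# in passive IDS mode the same rule merely alerts.

# Constructed sample block list. One entry is deliberately malformed to show
# that input is validated before it becomes a rule.
AD_DOMAINS='ads.example.net
tracker.example.org
bad host
cdn.adserver.example'

# gen_ad_block_rules [START_SID]
# Reads one domain per line on stdin and prints one rule per valid domain.
# Each rule matches an outbound HTTP request whose Host header is exactly
# that domain (the trailing CR LF keeps "ads.example.net" from also matching
# "ads.example.net.other"). SIDs are assigned sequentially from START_SID;
# 1000000+ is the conventional range for local rules (assumption: unused here).
gen_ad_block_rules() {
    sid=${1:-1000001}
    while IFS= read -r d; do
        case "$d" in
            ''|*[!A-Za-z0-9.-]*)
                # skip blank or non-hostname lines rather than emit a broken rule
                if [ -n "$d" ]; then
                    echo "skipping malformed entry: $d" >&2
                fi
                continue
                ;;
        esac
        printf 'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Ad network blocked: %s"; flow:to_server,established; content:"Host|3A| %s|0D 0A|"; nocase; classtype:policy-violation; sid:%d; rev:1;)\n' \
            "$d" "$d" "$sid"
        sid=$((sid + 1))
    done
}

# count_rules: number of rules produced from the sample list (3, since
# "bad host" is rejected).
count_rules() {
    printf '%s\n' "$AD_DOMAINS" | gen_ad_block_rules 1000001 2>/dev/null | wc -l | tr -d ' \t'
}

# Usage: write the rules to a file that snort.conf includes, e.g.
#   printf '%s\n' "$AD_DOMAINS" | gen_ad_block_rules > /etc/snort/rules/adblock.rules
printf '%s\n' "$AD_DOMAINS" | gen_ad_block_rules
```

Host-header matching only covers plain HTTP, which is where most 2010-era ad serving lived; traffic to the same domains over HTTPS would need a DNS-level block (a sinkhole zone on the school's resolver) or an SNI/certificate match instead, which this example does not attempt.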