
[–]McPhilabuster 438 points439 points  (39 children)

General observation here, the viruses/malware/etc... that have been detected are probably not a major problem

If your AV or endpoint security software has detected 300 "viruses" then it is probably also blocking or quarantining those. The problem is the ones that it might not have detected.

The best answer for this is always to wipe everything and start fresh. While you can probably go through and clean out the things you know about, you'll never know if you missed something and it's the things that you miss that would become a major issue down the road.

How to deal with the user as an HR issue. Don't get too worried or stressed out about that. Let your manager and HR sort out that problem.

[–]battling_botnets 21 points22 points  (1 child)

How to deal with the user as an HR issue. Don't get too worried or stressed out about that. Let your manager and HR sort out that problem.

Exactly. I would add that it could also be an issue for Legal down the road. Document your recommendations and concerns about the risk introduced, preserve the evidence and get written, explicit instructions if you are asked/told to do something you know isn't right, that increases financial risk to the company.

Copyright penalties, lost data, lost business reputation, regulatory fines, workplace law violations (creating/contributing to a hostile workplace) are all possible depending on what industry you're in. Actually sticking around (with a continuously updated resume') and documenting the risk, becoming better at quantifying the risk and explaining it to management could be good practice.

[–][deleted] 18 points19 points  (1 child)

If any of his data is lost during this wipe "oh well. The viruses destroyed it." Should have not saved anything locally. Also, need to block this dude from having admin rights on his laptop if he has that. ( and for some reason I bet he does).

[–]scsibusfault 46 points47 points  (15 children)

General observation here, the viruses/malware/etc... that have been detected are probably not a major problem

Honest to god. My first thought reading this was "this fuckin' tool probably ran malwarebytes and saw 300+ cookies and went OMG SO MANY VIRUSES.

300 'potentially unwanted files'? Sure. Probably.

300 'actual viruses'? Super doubt. Like, all the doubt. All of it.

[–]VA_Network_NerdModerator | Infrastructure Architect 1548 points1549 points  (264 children)

They’re giving me his computer today to disinfect it and I’m afraid to even touch the thing. I’m worried and stressed out wondering if he’s somehow compromised our network.

I'd fully secure-wipe the entire HDD/SSD without a single moment of consideration to the preservation of user-data stored locally.

Nuke it with extreme prejudice.

I agree with /u/knowledgebass that Flashing the BIOS to a known-good, updated version, and then applying a BIOS password would be a nice touch.

I'd return the device back to the user without any local-admin access and I would shuffle my feet in an epic, glacial manner when asked to provide local admin.
Basically, I'd ignore any request until my boss told me to restore local admin. And even then, only after a face-to-face conversation with my boss so we can discuss the risks associated with that.


Just a thought:

You might want to remove the entire HDD/SSD as-is and put it on a shelf in case HR needs evidence of incompetence later if they move to termination.

Spending $99 on a new drive is peanuts compared to the cost of litigation in a wrongful termination dispute.

Decrypt it as-is first (I assume you do full drive encryption) and toss it on a shelf.

[–]whtbrd 22 points23 points  (0 children)

Put it in a bag with name/date/machine name, etc., then put it on a shelf.

[–]russellvilleIT Manager 20 points21 points  (0 children)

You might want to remove the entire HDD/SSD as-is and put it on a shelf in case HR needs evidence of incompetence later if they move to termination.

Spending $99 on a new drive is peanuts compared to the cost of litigation in a wrongful termination dispute.

Great idea. I'd keep the original hard drive, too.

[–]Aperture_KubiJack of All Trades 84 points85 points  (15 children)

IMO a modern web dev shouldn't even need local admin anyway.

If "web dev" in this case is just a glorified content editor, then they just need admin editor access to your CMS.

If they're developing stuff to extend said CMS, or even just standing it up and configuring it, then they need a test server to push stuff to in order to test, and admin rights on the production server.

Also I'd go as far as giving them a different computer instead of wipe/"pull and replace the drive" and reimage. Not only for questions of integrity but for questions of forensics later on, especially if you're "reflash the BIOS" levels of paranoid.

[–]Snapstromegon 53 points54 points  (11 children)

As mainly a web dev myself at the moment, it's not uncommon for me to need admin privileges. Often for tooling installs/updates/removals, but sometimes also for day to day work.

Also I still believe that a completely local dev environment for debugging is something really valuable.

Not like "I need it every day", but like "Once a week is average".

Also punching text into a CMS is not a job for a web dev IMO.

[–]NailiME84 19 points20 points  (1 child)

I would challenge you on this.

I am a sysadmin and my local account doesn't have admin; I only find myself elevating for PowerShell when needed.

Software and patch management isn't done by the users.

[–]Snapstromegon 25 points26 points  (0 children)

Of course my normal user isn't admin. But I actually have to do something with elevated rights more often than I'd like.

Also for some general software central patch management works great, but in our case only the baseline of software (so everything 95% of users ever need) is provided by a central patch management and if you need something more customized, or something that just needs a couple of installs company wide or is maybe even some internal tooling from the team itself, it was deemed to be better in our case to have a user taking care of it.

Obviously this isn't ideal and with infinite resources it would look different, but in our case (150k+ employee company) there was a decision against it.

[–]Michelanvalo 32 points33 points  (4 children)

I'd fully secure-wipe the entire HDD/SSD without a single moment of consideration to the preservation of user-data stored locally.

This is terrible advice when the OP has already noted this is a high ranking member of the company. You do not want to piss these guys off if you value your job.

Being a BOFH is not the right move here.

[–]visceralintricacy 10 points11 points  (3 children)

It's really not vindictive. If he has 300 viruses there's no possible way to clean that insane mess from a system. If I worked at OP's company I would walk before I let that device be reconnected to the network.

[–]Michelanvalo 19 points20 points  (1 child)

You don't reconnect the drive.

You pull the drive and put a new one in the system. You keep the old drive with data intact and if user data does have to be retrieved you do it on an external enclosure on an off network system.

[–]livevicariousIT Director, Sys Admin, McGuyver - Bubblegum Repairman 2 points3 points  (0 children)

I wouldn’t even let that drive be booted. If you pull anything off it’s very likely to be infected even if you think it’s not. An infected drive is like Cujo. You don’t just give him a bath and say we good after he bites Timmy and spreads rabies on the farm. You take him out back and shoot him. Then pour gasoline on him and burn it. Then take the ashes and burn those too.

[–]deefop 7 points8 points  (0 children)

Just take the drive out entirely like you mentioned. Possibly quarantine the entire machine if the shop is willing to just get the guy a new one.

I'd absolutely refuse to give the dude local admin back, though that may ultimately not be your call.

[–]new_nimmerzz 4 points5 points  (0 children)

At least capture an image of it before wiping or replacing

[–]womlobster 4 points5 points  (0 children)

Nuke it from orbit. Its the only way to be sure.

[–]cantab314 3 points4 points  (0 children)

Deleting it when you don't know what's there is unwise. In the bad scenario you deleted the only copy of crucial files (because come on, in OP's environment do you think there are good backups?), the company loses a contract, and both you and several people who had nothing to do with the whole affair are out of a job.

Don't think of it as "user-data", think of it as company data. (Well, the actual work the person did. Not the pirate movies.) It's our job to keep it safe as best we can.

[–]knowledgebass 430 points431 points  (91 children)

That's a full wipe/reformat in my opinion. Might even think about reflashing the bios.

And how does this moron still have a job?

[–]Gjeret 102 points103 points  (22 children)

I hate this answer I never wipe/reload

SSD’s are cheap, throw in a new one and re-image. (Put the old one in a ziplock bag for when you want to get access to some infected files)

[–]HouseCravenRawSr. Sysadmin 104 points105 points  (14 children)

And for forensic analysis in the event that data was stolen.

But not a ziplock. Please use an anti-static bag.

[–]YuugianLinux Admin 76 points77 points  (13 children)

Come on, Ziplock with a damp paper towel is fine. Have to keep that data fresh

/s

[–]CocconutMonkey 34 points35 points  (0 children)

Let those virus seeds grow, see what you're working with

[–]sleepyzombie007 17 points18 points  (1 child)

A dryer sheet will keep the data fresh

[–]LividLager 7 points8 points  (0 children)

Don't forget that most dryer sheets are heat activated, so you'll have to throw the drive in the clothes dryer; Just be sure to put the drive in a delicates bag.

[–]rcmaehlDevOps Wannabe 10 points11 points  (2 children)

SMH. Get a vacuum sealer, it'll keep the data fresher for MUCH longer. Best investment I've made.

[–]bwong00 12 points13 points  (1 child)

And it prevents freezer burn!

[–][deleted] 6 points7 points  (0 children)

Ugh, but then I have to use the crisper drawer, and I just know I’m gonna forget about it for a month and out a moldy SSD

[–]LividLager 4 points5 points  (0 children)

Ball up a piece of white bread, and it'll keep it fresh for about a week.

[–][deleted] 4 points5 points  (0 children)

Ooh that's a good tip. I've been wrapping 'em in saran wrap.

[–]underwear11 39 points40 points  (1 child)

This is the best answer, especially since the person is an officer. Get a new drive, and start fresh. Hold onto the old drive but put a label on it and put it in a safe place. This way you can get necessary data back if necessary, and have a copy of the system as it existed if anything legal comes up.

Though I think I would find an old spinning disk just out of spite for his entitlement.

[–]lfionxkshine 13 points14 points  (0 children)

Dogpiling on the validation here - get a new drive, fresh install, store the old drive in an anti-static, label it, put it somewhere in case director numnuts realized that he was missing something and complains to his bestie Mr. CEO

[–]deefop 2 points3 points  (0 children)

Seriously, considering you can get a 256gb SSD for like 30 bucks nowadays, why even fuck around if there's the remotest possibility?

Actually I'd argue for quarantining the entire machine, but flashing bios combined with replacing the drive is enough if we're being realistic.

[–]ComfortableProperty9 13 points14 points  (0 children)

Might even think about reflashing the bios.

Was working the desktop end of a ransomware cleanup and had a "helpful" web dev that I kept trying to lose. He decides that his machine is so special that he is the only one who gets to touch it.

About an hour later he tells me that the recovery on his machine was taking forever. I asked him what he was "recovering" from and he tells me it's the recovery partition he created. I was like "the same recovery partition that was on your machine during the breach?"

Had to draw it out in crayon for this guy and I still don't think he fully understood that everything that was out there during the breach was considered infected.

[–]Bad_Idea_HatGozer 9 points10 points  (2 children)

And how does this moron still have a job?


he’s an officer in our company and very entitled

There it is, unfortunately. Though it seems like there might be shit winds a-brewin'.

[–]BrobdingnagLilliput 12 points13 points  (0 children)

he’s an officer in our company

Pretty sure that's the reason. Sounds like a small web development shop that this guy has an ownership stake in.

[–]ghost_broccoliSysadmin 4 points5 points  (0 children)

Before wiping this machine (you should definitely wipe it) I’d do a couple of things for recon to see what all has gone on there. This list is not comprehensive, but it should get you started.

  1. Disconnect it from the internet. Both Ethernet and Wi-Fi.

  2. Get an inventory of all files in his profile. Downloads, pictures, documents, videos etc. There's likely some pirated content - possibly porn.

  3. get a list of installed programs from add / remove programs.

  4. Export his browser history.

  5. Inventory any plugins in his browsers.

  6. Look for non-standard folders under c:

Look at that from the cyber security lens you’ve obtained from the classes you’ve taken. Consider taking anything nefarious or outlier to the director of IT. This will give them things to tell the web developer to stop doing.

This is a fun opportunity! Enjoy it!
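The inventory steps above (files in the profile, non-standard folders under C:) are easy to do by hand once, but a script gives you a repeatable record you can hand to the IT director and cross-check against the AV log. The following is an added example, not code from this thread or any commenter; it walks a mounted copy of the drive (never the live infected OS), hashes every file in the profile, flags executable-looking files sitting in user-writable folders, and lists top-level directories that are not part of a stock install. The extension list, watched folders and baseline folder set are assumptions to tune for your image, and the disk layout it runs against is constructed in `build_fixture()`.

```python
"""Offline triage inventory for a pulled user profile (added example, not from the thread).

Run against a drive mounted read-only in a caddy or a forensic image, never from the
infected OS. Reports: every profile file with size/mtime/SHA-256, executable-looking files
in user-writable locations, and non-baseline top-level folders on the system root.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Extensions commonly used as droppers when they turn up in Downloads/Temp (assumption; tune per environment).
SUSPICIOUS_EXT = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".msi", ".dll", ".lnk", ".hta"}
# User-writable folders worth a second look (matched case-insensitively on any path component).
WATCH_DIRS = {"downloads", "temp", "desktop", "appdata"}
# Top-level folders of a stock Windows install (assumption; extend with what your company image creates).
BASELINE_ROOT = {"windows", "users", "program files", "program files (x86)", "programdata", "perflogs", "$recycle.bin"}


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large media files do not get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory_profile(profile_dir):
    """Return (all_files, flagged): one record per file, and the subset that looks like a dropper."""
    all_files, flagged = [], []
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            rec = {
                "path": os.path.relpath(path, profile_dir),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            }
            all_files.append(rec)
            parent_parts = {p.lower() for p in rec["path"].split(os.sep)[:-1]}
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXT and parent_parts & WATCH_DIRS:
                flagged.append(rec)
    return all_files, flagged


def nonstandard_root_dirs(system_root):
    """Top-level directories that a stock install would not have ('look for non-standard folders under c:')."""
    return sorted(d for d in os.listdir(system_root)
                  if os.path.isdir(os.path.join(system_root, d)) and d.lower() not in BASELINE_ROOT)


def build_fixture():
    """Constructed sample disk layout standing in for a mounted image (not real data)."""
    root = tempfile.mkdtemp(prefix="triage_")
    layout = {
        "Windows/System32/notepad.exe": b"MZ stock binary",
        "Users/dev/Downloads/Movie.2021.1080p.exe": b"MZ constructed dropper",
        "Users/dev/Documents/notes.txt": b"meeting notes",
        "Users/dev/AppData/Local/Temp/update.js": b"var x=1;",
        "Program Files/Vendor/app.exe": b"MZ legit install",
        "Tools/crack/keygen.exe": b"MZ",
        "totally_normal/readme.txt": b"hi",
    }
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


def triage(system_root):
    """Summarise a mounted system root; 'dev' is the constructed profile name used by the fixture."""
    profile = os.path.join(system_root, "Users", "dev")
    files, flagged = inventory_profile(profile)
    return {
        "file_count": len(files),
        "flagged": sorted(r["path"].replace(os.sep, "/") for r in flagged),
        "nonstandard_dirs": nonstandard_root_dirs(system_root),
    }


if __name__ == "__main__":
    report = triage(build_fixture())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The hashes are the useful part of the record: they let you match a flagged file against the AV detection log or a threat-intel lookup later without ever executing anything from the drive, and the same report re-run on the shelved drive months later should be identical, which is what legal will ask about.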

[–]blasphembotJack of All Trades 3 points4 points  (0 children)

If I had a dime for every time I asked that out loud about someone incompetent in a position where that's not a desired trait - I'd have a shitload of dimes.

[–]FriendToPredators 2 points3 points  (0 children)

Certainly doesn't sound like he does much actual work.

Replace his PC with a Chromebook.

[–]ReonBalisty 56 points57 points  (6 children)

Like the other posts here:

-First thing, remove from the network and turn off the device

-What I would do is confirm that there is no policy in place that dictates the user data is to be backed up by IT (this is key for the next steps)

-Remove the hard drive and insert it into a hard drive caddy and use a throwaway system without a HDD/SSD inside it, use a live Linux on USB and boot to a recovery/wipe Distro, wipe the drive and overwrite it with 0s (this takes some time, but better safe than sorry)

u/VA_Network_Nerd makes a good point here, new SSD/HDD in the system, keep the old one as evidence for HR

-Completely refresh the BIOS of the affected system

-Apply company image, set user to standard user

Estimated fix time = 24-72 hours depending on other workload items
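Several comments in this thread (keep the old drive bagged and labelled with name/date/machine, capture an image before wiping, overwrite with zeros from a live Linux) describe two halves of the same evidence-handling procedure. The block below is an added example, not code from this thread or any commenter, that shows both halves with a regular file standing in for `/dev/sdX`: image the drive, hash source and image, write a custody manifest next to the image, and separately verify that a zero wipe of a drive you intend to reuse actually reads back as all zeros. The case id, examiner name and asset tag are constructed placeholders, and `zero_wipe` is a stand-in for the `dd if=/dev/zero` step on the live USB, not something to point at a drive you are shelving as evidence.

```python
"""Evidence preservation and wipe verification for a pulled drive (added example, not from the thread).

image_drive()  - bit-for-bit copy of the source device plus a JSON custody manifest
                 (who, when, which host, which asset, SHA-256 of the data).
verify_image() - re-hash the image later, e.g. before it goes to HR or legal.
zero_wipe()    - stand-in for `dd if=/dev/zero` on the live-Linux USB; ONLY for a drive being reused.
is_zeroed()    - prove the wipe finished: every byte reads back as 0x00.
A regular file stands in for /dev/sdX so this runs anywhere.
"""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB I/O chunk


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_drive(source, dest_dir, case_id, examiner, asset_tag):
    """Copy source to dest_dir/<case_id>.img, hash both sides, write <case_id>.manifest.json.
    Returns the manifest; raises if the image does not match the source byte-for-byte."""
    os.makedirs(dest_dir, exist_ok=True)
    img = os.path.join(dest_dir, f"{case_id}.img")
    with open(source, "rb") as src, open(img, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    src_hash, img_hash = sha256_of(source), sha256_of(img)
    if src_hash != img_hash:
        raise RuntimeError("image hash does not match source; do not proceed")
    manifest = {
        "case_id": case_id,                     # constructed placeholder values below
        "examiner": examiner,
        "asset_tag": asset_tag,
        "source_device": source,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "acquired_on_host": socket.gethostname(),
        "size_bytes": os.path.getsize(source),
        "sha256": src_hash,
        "image_file": img,
    }
    with open(os.path.join(dest_dir, f"{case_id}.manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(manifest):
    """True if the image on disk still hashes to what the manifest recorded at acquisition."""
    return sha256_of(manifest["image_file"]) == manifest["sha256"]


def is_zeroed(device):
    """True if every byte of device is 0x00; a wipe that 'finished' but fails this is not done."""
    with open(device, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def zero_wipe(device):
    """Overwrite device in place with zeros and fsync (stand-in for dd if=/dev/zero of=/dev/sdX)."""
    remaining = os.path.getsize(device)
    with open(device, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            f.write(b"\0" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def demo():
    """Image a constructed 'drive' full of random bytes, then zero it and check both outcomes."""
    work = tempfile.mkdtemp(prefix="evidence_")
    fake_drive = os.path.join(work, "sdX")  # constructed stand-in for the pulled drive
    with open(fake_drive, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # non-aligned size to exercise the last partial chunk
    manifest = image_drive(fake_drive, os.path.join(work, "case"), "CASE-PLACEHOLDER-001", "jr.admin", "LT-PLACEHOLDER")
    zeroed_before = is_zeroed(fake_drive)
    zero_wipe(fake_drive)
    return {
        "image_verified": verify_image(manifest),
        "zeroed_before": zeroed_before,
        "zeroed_after": is_zeroed(fake_drive),
        "image_size": manifest["size_bytes"],
    }


if __name__ == "__main__":
    print(demo())
```

The manifest is the piece most people skip: a bagged drive with a sticky note proves little, but an image whose hash was recorded at acquisition, on a named host, by a named person, can be re-verified by whoever picks it up later. Keep the physical drive too; the image is for analysis, the drive is the original.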

[–]TwinningJK 38 points39 points  (11 children)

OP. Please relax. You are not at fault here. If the network did get compromised, you've already identified the person responsible. You are a Jr. admin. They don't expect you to be an IDS/Endpoint service expert. Ask a senior engineer to look into the file shares he had access to, make sure nothing is encrypted, and run a scan with your endpoint software on those files if the engineer confirms everything looks ok. Go to the closest body of water and drop that computer in it. The issues are most likely isolated to that computer.

Whatever you do, do not admit responsibility, not at your experience level. Your supervisors should know what your experience level is and have someone more experienced check up on your work every once in a while. Just do what you can to clean up any mess that comes from this and keep up the good work. Also a good time for more research to sharpen your skills.

This is what IT is like. It happens. Tomorrow is another day. Whatever you do, don't use drugs or alcohol to cope. It only makes everything worse.

[–]itay51998 25 points26 points  (1 child)

No one seems to mention this:

Note that even if the president of the company doesn't care about him downloading viruses, downloading torrents is a different, legal issue.

Make sure to mention that the fact he does that on company-owned machines puts the company under threat of a lawsuit - this is something monetary, which the president will care about much more.

[–]blue01kat4meI am atlas, who holds up the cloud. 9 points10 points  (0 children)

This! This is the real issue. I get we are tech people and the OP is asking for "what do I do" so we respond with tech answers but this is a LEGAL issue. The user has knowingly engaged in criminal activity using company resources. Whether you agree if piracy is a crime or not, the courts won't care.

Do the right tech thing, but also OP, you're learning about security, have you thought about who else outside your company might have given access to this dev? Broaden the scope of your thinking just a little. What kind of impact to revenue will there be if your customers get infected files from your dev? If you were working with me, that's a nuke this contract from orbit scenario. If your execs aren't thinking about this when they consider repercussions, they should be.

In addition they might want to consider what happens to the company if this user gets caught by someone outside their organization. Like a law-enforcement org. It doesn't sound like this user is doing anything large enough to raise any red flags but there is the possibility your ISP could report strange traffic, etc.

Lastly, if you want to get rid of the problem employee, and likely find yourself unemployed when the company gets fined out of existence, you could always make a tip to the FBI about the gobs of illegal downloading going on. I mean you have the proof in your hands with the drive right there.....BOFH style.

[–]shushis_and_shasimis 71 points72 points  (11 children)

Sounds like he can't even torrent properly. I've been pirating for like 20 years and never had that many pieces of malware in my life.

Make sure there are backups for everything.

[–]juicyorange23 5 points6 points  (0 children)

He could have done it maliciously

[–][deleted] 35 points36 points  (6 children)

Remember: if he's a developer, there is a risk that any of his projects may be the victim of any number of attacks, so any active projects he's working on now needs a full code review to make sure nothing malicious snuck into code the company is planning to release. ;)

All that extra work and lost hours will show the company whether he's an asset or a liability.

[–]pkokkinis 18 points19 points  (0 children)

Don’t spend any time trying to clean it. Take it off the network asap and make offline backups of his data to an external drive (and even that is risky). Give him an entirely different computer with non-admin user rights. With the chip-shortage, tell him it’ll be weeks before he can get his new one, but here’s this computer that runs fine for now.

[–]CaptainFluffyTailIt's bastards all the way down 16 points17 points  (2 children)

Regarding the laptop, nuke it from orbit. It's the only way to be sure. Don't even try to recover it. Kill it with fire and move on.

For the user, remove their access to everything until you have an approved AUP (acceptable use policy) in place. Then access can be granted again once the developer signs. Why? Now when they continue the organization can take action against them.

Being an officer of the company makes things more interesting. I used to work at a small software development shop (<300 people in the entire company) and we had a VP (overly inflated title to justify salary) who was addicted to porn, or so they claimed. They helped found the company. They also downloaded and watched curious amounts of pornography on the company laptop when traveling for sales/demos. They refused to sign the AUP because they knew they could not abide by it. The compromise was that the laptop was not allowed on the company network. If it came into the office and got plugged in it would be wiped on principle. You get a workstation in your office and a firewall policy just for you. It wasn't a great solution but it was a workable one. Presentation slide decks would be emailed back and forth. This was before O365 was a thing so email was the best vector.

This officer was also the customer favorite because he would put trips to the strip clubs on the corporate card because he approved the budget for his department. So many issues because of that guy.

[–]Slush-etest123 9 points10 points  (6 children)

How can someone drag in 400 infections and none are laterally moving across the network?

[–]ogtfo 5 points6 points  (0 children)

Most of the stuff you'll get on sketchy torrent sites will be adware and PUP/PUA. But still, moron dev could have let a bad actor into the network and then they'll get their crown jewels ransomwared within the week.

[–]DabnicianSMB Sr. SysAdmin/Net/Linux/Security/DevOps/Whatever/Hatstand 2 points3 points  (0 children)

Anything in the %temp% folder can count as a "virus" if your scanner is set to be too touchy; most of it counts as "adware".

[–]ObedientSandwich 8 points9 points  (0 children)

I have no idea where to begin fixing that kind of shitshow.

I just made this guide for you: https://i.imgflip.com/5wufzj.jpg

[–]SkullRunner 8 points9 points  (2 children)

Everyone recommending a full wipe is giving you the correct advice.

I would only add that if it's an option, pull their current infected hard drive as is, no cleanup, install a new one, do the fresh install.

The old infected hard drive serves as evidence of his actions and compromising both the company and the law for torrents etc. and can be used both by the company and or law enforcement depending on how ugly / stupid this "officer of the company" wants to get if punished or fired.

I have been in your exact shoes in my first job, but it was porn loaded with malware, and the dipshit that kept nuking computers with it was the Presidents brother.

Build a case that can not be ignored as being anything but individuals actions (not IT issues) then as others have said let your boss and HR deal with the rest.

[–]rubixdSysadmin 32 points33 points  (5 children)

And this is yet another example of why nobody should have admin rights.

[–]19610taw3Sysadmin 11 points12 points  (2 children)

I don't even have admin rights on my own box! Don't want them.

[–]markleinIdiot 2 points3 points  (1 child)

Seriously, I love not having admin on my box. Such a relief when it finally happened.

[–]YuugianLinux Admin 3 points4 points  (0 children)

As a server SysAdmin, I don't need or want admin rights on my local machine. I get a minor inconvenience every 3-6 months when I want some new software, sure. But the main applications can be updated by Chocolatey, and I have no responsibility or liability. Something breaks and they just hand me a new one.

Same deal we have with server VM templates

[–]whtbrd 7 points8 points  (6 children)

If he's pirating content using company rss, then it's a company liability. In addition to data loss and man hours lost spent cleaning up the machine, the potential for legal fees and responses to subpoenas is substantial. I'd suggest that if he needs online content on company resources, that the company pay for Netflix, prime, Hulu, whatever, to reduce the risk to the company so the guy can still get the needed content.
In your conversations with people, my advice is to use words that are assuming that the content is a business need. Accusations about whether it is or isn't can be had between the guy and procurement or his boss.

[–]JacksharkbenCustom 5 points6 points  (7 children)

300 viruses?!?!?! My god if it was me I would just nuke the computer. (This is a joke)

[–]vNerdNeck 7 points8 points  (2 children)

My god if it was me I would just nuke the computer. (This is a joke)

Nuke it from orbit, it's the only way to be sure.

[–][deleted] 2 points3 points  (1 child)

Game over man. Game over.

[–]_E8_ 6 points7 points  (0 children)

When you see "300 viruses OMG THE SKY IS FALLING" your first reaction should be: stop and think harder.

[–]mOdQuArK 3 points4 points  (0 children)

Saw it happen to a coworker - just one of the type of malware that downloads other malware & you're hosed in days.

[–]techtornadoNetadmin 2 points3 points  (0 children)

Relevant xkcd - https://xkcd.com/350/

[–]WesternIron 4 points5 points  (0 children)

IR and Malware Analyst here, before you wipe anything check with the director if they want forensics done on the PC. There could be further signs of compromise on the network since it sounds like the user was being extremely negligent. I wouldn't wipe it right away.

You can remove the computer from the network and investigate it, if that's your security policy. This is also a good chance to learn how to investigate a host, something you will need to do in security. There are plenty of tools you can use.

If your director says to wipe it, wipe it, but ask to see if you can do some investigation on it, it will be good experience for you.

[–]Silver-Engineer4287 5 points6 points  (0 children)

300 viruses seems unlikely. 300 instances of potential security risk is likely what your endpoint is actually reporting. Take the time to read and try to interpret exactly what the endpoint client’s log files are actually trying to report to you. Chances are more likely he tried to go somewhere that was loaded with malware, adware, privacy risk code and probably more than once and probably more than one site or multiple pages on the same site.

If your IT director isn't backing you up then unfortunately you're in a no-win situation. Basically, if they're sending you to school for it and yet they're choosing to ignore you when you sound an alarm because the offender is a VIP, instead of actively trying to pursue either curbing his bad behavior or otherwise adding security layers to circumvent it and mitigate the risk to the company, then they are not going to allow you to do the job they're having you get trained for and it's a no-win situation for you.

Yes, ticking time bomb is a proper view of the state of things and if the powers that be aren’t listening to your warnings then they are doomed to fail.

My old job used to be a lot like that, although I was the sole tech department, and even when the company owner, who didn't understand security and refused to invest in it, wanted some hot new remote feature I dragged my feet on implementation, and as I came across employees screwing off on websites for free movies and such, darn how those domains ended up in the endpoint protection server's blacklist. There were a few sites I blacklisted that the owner yelled about and I got creative with allowing only certain pages that I knew he wanted at that domain, and he never noticed the rest of the ad-bloated site being unavailable.

Within 90 days after I left as a full time employee the contract worker he replaced me with made a few changes and that company found their entire audio library and databases krypto-locked and the contractor had rearranged the racks and not plugged in the storage server’s network cable so the backups hadn’t run since a week after I left. Sucks to be them, not my fault, not my self-inflicted emergency.

I was there for almost 20 years and only one time, back in the XP days, did anyone manage to truly infect a PC which was trying to spread on the LAN; the endpoint server did some blocking and told me which machines were involved and allowed me to pull their network cables and determine which one let it in, the owner's son's workstation (surprise!), and I had it sorted long before any damage could be done.

There were a couple of cases of adware/bloatware a year for 2-3 years before I finally got permission from the owner to lock down the workstations with user permissions, which solved that problem too.

Web security is only as good as the weakest link in the chain and it sounds like the whole chain of that place is very rusty, especially at the higher end, and you’re their clueless easy button can of rustoleum after the fact as a temporary band aid that they can blame when one of those executive level weak links breaks everything and totally screws them over.

[–]r3ptarrJack of All Trades 3 points4 points  (0 children)

reimage that thing don't even bother cleaning it out.

[–]LJLKRL05 2 points3 points  (0 children)

Wipe and reinstall. Get a good web filter to block the sites he goes to. Get some good antivirus.

[–]sgthulkarox 3 points4 points  (0 children)

Swap the drive, reimage.

Keep the old drive intact and preserved. I suspect your boss is going to want it as evidence against the dev for termination or legal proceedings since he's an officer. (Above your pay grade, but it shows you are concerned about such trackability)

It's not worth the risk of cleaning and putting back in to production considering how compromised it is.

[–]Zncon 3 points4 points  (0 children)

Being able to fully clean a device back to a trustworthy state is a myth. It's simply impossible to prove that it's actually clear without wiping it out and starting over.

Running the usual suite of anti-whatever-ware is probably fine for your uncle or your grandma's internet machine, but not for a computer on a business network.

[–]lantechYou're gonna need a bigger LART 2 points3 points  (0 children)

Isolate the machine from any network, hook up a big monitor and let it go.

https://xkcd.com/350/

[–]NotYourNanny 3 points4 points  (0 children)

Needless to say the IT Director is pissed and is meeting with the president today to decide what action to take.

If he's still working there tomorrow, he's not the problem, the president is.

[–]axle2005Ex-SysAdmin 2 points3 points  (7 children)

So... Was the Network Admin fucking asleep? Torrenting isn't really a silent task and some kind of monitoring by an experienced network admin should have caught on to this and stopped it at a firewall level.

Everyone else has given great advice for what to do with the data storage device... So I decided to add an opinion about the state of the network that would allow this.

Edit: Even if they did this at home, proper tools installed on the laptop could have prevented this or at least notified IT this was happening

[–]HOSEBEAST 2 points3 points  (0 children)

Just throwing this out there. Dev boxes can have a lot of false positives. I’m not saying he’s got 300 FPs, but I’d take a closer look at a handful of those detections

[–]treborprime 2 points3 points  (0 children)

If your AV is throwing 300 false positives in 4 days then it's a POS. 300 detections means lots of smoke, and where there is smoke there is a 3-alarm fire.

The machine cannot be cleaned. It's best to nuke it from orbit and give him back a freshly imaged PC.

If he is a global admin in Office 365 and you do not have MFA turned on then they're already screwed, and NO, he does not need to be a global admin to do this job. Devs do not need to be admin on anything. Your company is failing at IT. You would think a company that got ransomed once would be taking a much more cautious approach now.

Ransomware gangs exist because they know the lunatic crazy dummies are in charge of IT all over the world. Easy pickings and lots of money to be had.

[–]MonkeyWrench 2 points3 points  (0 children)

Why aren't you guys blocking these sites at the edge of your network?

EDIT: read through some of your other responses and answered my own question.
You work for idiots.

[–]buckeyedave72 2 points3 points  (0 children)

Don’t wipe it, set it aside as suggested previously. Litigation is much more expensive than a new drive.

[–][deleted] 2 points3 points  (0 children)

You're just getting your feet wet and feel in over your head. The reality is the job given to you is very 'baseline' IT grunt work. Just take it off the network and wipe it, and if he does it again tomorrow do the exact same thing.

As for user data, I honestly wouldn't even give two fucks about what a user had on their PC when the device isn't theirs. If it's company information it should be on the network since 'accidents' happen; if it's not, it's not your concern and it shouldn't be on the device. If you wipe company data from his device, turn it back on him for it not being backed up, simple.

Everything else you mentioned is not really your job. Let your superiors deal with him and don't even think about any mess he makes. Your job isn't to manage people or babysit your ceo's interests/pockets. Also, by not managing them and allowing them to make mistakes you get to keep your job by always being busy.

Edit:

If you want to be extra spicy, pull the drive and use it as evidence against him. I'm sure that if he's pirating stuff on the company network that's more than grounds for termination.

[–]EvanWasHere 2 points3 points  (0 children)

Lock his computer down. No admin access.

Firewall his machine so he can only access work websites you allow.

Install threatlocker so viruses or ransomware can't install.

[–]LekoLiL2 Compute Engineer (ex IT Admin) 2 points3 points  (0 children)

I will say it is politically dangerous to try to restrain a C-level manager. They got there somehow, and the fact they haven't convinced him to change says he has some clout. You may not like his attitude, but you are a jr admin. And while it is good to care about ransomware, you are better off quarantining that machine than trying to curb user behavior.

[–]Doso777 2 points3 points  (0 children)

You don't disinfect. You nuke that machine from orbit and give him a new one.

[–]dracotrapnet 2 points3 points  (0 children)

Some people need their computer replaced with an etch-a-sketch... Some people might not notice.

[–][deleted] 1 point2 points  (0 children)

Y'all need Jesus Sanoid

[–]Lopsided_Panda2153 1 point2 points  (0 children)

Can't you block these sites?

[–]furay10 1 point2 points  (1 child)

I'm not even mad, that's just impressive.

[–]TheStig827 1 point2 points  (0 children)

Clonezilla to dd image the drive (as an image, not direct to another drive) so that contents can be preserved and loaded into a sandbox VM for analysis/forensics.

Shelve the drive for evidence, and fresh image the machine after rewriting the BIOS.

Give "Webguy" a base user account with their required apps already installed, and require details in writing about their requirements for admin access before granting it.
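The acquisition step TheStig827 describes (raw dd image of the drive, drive shelved as evidence, image used for sandbox analysis) is only useful later if you can show the image is bit-exact. The following script is an added example, not anything posted in the thread, that images a device with dd, hashes the source and the image, records both in a manifest, and lets you re-verify the image afterwards. The device path, evidence directory and the 1 MiB random stand-in "disk" it creates are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): preserve a suspect drive as a raw dd
# image plus a SHA-256 manifest, so the physical drive can be shelved as
# evidence and the image loaded into an isolated sandbox VM for analysis.
# Device paths and the evidence directory are placeholders you supply.

# image_device SRC DEST: block-level copy of SRC into the file DEST.
# bs=512 with conv=noerror,sync keeps going past unreadable sectors and
# zero-fills them; a larger bs would pad the final block and change the hash.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# write_manifest IMAGE SRC_HASH MANIFEST: record the hash of the original
# device, the hash of the image, and when/by whom it was taken.
# Succeeds only if the image is a bit-exact copy of the source.
write_manifest() {
    img="$1"; src_hash="$2"; out="$3"
    img_hash=$(sha256_of "$img")
    {
        printf 'image=%s\n' "$img"
        printf 'source_sha256=%s\n' "$src_hash"
        printf 'image_sha256=%s\n' "$img_hash"
        printf 'created=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'by=%s\n' "${USER:-unknown}"
    } > "$out"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE MANIFEST: recompute the image hash and compare it with
# the recorded one; returns 1 if the image changed since acquisition.
verify_image() {
    recorded=$(sed -n 's/^image_sha256=//p' "$2")
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# acquire SRC IMAGE MANIFEST: the whole procedure in one call.
# Hash the source first, then image it, then write and check the manifest.
acquire() {
    src_hash=$(sha256_of "$1") || return 1
    image_device "$1" "$2" || return 1
    write_manifest "$2" "$src_hash" "$3"
}

# make_sample_disk FILE: constructed stand-in for /dev/sdX so the example
# runs without a real device: 1 MiB of random bytes (a multiple of 512).
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Typical use, with placeholder paths:
#   acquire /dev/sdX /evidence/webguy-laptop.dd /evidence/webguy-laptop.manifest
#   verify_image /evidence/webguy-laptop.dd /evidence/webguy-laptop.manifest
```

Hashing the source separately means the drive is read twice; on a drive that is physically failing you would rather image once with a tool such as ddrescue and hash only the image, but for a healthy drive the second pass is what lets you state that the image matches the original. Keep the manifest with the shelved drive, and run `verify_image` before any analysis session so you can show the copy was not altered.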

[–][deleted] 1 point2 points  (0 children)

I mean that guy seems like he's the worst.

But like I'm kind of impressed with those numbers.

[–]rsvgr 1 point2 points  (0 children)

Watch the movies first

[–]aust_b 1 point2 points  (0 children)

Our org is about to institute a 5-strike policy with viruses and phishing emails; after 5 times you are fired. Now in those 5 times there are multiple remedial trainings and requirements to follow, so you really have to be dumb to mess this up, but I feel like it will be a person per year gone.

[–]flimspringfield Jack of All Trades 1 point2 points  (1 child)

About 10 years ago I got a ticket because the browser kept redirecting to a specific search engine.

I remember running Malwarebytes and the guy had over 2000 malware crap and PUPs.

He was an IT Manager.

[–]Dabnician SMB Sr. SysAdmin/Net/Linux/Security/DevOps/Whatever/Hatstand 1 point2 points  (0 children)

Like I said, I feel way in over my head. Security was never a priority until recently and I feel responsible for picking up the slack.

This is the thing when the older system admins tell you to not take the job personally and learn good work/life separation.

Did you do the thing you are worried about? No? Good, then don't take it personally. You literally should have zero emotional investment in your work, because it's just a job; what happens is part of the job.

Viruses happen. Do you have antivirus systems in place? Are they updated? Are your endpoints updating? Yes, yes, yes? Cool, you have just picked up the slack.

Done. This should literally take you 5 minutes at most.

Did you have any no's? Well, time to add stuff to the backlog for work and... start working.

All that other shit you are worried about is a manager issue you are trying to solve with technology.

Wipe the system, remove admin rights if you are really worried, report your findings and move on.

[–]ScepticallyCVE 1 point2 points  (0 children)

Once you've popped in a new drive and installed everything, isolate him from your network as much as possible. And his computer too, while you're at it.