Conficker: Should steps taken in group policy to secure against virus remain?

windows malware group-policy

We got nailed two weeks ago by Conficker, I ran through the 26 step checklist from Mircrosoft on my own computer, as well as on our domain server. It says near the end to reverse all the changes, but I kinda like the changes (Disables Autorun and some other settings).

Is there anything in that fix that'll come back to haunt me down the road?

Also, maybe the group policy never took effect, I couldn't quite tell. Do your policies have to be placed on computers or users (or does it matter?) for this fix?


Can you scale back your protections against Conficker?

The article you linked has a lot of good practice, that in my humble opinion, you should keep. Isolating old hosts from the evil internet, having your boxes patched with up to date AV, and keeping AutoRun disabled are good ideas. Strong password rules with regular rotations is probably the most controversial change if you're not doing it already since it will require institutional changes. But auto-patching has been default behavior in Windows since WinXP SP2 and auto-run defaulting to off will be in Win7.

Whether it's time to deactivate the group policy is going to be based on whether you feel you still have potetially infected systems in your environment. If you rebuilt and patched everything, it might be time.


Yes, there are some group policies which help stop Conficker from spreading.

There is a Microsoft support article: Virus alert about the Win32/Conficker.B worm. Look for the "Prevention" section.

This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Conficker.b variant" section of this Knowledge Base article to manually remove the malware from the system.


If you want a good protection against Conficker, you can configure you computer or router to use OpenDNS. They maintain a list of site that spread conficker and block them right away.

You can also block many other things with it like a majority of spyware site, scam, phishing etc...

This is very useful and it add a major security layer on your network.

Related

possible SYN flooding on port 80. Sending cookies
Apache RewriteMap with URLs containing space doesn't work
How to whitelist a user agent for nginx?
When a VirtualBox VM's Adapter is set to NAT can a VM access the Host computer?
Is there a license / royalty free DRM available for protecting and distributing content? [closed]
Why is it that 32bit Windows XP can only address 3GB [duplicate]
Recovering files from laptop with XP that won't boot
How can I install the Linux version of USBView (the USB device viewer)?
BSOD trying to migrate Windows XP from a physical to a virtual machine
How to host different machines with different subdomains?
Under Mac OS X, can I choose to use the Wireless connection for some specific traffic and the Wired connection for the rest?
How to find disk usage of folders in Windows [duplicate]