5 FAH-2 H-860 ANTIVIRUS PROGRAM
(CT:TEL-68; 06-25-2018)
(Office of Origin: IRM/OPS/ITI/SI)
5 FAH-2 H-861 POLICY
(CT:TEL-68; 06-25-2018)
a. In accordance with 12 FAM 600, all Department
information systems must be protected with approved virus detection and
prevention programs. IRM/FO/ITI/SI/IIB
(Systems Integrity Division, Information Integrity Branch) provides antivirus
software and documentation to all bureaus and field posts free of charge. The
Setup and Installation Procedures Handbook, included with the software, answers
procedural questions about installation. Contact IRM/FO/ITI/SI/IIB at (202) 203-5172 or visit the Virus
Incident Response Team Web site for more information.
b. Employees and contract personnel may obtain
antivirus software from their domestic bureau or post's systems office for home
usage to prevent malicious code from migrating to the office environment. Home
use of antivirus software procured by the Department is only authorized for
Department of State employees. When employment is terminated, the software
must be removed. Diplomatic privilege and various host-country custom laws may
prohibit locally employed staff (LES) or third-country nationals (TCNs) from
installing Department of State-procured antivirus software on privately owned
PCs. Also, vendor contracts sometimes require country-custom review. If not
prohibited by host-country law, copies of antivirus software may be requested
for FSN/TCN use through the antivirus program. See the Virus Incident Response
Team's Cables Help Guide Web page. Licensing, reproduction, and distribution
of antivirus software for domestic and post usage abroad are the responsibility
of the antivirus program staff, IRM/FO/ITI/SI/IIB.
Information Programs Center (IPC) personnel must install and update antivirus
software on all computers maintained by the IPC (i.e., TEMPEST computers and
non-TEMPEST classified computers within controlled access areas [CAAs]).
5 FAH-2 H-862 UNCLASSIFIED SYSTEMS
(CT:TEL-37; 08-30-2013)
a. IRM's Antivirus Program Office, Virus Incident
Response Team (VIRT), automatically updates antivirus definitions to enterprise
(i.e., OpenNet and ClassNet) machines on a daily basis. Each post/site/bureau
is required to have a group update provider (GUP) assigned to properly receive
the updated signature files. A GUP can be a workstation or a server.
b. Unclassified, non-networked, standalone computers
(i.e., not connected to any other computer) may be updated by downloading the
most current signature file from the antivirus website or the software vendor's
website on the Internet. The signature file should be copied to removable
media that contains no sensitive information. The local computer hard drive
and removable media containing the signature files must be scanned prior to use
on any other Department computer. Scanned removable media may be used to copy
the signature update files to other unclassified standalone computers.
c. Unclassified networked computers not connected to
OpenNet (i.e., laptops or computers on a dedicated Internet network (DIN)), or
access to the Internet may be updated as stated or automatically from the
vendor's website in the same manner recommended for home users. At critical technical
and/or HUMINT threat posts, consult 5 FAH-2 H-863,
Classified Systems.
5 FAH-2 H-863 CLASSIFIED SYSTEMS
(CT:TEL-68; 06-25-2018)
Downloading of updated virus signature files from the
Internet or Internet-based bulletin boards for classified systems is
strictly prohibited. Virus signature files and software updates for
Department-approved antivirus applications must be downloaded from the Intranet
AV Website link for use on classified systems or for unclassified systems at critical
technical and/or HUMINT threat posts. File transfers to classified systems
must be done in accordance with 12 FAH-10 H-410.
For all posts abroad, IRM/FO/ITI/SI will
send original program and updated antivirus signature files via classified
pouch in the care of the information programs officer (IPO), information management
officer (IMO), or a cleared U.S. citizen employee. Upon use, the Department-supplied
AV media must be labeled with the highest classification of information
processed on the classified system and cannot be returned for unclassified use.
5 FAH-2 H-864 VIRUS INCIDENT REPORTING
(CT:TEL-37; 08-30-2013)
If a virus is discovered, send a report via email to virus2@state.gov
and VIRUS@state.sgov.gov (classified) and a courtesy copy to the Computer
Incident Response Team (CIRT) DS/CS/MIRD CIRT at CIRT@state.gov or cirt@state.sgov.gov.
The report should include the following:
(1) Name of virus and occurrences;
(2) Location of computer/network (bureau, post, or
office);
(3) Origin of virus infection;
(4) Infected equipment type (standalone
equipment/devices, networked equipment/device, or peripheral, e.g., thumb
drives, CDs, etc.);
(5) Type of software used to eradicate the virus:
(a) Specific application version (e.g., SEP or ScanMail);
(b) Signature file installed (date and/or sequence number);
and
(c) Scan engine installed (date and/or sequence number);
(6) Losses incurred (defined as loss of equipment,
software, or computer system downtime);
(7) Point of contact for follow-up support; and
(8) Remarks.
5 FAH-2 H-865 THROUGH H-869 UNASSIGNED