EH-Net
  Show Posts
Pages: 1 ... 36 37 [38] 39 40 41
556  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Anti-Keylogger software? on: August 07, 2011, 09:03:24 PM
Win XP or Win7? Ad-Aware is great for detecting adware/spyware-related threats but may not detect more advanced programs. I've never actually used Avast. I currently use NOD32 and that runs pretty well; they have 2 flavors, Internet Suite and their AV only. Windows 7's firewall is decent enough. It has much more advanced features than the standard XP firewall. With keyloggers you really want to watch the traffic going out; it's one thing if they are just logging, but if you see traffic leaving your system when you have nothing running, well then you've got a problem.

Standard XP firewall doesn't offer much other than inbound traffic exceptions. Get hold of RawDump or Wireshark and get a scan of your traffic when nothing is running. Wireshark will give you a nice live feed of the data as it is happening.

Also, for future preventive measures, you can work with this PowerShell script that will copy a new hosts file to your system with a blacklist of bad domains.

http://www.sans.org/windows-security/2010/09/14/hosts-file-block-domains

Oh, back to AV: Microsoft's free AV, MS Security Essentials, is pretty decent; I've had it catch bad stuff where others have not. And it's free for non-commercial use.

Good luck!
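The post above points at a script that drops a new hosts file with a blacklist of bad domains. The following is an added example, not the SANS script the post links to and not code from the poster, showing what such a hosts-file blacklist does mechanically: every listed name is mapped to an unroutable sink address so lookups fail locally, names the machine already maps (localhost, an intranet host) are never overwritten, malformed entries are rejected, and a marker block keeps re-runs from stacking duplicates. The existing hosts content, the `SINK_ADDRESS` choice of `0.0.0.0`, the marker strings and the blacklist entries are all constructed for the example.

```python
"""Generate a blocking hosts file from a domain blacklist.

Added illustration of what a hosts-file blacklist does; this is not the
SANS PowerShell script linked in the post. The existing hosts content and
the blacklist entries below are constructed sample data.
"""
import re
from typing import Iterable, List, Optional

# One hostname label: letters/digits, optional inner hyphens, at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")

SINK_ADDRESS = "0.0.0.0"          # unroutable sink; connection attempts fail at once
BEGIN_MARK = "# BEGIN DOMAIN BLACKLIST"   # markers are this example's convention
END_MARK = "# END DOMAIN BLACKLIST"


def normalize_domain(raw: str) -> Optional[str]:
    """Strip comments/whitespace, lower-case, and reject malformed names."""
    name = raw.split("#", 1)[0].strip().lower().rstrip(".")
    if not name or len(name) > 253 or not _HOSTNAME_RE.match(name):
        return None
    return name


def strip_old_block(existing: str) -> List[str]:
    """Drop a previously generated blacklist block so re-runs do not stack."""
    kept, inside = [], False
    for line in existing.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            inside = True
        elif stripped == END_MARK:
            inside = False
        elif not inside:
            kept.append(line)
    return kept


def build_hosts_file(existing: str, blacklist: Iterable[str]) -> str:
    """Return new hosts content: the original entries plus a sorted sink block."""
    kept = strip_old_block(existing)
    # Names the machine already maps (localhost, intranet hosts) must never be sunk.
    protected = set()
    for line in kept:
        fields = line.split("#", 1)[0].split()
        protected.update(f.lower() for f in fields[1:])
    domains = set()
    for raw in blacklist:
        name = normalize_domain(raw)
        if name and name not in protected:
            domains.add(name)
    block = [BEGIN_MARK] + [f"{SINK_ADDRESS} {d}" for d in sorted(domains)] + [END_MARK]
    return "\n".join(kept + block) + "\n"


# Constructed sample input (not real data).
EXISTING_HOSTS = """# constructed hosts file
127.0.0.1 localhost
10.0.0.5 intranet.example.org
"""
SAMPLE_BLACKLIST = [
    "ads.example.net",
    "Tracker.Example.ORG    # mixed case and a trailing comment",
    "bad host.example",       # invalid: contains a space
    "intranet.example.org",   # already mapped locally; must not be sunk
    "ads.example.net",        # duplicate
]

if __name__ == "__main__":
    print(build_hosts_file(EXISTING_HOSTS, SAMPLE_BLACKLIST), end="")
```

Running it prints the original two mappings followed by a marker-delimited block with exactly two sink entries; feeding the output back in produces the same file again.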
557  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Anti-Keylogger software? on: August 07, 2011, 09:42:14 AM
Came across this site: http://seussbeta.tripod.com/data.html; it might be of some use.
558  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Anti-Keylogger software? on: August 07, 2011, 09:14:54 AM
Are you looking to detect it? Most current AV software should pick up on it unless the attacker buried it in a rootkit with anti-AV measures. Most enterprise installs of AV contain heuristic scanning which can sometimes pick up on them. Also, are you looking to detect physical keylogging devices? You may also want to look into some rootkit detection software (RootkitRevealer comes to mind). It might pick up on rootkits that may be hiding keyloggers.

Another way to try to detect it is by utilizing more advanced firewall rules. Be sure to block outgoing traffic; you might even want to do a block-all on the specific system and let all traffic hit the wall. Run a local packet sniffer on the interface (RawDump is nifty, or Wireshark). That way you can see if any apps are trying to send out traffic even though you have nothing open. It's not the keylogger that is the troubling part, but the data it is sending.

Hope this helps. Now you've got me a little more curious on the topic...
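Both replies in this thread come down to the same check: with nothing open, look at what is still talking to the outside and which process owns it. The block below is an added example (not the poster's code and not a wrapper around any real tool) of that check over a `netstat -ano`-shaped listing. The listing, the PID-to-process map, the `IDLE_BASELINE` of processes expected to talk while the box is idle, and the `LOCAL_NETS` list of the machine's own subnets are all constructed; on a real machine the listing and process map would be captured from the system, and the baseline is whatever the analyst has verified as normal for that host.

```python
"""Flag outbound connections from processes outside an 'idle' baseline.

Added example of the approach the post describes (watching what leaves the
machine while nothing is running). The netstat-style listing, PID-to-process
map, baseline and local-subnet list are constructed; nothing here runs
netstat or reads a live process table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str      # empty for UDP, which has no state column
    pid: int


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -ano`-shaped lines; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Connection(proto, local, remote, state, int(pid)))
    return conns


def remote_host(endpoint: str) -> str:
    """'203.0.113.5:443' -> '203.0.113.5'; '[fe80::1]:546' -> 'fe80::1'; '*:*' -> '*'."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def is_external(endpoint: str, local_nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """True when the peer is neither a wildcard, a local-scope address,
    nor inside one of this machine's own subnets."""
    try:
        addr = ipaddress.ip_address(remote_host(endpoint))
    except ValueError:
        return False            # '*' or anything unparsable
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified or addr.is_multicast:
        return False
    return not any(addr in net for net in local_nets)


def unexpected_outbound(conns: List[Connection], pid_to_name: Dict[int, str],
                        baseline: Set[str],
                        local_nets: Sequence[ipaddress.IPv4Network]) -> List[Connection]:
    """Connections to external hosts whose owning process is not in the baseline."""
    flagged = []
    for c in conns:
        if c.proto == "TCP" and c.state not in ("ESTABLISHED", "SYN_SENT"):
            continue            # listening/closing sockets are not data leaving the box
        if not is_external(c.remote, local_nets):
            continue
        name = pid_to_name.get(c.pid, f"<unknown pid {c.pid}>").lower()
        if name not in baseline:
            flagged.append(c)
    return flagged


# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.0.10:49321     203.0.113.5:443        ESTABLISHED     2044
  TCP    192.168.0.10:49330     192.168.0.1:80         ESTABLISHED     2044
  TCP    192.168.0.10:49402     198.51.100.77:8080     ESTABLISHED     3172
  TCP    127.0.0.1:49155        127.0.0.1:49156        ESTABLISHED     1200
  UDP    192.168.0.10:137       *:*                                    4
"""
SAMPLE_PROCESSES: Dict[int, str] = {
    812: "svchost.exe", 2044: "iexplore.exe", 3172: "updater_helper.exe",
    1200: "outlook.exe", 4: "System",
}
# Processes the analyst has verified as normal talkers on this host (lower-case).
IDLE_BASELINE: Set[str] = {"svchost.exe", "system", "iexplore.exe"}
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]

if __name__ == "__main__":
    for c in unexpected_outbound(parse_netstat(SAMPLE_NETSTAT),
                                 SAMPLE_PROCESSES, IDLE_BASELINE, LOCAL_NETS):
        print(f"pid {c.pid} ({SAMPLE_PROCESSES.get(c.pid, '?')}) -> {c.remote}")
```

Only the connection owned by PID 3172 is reported: the proxy-to-LAN and loopback sockets are not egress, the listening socket carries nothing, and the browser's session is covered by the baseline. The list is a review queue, not a verdict; what to do with an entry still depends on checking the process.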
559  Ethical Hacking Discussions and Related Certifications / Other / Re: I Need Money And Experience on: July 10, 2011, 12:09:39 PM
Very true; the day I decided to focus on security was the day I realized that I was doing it part time as a system admin and consultant. But now I have a reason to make it my full-time job. We all practiced security 101 during our early careers, that is, if we were doing our jobs right. But in the case of certain sysadmin jobs or consulting gigs, the clients just want you to make sure things stay running, and sadly that is all the client wants to pay for, no matter how much you push for better security and such. At least now, when I am asked my opinion on something as a security consultant, people will listen and usually do. Then again, it has become easier to push security-focused projects due to the ever-growing breaches being caused by groups such as Anonymous and LulzSec.

Security as a profession is certainly not an entry-level area; if you want to be good at it, you need to have some experience in those areas you want to protect. Building a web server and securing a web server are two different things. Think about it :D
560  Ethical Hacking Discussions and Related Certifications / Malware / Re: Help with Lab setup on: July 10, 2011, 11:33:30 AM
I am in a similar boat. I will actually be starting a new job and one of the projects will be to set up a malware analysis lab. My plan will be to use a separate ESX host, fully segmented/isolated from the production network. Build the victim systems and snapshot the whole lot.

Thanks for the book recommendation; going to check out the Kindle sample and most likely purchase it depending on the content. Sometimes technical books don't translate well to Kindle. But you can at least download the DVD contents using an SVN client and grabbing the Google Code repository.

I also used the following site to gather certain tools for this job: http://zeltser.com/malware-analysis-toolkit/ (there are some additional links to certain specifics). For my home lab I will probably be converting my present desktop to an ESX host once I get my new system. Install a 2nd NIC for management of ESX and utilize the other for the VM network, or just set up my laptop to manage it, thereby still keeping it fully isolated from the home systems.
561  Ethical Hacking Discussions and Related Certifications / Other / Re: DR Plans - Best Practices? on: June 19, 2011, 10:07:31 PM
The big question is... If something fails, can you bring it back up? How long can you be down before it hurts business? What systems are you replicating? Are you hoping to restore from bare metal? Is there any virtualization in use on the network? OK, so that is more than one question. But like dynamik recommended, you need to have a formal risk assessment done before planning your DR. That will make it much easier if you know what needs to be up in a certain amount of time. Then you are spinning your wheels on less critical systems.

And of course testing, testing, testing, once you have the plan in place. It's no good if you don't test.
562  Ethical Hacking Discussions and Related Certifications / Other / Re: I Need Money And Experience on: June 19, 2011, 10:01:07 PM
For the OP (who probably went on his merry way after not getting the "easy money" answer)... Might want to focus on getting a networking gig; you've got your CCNA, so put that to use. Work your way up the ladder. Network engineers make decent coin eventually, and if you make your way further into the Cisco realm and obtain higher certs you may be making more than the pen testers.

If you want the six figures, well, get the experience and shoot for that CISO spot. If you seriously want to get into full-time hacking, well, get yourself a lab and start where you might be strongest: networking. Plenty of exploits out there that attack networking equipment. Be aware of those, learn how to thwart them, and in turn you learn how to execute them as well. Then move on to trying other tools.
563  Ethical Hacking Discussions and Related Certifications / Other / Re: Help setting up network on: June 19, 2011, 09:50:51 PM
I second VMware. I typically run my testing lab from my main system since it has all the juice. I also run a Hyper-V environment on my Win2K8 box. VMware typically gives you the option to run the systems in their own standalone network, bridged or straight through. VMware Workstation will run you about 190 (ouch, thought it was cheaper) bucks. If you want something for free you can run with VirtualBox; it also allows for snapshots.

The beauty of running these labs in VMs is certainly the snapshotting ability, but also you don't need any additional monitors or keyboards to build them.

But to answer your initial question: if you don't need internet and you just want to use your Linksys as a switch for them, you don't need anything fancy. Just configure them with their own network range using static IPs. For instance, if your Linksys network is 192.168.0.0/24, set your lab up to use 172.16.1.0/24. You can configure a gateway, but that won't really matter. If traffic is only going between hosts on the 172.16.1.0/24 network, they won't even go to the Linksys gateway.

If you did need your Linksys to route traffic from those lab systems, well, you would need to flash it with DD-WRT or Tomato. Tomato allows you to specify additional routes for internal hosts.

Hope this helps.
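The reply above rests on two facts about the lab range: it must not overlap the home LAN, and hosts on the same /24 reach each other directly, so a gateway is optional unless traffic has to leave the lab. The block below is an added example (not the poster's code) that checks a proposed lab range against the home range, hands out static addresses from it, and answers the "does this packet touch the gateway?" question for a given host configuration. The function names (`check_lab_plan`, `plan_static_addresses`, `next_hop`) and the sample addresses are this example's own; it only reasons about addresses and touches no real interface.

```python
"""Sanity-check an isolated lab subnet next to a home LAN.

Added example for the post's advice (lab on 172.16.1.0/24 beside a Linksys
on 192.168.0.0/24, static IPs, gateway optional). Function names and the
sample addresses are this example's own; nothing here configures a NIC.
"""
import ipaddress
from typing import Dict, List, Optional


def check_lab_plan(home_cidr: str, lab_cidr: str) -> List[str]:
    """Return problems with the proposed lab range; an empty list means OK."""
    home = ipaddress.ip_network(home_cidr)
    lab = ipaddress.ip_network(lab_cidr)
    problems = []
    if home.overlaps(lab):
        problems.append(f"{lab} overlaps the home network {home}")
    if not lab.is_private:
        problems.append(f"{lab} is not a private (RFC 1918) range")
    return problems


def plan_static_addresses(lab_cidr: str, hostnames: List[str],
                          first: int = 10) -> Dict[str, str]:
    """Hand out consecutive static addresses starting at host index `first`,
    leaving the low addresses free for a gateway or a DD-WRT/Tomato router."""
    net = ipaddress.ip_network(lab_cidr)
    last_usable = net.num_addresses - 2          # index just before the broadcast address
    if first < 1 or first + len(hostnames) - 1 > last_usable:
        raise ValueError("not enough host addresses in the range")
    return {name: str(net[first + i]) for i, name in enumerate(hostnames)}


def next_hop(src_iface: str, dst: str, gateway: Optional[str] = None) -> str:
    """How a host configured as `src_iface` (e.g. '172.16.1.10/24') reaches `dst`."""
    iface = ipaddress.ip_interface(src_iface)
    target = ipaddress.ip_address(dst)
    if target in iface.network:
        return "on-link"          # delivered by ARP/switching; the gateway never sees it
    if gateway is None:
        return "unreachable"      # off-subnet and no default route configured
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        return "unreachable"      # a gateway outside your own subnet cannot be reached
    return f"via {gw}"


if __name__ == "__main__":
    print(check_lab_plan("192.168.0.0/24", "172.16.1.0/24"))
    print(plan_static_addresses("172.16.1.0/24", ["lab-a", "lab-b", "lab-c"]))
    print(next_hop("172.16.1.10/24", "172.16.1.20"))
    print(next_hop("172.16.1.10/24", "192.168.0.5"))
    print(next_hop("172.16.1.10/24", "192.168.0.5", gateway="172.16.1.1"))
```

The last two calls show why the gateway "won't really matter" for lab-to-lab traffic and why a stock Linksys cannot route for the lab: without a gateway inside 172.16.1.0/24 an off-subnet packet simply has nowhere to go, which is exactly the isolation the reply is after.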
564  Ethical Hacking Discussions and Related Certifications / Other / Re: Host Discovery Help on: June 19, 2011, 09:37:45 PM
I agree with the recon; most decent firewalls will immediately drop your scan packets, so you need to get a bit smarter than the FWs. Recon some targets: web servers, email servers, any type of forward-facing system will do. There is no sense in scanning an entire range if the most obvious targets have an opening.

Then again, if they have a very large range of public IPs, that might mean they are one-to-one NATting the internal systems and perhaps some workstations might be present. Doubtful, but hey, you never know.

So did they engage you to do a pen test?? There are no terms for this engagement? In the future, when you get some experience under your belt, do yourself a favor and get a more specific list of deliverables. No sense doing additional work if it is out of scope. And you want to make sure you are cleared for compromising a system and that it is in writing so you don't get burned.

Also, who hired you to do the work? Was it someone that has the proper authorization? Typically the person setting up the engagement needs the written authorization from the owner/President/CEO of the company to engage in such activities. That way all are aware that this is going on. You don't want to get wrapped up in some internal power struggle only to find out you are the scapegoat.

Good luck!!
565  Ethical Hacking Discussions and Related Certifications / Other / Re: Whitelisting the network on: June 19, 2011, 09:22:45 PM
Is that where these gray hairs are coming from?? Hmmm, damn them! Thanks for the links, WCNA.

So of course this side project will be put on hold since they will be deciding what mystery projects we will have to do before the year end. And even better, I got a "temp" manager for the next few months and he's another MBA hopeful with little relevant experience who seems to enjoy micromanagement. Oh well, makes for a good reason to make sure the resume is updated. :-p

566  Ethical Hacking Discussions and Related Certifications / Other / Re: Whitelisting the network on: May 21, 2011, 08:25:48 PM
That's too bad, Andy. I have determined that I will probably focus on pushing for a better organized network, and in the meantime I can continue running SEP's logging on its App/Device Control feature. Sadly our network engineer is very protective of his duties and gets very defensive when we want to make changes to it. We think it's because he doesn't know how to utilize VLANs.

I just need to word my proposal so that the managers realize that we don't need any new flashy tools, we just need to utilize the ones we have efficiently.
567  Ethical Hacking Discussions and Related Certifications / Other / Re: Whitelisting the network on: May 15, 2011, 03:43:55 PM
140 workstations, 100 or so servers. It probably is a pipe dream, though even if I can implement part of the plan I'd be happy. Man, some days I wish I could get the chance to build from the ground up.
568  Ethical Hacking Discussions and Related Certifications / Other / Re: Frustrations on: May 08, 2011, 06:47:09 AM
Man, I love reading Sil's posts, always very informative. I feel your pain, alucian; thankfully getting the tools I need isn't too difficult, most of the time it comes down to cost. Right now we actually have in the budget for a decent vulnerability scanner. The problem I am having is that our current security officer hasn't done a risk assessment since he has been there; the most current is something like 6 years old. When he does do any reports, he doesn't like to share with us unless we ask him and CC everyone and their mother. It took him 2 months to hand us the pen test we had done. His reason was because he didn't see anything that was high risk on it. Meanwhile we get it and there are a bunch of 10 scores for a number of internal vulnerabilities. Simple stuff to fix, but still, not his call in my opinion. Though if he knew anything beyond what he reads in white papers, then maybe he would have figured it out. So my pain is that we have an ISO that knows nothing about the network and he's been there longer than me. I've been there less than a year and know more about the network than most of the current staff.

Whoops, turned that into a venting session. Sorry 'bout that. Here's my next question: why did they pay for training for your OSCP if they don't want you to have the toolkit used to assess the network? Do they plan on allowing you to perform regular pen tests? Or did they have you take the training so you can be more aware of what to look for in the event you are being attacked?
569  Ethical Hacking Discussions and Related Certifications / Other / Re: Whitelisting the network on: May 08, 2011, 06:24:17 AM
Yeah, I've been running the Application and Device Control feature in SEP in a logging-only mode and it captures quite a bit. Found a great article on it as well. Our environment isn't too riddled with random pieces of software. For most people Office, IE, Adobe, Java and our special in-house applications are it. I think it is quite possible to do and I will eventually be testing on a small group. As for the networking side, that is definitely possible, but management has always had us put it on the back burner for whatever their monthly crisis is.

If anything, the research portion will be a good thing for me even if it doesn't get implemented at my current place of employment.
570  Ethical Hacking Discussions and Related Certifications / Other / Whitelisting the network on: May 07, 2011, 04:08:21 PM
Not sure where this fits since it's not just about malware or firewalls. Anyway, I just finished about a 3-month project to get my organization (that I've been at for 6 months or so) caught up on years of back patching. Unfortunately the ISO's words of wisdom consisted of "install all patches because they are old" regardless of whether or not the patch was deemed critical by MS or whether they had posed any risk to the organization. "Even this DVD/CD no-autorun patch for our servers that no one can get physical access to and we don't frequently load media in..." "Yes, because it's old..." But I digress...

So while waiting for all those patches to load, I did a lot of Twitter reading and found that a number of pros have been recommending that we truly learn our network and what is running on it to better protect it. I mean, it's a simple enough concept; one would think you should know this anyway. Unfortunately, when a network is built in spurts to accomplish a large increase in demands for resources, some things get pushed aside, mainly documentation. This is what I walked into 6 months ago. In that 6 months I had a full inventory of both servers and workstations, and documentation on the functions of all the servers. That led to me being able to decom a bunch of systems. Awesome when you ask someone what this does and they stare at you blankly (and they've been there for years). So, we turn it off and see what breaks! :D There I go again, so back on track...

So, whitelisting: awesome concept. I am currently working on a plan to implement this concept little by little. I have been setting up the AV policies to utilize the IDS/IPS features to whitelist applications and prevent certain directories from being written to; that should cut down on instances of fake AV, which are rare but do happen based on the nature of user profiles. I am also in the process of getting data for implementing egress on our firewalls. The next big chunk will be to actually utilize the nice expensive switches and really segment the network, not just block it off for organizational purposes.

So, the reason I am posting: I am curious to see if others are taking the advice and beginning to implement similar plans, or if you have already done so. I'd be interested in getting some feedback and even any difficulties you may have had with certain parts of the implementation. Also, how did you get management to buy into it? The team lead in our department has been trying to get NAC implemented but it keeps getting cut, and he's also been trying to secure the VLANs better but keeps getting pulled to do other projects. Management doesn't seem to get that all the patching in the world isn't going to protect you from a determined party and that we should be spending more energy on knowing what belongs on our network than blindly securing systems.

Sorry if this was long, but sometimes the mind shoots into overdrive. I look forward to your comments!!
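The original post mentions "getting data for implementing egress" on the firewalls. The usual way that data is used is to draft an allowlist of which internal sources may initiate which outbound traffic (proxy to web ports, resolver to DNS, relay to SMTP) and then replay observed flows against it to see what a default-deny rule would have blocked. The block below is an added example of that evaluation, not the poster's configuration and not tied to any firewall product: the internal range, the three `EgressRule` entries and the flow records are constructed, and in practice the records would be exported from firewall or NetFlow logs.

```python
"""Evaluate observed outbound flows against a candidate egress allowlist.

Added example for the 'getting data for implementing egress' step in the
post. The internal range, the rules and the flow records are constructed;
in practice the records would come from firewall or NetFlow logs.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class EgressRule:
    src_net: str            # which internal source(s) may initiate
    proto: str              # 'tcp' or 'udp'
    dports: FrozenSet[int]  # destination ports permitted for that source
    purpose: str

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.dport in self.dports
                and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net))


def parse_flows(text: str) -> List[Flow]:
    """Lines of 'src dst proto dport'; '#' comments and blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def evaluate_egress(flows: List[Flow], rules: List[EgressRule],
                    internal_cidr: str) -> Tuple[List[Flow], List[Flow]]:
    """Split flows that leave `internal_cidr` into (allowed, denied) under a
    first-match-allow, default-deny policy. Internal-to-internal flows are
    not egress and are left out of both lists."""
    internal = ipaddress.ip_network(internal_cidr)
    allowed, denied = [], []
    for f in flows:
        if ipaddress.ip_address(f.dst) in internal:
            continue
        (allowed if any(r.matches(f) for r in rules) else denied).append(f)
    return allowed, denied


def summarize(flows: List[Flow]) -> Counter:
    """Count flows by (source, proto, port): the review list for deciding
    whether each item needs a rule, a proxy/DNS redirect, or a closer look."""
    return Counter((f.src, f.proto, f.dport) for f in flows)


# Constructed policy and records (not from any real network).
INTERNAL = "10.20.0.0/16"
RULES = [
    EgressRule("10.20.0.5/32", "tcp", frozenset({80, 443}), "web proxy"),
    EgressRule("10.20.0.2/32", "udp", frozenset({53}), "recursive DNS"),
    EgressRule("10.20.0.7/32", "tcp", frozenset({25}), "mail relay"),
]
SAMPLE_FLOWS = """
# src            dst              proto dport      (constructed records)
10.20.0.5        203.0.113.9      tcp   443        # proxy fetching a site
10.20.0.2        198.51.100.53    udp   53         # DNS server recursing
10.20.5.40       203.0.113.9      tcp   443        # workstation bypassing the proxy
10.20.5.40       198.51.100.53    udp   53         # workstation doing its own DNS
10.20.5.41       203.0.113.44     tcp   6667       # workstation to an odd port
10.20.5.40       10.20.0.5        tcp   3128       # internal: to the proxy itself
"""

if __name__ == "__main__":
    allowed, denied = evaluate_egress(parse_flows(SAMPLE_FLOWS), RULES, INTERNAL)
    print(f"allowed={len(allowed)} denied={len(denied)}")
    for key, count in summarize(denied).most_common():
        print(count, key)
```

Two of the five egress flows are allowed (the proxy and the resolver); the three denied ones are the review list. The first two denied items are workstations bypassing the proxy and the resolver, which is the traffic an egress rule set is meant to push back through the controlled path; the odd-port entry is the kind of thing that deserves a look before the policy goes live.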