TOP 10: Corporate IS Gotchas
1. PATCHES: Install Security Patches to Correct Software Vulnerabilities
2. DRIVES: Set up Mirroring or RAID 5 to Protect Your Data
3. VIRUSES: Install a Managed Virus Protection Solution to Prevent an Epidemic
4. BACKUPS: Make Sure Your Backup and Disaster Recovery Solutions Do Their Job
5. SPAM: Close Your Open Relays to Prevent Spammers from Abusing Them
6. FIREWALL: Implement a Firewall to Tighten Your Security
7. POLICIES: Make Sure Your Security Policies Keep Intruders Out
8. NETWORK: Make Sure Your Network Design Won't Give You Problems
9. CABLING: Make Sure Your Cabling and Physical Plant Are Up to Your Demands
10. DOCUMENTATION: Make Sure All Critical Information Is Documented, Especially Software Licensing Information
3. Virus Protection

The Threat of Viruses
It used to be that viruses were fairly rarely encountered, back in the DOS days. They were little snippets of code that attached themselves to floppy disks, hard disks, or more commonly, applications. Most of them were relatively harmless, and they spread slowly, since their means of getting at a computer system were relatively limited. There was a very limited set of actions you could take that put you at potential risk of infection. Plus, systems were very different in how they were set up, which further limited the spread of viruses.

All that has changed with the recent introduction of integrated E-mail programs, standardized web browsers, and operating systems that hide the details of how they work from the end user. Now, you can get a virus just by double-clicking something in an E-mail you receive. Vulnerabilities exist in some versions of certain mail programs that can even infect a computer just by reading an E-mail message or visiting a web site. Sometimes simply by being connected to the Internet you can become vulnerable.

What is a Virus?
By virus, we're referring to any piece of code that replicates itself without interaction from the user, or without the user's intent or even consent. This includes other categories, such as worm files or even, to a degree, trojan horse programs. They can consume bandwidth, cause down-time on workstations or servers, damage data, and consume vast amounts of time from system administrators to remove them once they strike.

Defending Against Viruses: Virus Scanners
The question of how to combat this threat has been a long-running argument. While user education as to what actions make them vulnerable is important, the only truly effective way of preventing this threat is virus-scanning software that monitors incoming E-mail messages and file-transfer traffic.

Virus scanners such as McAfee's VirusScan and Symantec's Norton Antivirus are effective tools to not only detect and remove existing infections, but also to detect the viruses as they enter the system but before they have a chance to do any damage. The viruses are then either removed from the files or messages (if possible), or are 'quarantined' -- placed in a special holding area until an administrator can deal with them, if desired.

Updating Virus Definition Files
The problem with virus scanners is that of updating the definition files. Virus scanners work like the FBI's most-wanted list. They look for patterns in files that match definitions of viruses -- a fingerprint, if you will -- and respond to that. These files must be kept up to date, within a month at the outside (a week or even a day is better for a corporate network). Otherwise, it would be like a field office of the FBI not having the latest 'Wanted' posters. They wouldn't recognize the bank robber who got added last week even if he walked right into their office.
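To make the 'most-wanted list' analogy concrete, here is a toy signature scanner written for this page (it is an added example, not code from the original article or from any McAfee or Symantec product). Each definition carries the date it was published, so the same set of files can be scanned with the definitions a workstation would have had on two different update dates; the signatures, marker strings and sample files are all constructed for illustration.

```python
"""Toy signature-based scanner: a 'most-wanted list' of byte patterns.

Added example, not from the original page or any vendor product. All
signatures, marker strings and sample files below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Signature:
    name: str       # detection name reported to the administrator
    pattern: bytes  # byte pattern (the 'fingerprint') the scanner looks for
    added: date     # date this definition was published by the vendor


# Constructed definition set, in order of publication.
DEFINITIONS = [
    Signature("Constructed.Worm.A", b"CONSTRUCTED-WORM-A-MARKER", date(2003, 1, 10)),
    Signature("Constructed.Mailer.B", b"CONSTRUCTED-MAILER-B-MARKER", date(2003, 2, 10)),
    Signature("Constructed.Macro.C", b"CONSTRUCTED-MACRO-C-MARKER", date(2003, 3, 5)),
]


def definitions_as_of(defs, installed_on):
    """Definitions a workstation holds if it last updated on `installed_on`."""
    return [s for s in defs if s.added <= installed_on]


def scan(data, defs):
    """Return the names of every signature whose pattern appears in `data`."""
    return [s.name for s in defs if s.pattern in data]


def triage(files, defs):
    """files: dict of name -> bytes.

    Returns (clean, quarantined): clean is a list of file names with no
    match; quarantined maps each matching file name to its detection names,
    i.e. the files an administrator would find in the holding area.
    """
    clean, quarantined = [], {}
    for name, data in files.items():
        hits = scan(data, defs)
        if hits:
            quarantined[name] = hits
        else:
            clean.append(name)
    return clean, quarantined


# Constructed sample files: one harmless, two carrying constructed markers.
SAMPLE_FILES = {
    "readme.txt": b"Quarterly numbers attached.",
    "setup.exe": b"MZ..." + b"CONSTRUCTED-WORM-A-MARKER",
    "invoice.vbs": b"' stub\n" + b"CONSTRUCTED-MACRO-C-MARKER",
}


def compare_update_ages(files=SAMPLE_FILES, defs=DEFINITIONS):
    """Scan the same files with a stale and a current definition set.

    Returns {'stale': quarantined, 'current': quarantined} so the reader can
    see exactly which infection the month-old definitions fail to recognise.
    """
    result = {}
    for label, as_of in (("stale", date(2003, 2, 15)), ("current", date(2003, 3, 31))):
        _, quarantined = triage(files, definitions_as_of(defs, as_of))
        result[label] = quarantined
    return result


if __name__ == "__main__":
    for label, quarantined in compare_update_ages().items():
        print(f"{label:8s} definitions quarantined: {quarantined}")
```

The stale set (last updated in mid-February) still catches the January worm in `setup.exe` but passes `invoice.vbs` as clean, because the macro signature was only published in March; that is the 'bank robber added last week' walking straight past the field office.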

The problem, of course, is how to keep these updated. Both McAfee and Symantec have built in an 'auto-download' feature to their products. There are, however, several problems with using this on a corporate scale:

  • In many cases, each workstation must 'subscribe' for updates after the first year, requiring a separate credit-card payment for each machine. This presents a management and accounting problem for administrators.
  • Each machine must have the ability to reach the Internet directly for the file transfer; proxy servers and firewalls can interfere with the process.
  • Users must leave their machines online during the time the update is scheduled to occur.
  • Network bandwidth is consumed for each transfer. Since the definition files are typically from three to five megabytes in size, one hundred workstations can consume up to half a gigabyte of transfer time on the network line. Since all of them typically download at nearly the same time -- and do so whenever an update is released -- this can cause severe bottlenecks on the corporate Internet connection.
  • Users can easily disable the virus scanning features and/or the downloading of new updates, and may do so if these updates pop up while they are working.
  • There is no good way for administrators to track the versions of updates installed or whether or not scanning is occurring as desired.
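The last point above, tracking which definition version each machine has and whether scanning is actually running, is what a central management server is for. The script below is an added example written for this page (not from the original article or from either vendor's console) of the report an administrator wants from such an inventory. The export format, one line per host with the definition date and real-time scanner state, is an assumption, and the hosts listed are constructed; the thresholds come from the text above: a week as the corporate target, a month as the outside limit.

```python
"""Definition-age report across a fleet of workstations and servers.

Added example, not from the original page or any vendor console. The
inventory export format and the hosts in it are constructed; the thresholds
follow the text (one week target, one month outside limit).
"""
from datetime import date, timedelta

WARN_AFTER = timedelta(days=7)   # corporate target from the text
FAIL_AFTER = timedelta(days=30)  # 'a month at the outside'

# Constructed export, assumed layout: host,definition_date,realtime_scan
INVENTORY = """\
# host,definition_date,realtime_scan
ws-acct-01,2003-03-28,on
ws-acct-02,2003-03-03,on
ws-eng-05,2003-02-01,on
ws-eng-07,2003-03-29,off
srv-mail-01,2003-03-30,on
"""


def parse_inventory(text):
    """Parse the constructed export into records; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ymd, state = [field.strip() for field in line.split(",")]
        year, month, day = (int(part) for part in ymd.split("-"))
        records.append({
            "host": host,
            "defs": date(year, month, day),
            "scan_on": state.lower() == "on",
        })
    return records


def classify(record, today):
    """Status for one host.

    'disabled' if the user has switched real-time scanning off (a stale
    definition set is moot then), otherwise 'fail' past a month, 'warn' past
    a week, 'ok' within a week.
    """
    if not record["scan_on"]:
        return "disabled"
    age = today - record["defs"]
    if age > FAIL_AFTER:
        return "fail"
    if age > WARN_AFTER:
        return "warn"
    return "ok"


def report(text=INVENTORY, today=date(2003, 3, 31)):
    """Group hosts by status, worst first, so the administrator sees who to chase."""
    groups = {"disabled": [], "fail": [], "warn": [], "ok": []}
    for record in parse_inventory(text):
        groups[classify(record, today)].append(record["host"])
    return groups


if __name__ == "__main__":
    for status, hosts in report().items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Run on the constructed inventory as of 31 March 2003, it puts `ws-eng-07` in the disabled group (a user has turned scanning off), `ws-eng-05` in the fail group (definitions from 1 February, nearly two months old) and `ws-acct-02` in the warn group; the accounting workstation updated three days earlier and the mail server are within policy.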
Managing Virus Definition Files
Each vendor has created solutions to this problem. McAfee has introduced McAfee ASaP, which automatically downloads, installs, and maintains each user's computer remotely from McAfee. Symantec has introduced Norton Antivirus Corporate Edition, which permits all workstations and servers to be centrally managed by one network server. The details of how each package works are beyond the scope of this document; check out the links below for information on these products.

One point of interest, however: Symantec's Norton Antivirus Corporate Edition permits the server to download all updates, then distribute them dynamically to client workstations as those workstations log in. The workstations retrieve their updates from the server, not from the Internet, which seriously cuts down the problems of Internet bandwidth usage and the necessity of each workstation needing a connection to the Internet.

Viruses and Linux/Unix
Linux and Unix do not seem to be as severely affected by viruses. There, it's similar to the older DOS software: it's important to make sure you trust the source of software you receive. Trojan horse programs can be a problem, though self-replicating viruses are usually limited to 'worm' programs that can be protected against via security patches (see item '1' above).

Viruses and Servers
Servers also need protection; if a server does not have virus protection, then it can act as a vector for infection of multiple workstations. Norton Antivirus Corporate Edition can be installed on any Microsoft Operating System, including server systems. McAfee requires the use of their NetShield product for server systems. In addition, companies that run their own E-mail system, such as Microsoft Exchange, are strongly encouraged to purchase a scanner that integrates with Microsoft Exchange. For McAfee, this is the GroupShield product; for Symantec, Norton Antivirus Corporate Edition for Microsoft Exchange can be purchased as an option with Corporate Edition to integrate full virus scanning into the E-mail server, stopping viruses before they can even reach a client computer.

E-mail Viruses
Most new viruses seem to spread themselves using E-mail as a vector. They attach .EXE or .VBS files to a message and then transmit themselves to those in a user's contact list. Users should be educated not to click on files containing these extensions, and in addition should also uncheck the 'Hide file extensions for known file types' checkbox in Windows Explorer to make sure the full filename with extension is displayed.
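A mail gateway can enforce the advice above before a user ever sees the attachment. The check below is an added example written for this page (not code from the original article or from any product mentioned in it). It parses a constructed message with Python's standard `email` module, flags attachments whose final extension is executable, and reports the name Windows Explorer would display with 'Hide file extensions for known file types' still checked; `.exe` and `.vbs` come from the text, and the other extensions in the block list are an assumption about what a corporate gateway would also stop.

```python
"""Gateway check for executable and disguised e-mail attachments.

Added example, not from the original page. The message is constructed.
.exe and .vbs come from the text; the remaining blocked extensions are an
assumption about a typical corporate gateway policy.
"""
import email
from email import policy

BLOCKED_EXTENSIONS = {".exe", ".vbs", ".com", ".scr", ".pif", ".bat", ".js"}

# Constructed message: one disguised .vbs attachment, one harmless text file.
RAW_MESSAGE = """\
From: sender@example.com
To: user@example.com
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Type: application/octet-stream; name="invoice.txt.vbs"
Content-Disposition: attachment; filename="invoice.txt.vbs"
Content-Transfer-Encoding: base64

JyBjb25zdHJ1Y3RlZCBzdHViCg==
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--XYZ--
"""


def attachment_names(raw):
    """File names of every part the message marks as an attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [part.get_filename() or ""
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def displayed_name(filename):
    """What Explorer shows with known extensions hidden: the final extension
    is dropped, so 'invoice.txt.vbs' is displayed as 'invoice.txt'."""
    stem, dot, _ = filename.rpartition(".")
    return stem if dot else filename


def check_attachment(filename):
    """Reasons to quarantine `filename`; an empty list means it passes."""
    parts = filename.lower().split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if final_ext in BLOCKED_EXTENSIONS:
        reasons.append(f"executable extension {final_ext}")
        if len(parts) > 2:
            # Double extension: the user would see only the innocuous part.
            reasons.append(f"double extension, shown to users as {displayed_name(filename)!r}")
    return reasons


def filter_message(raw):
    """Map each attachment a gateway should hold to the reasons for holding it."""
    flagged = {}
    for name in attachment_names(raw):
        reasons = check_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in filter_message(RAW_MESSAGE).items():
        print(f"quarantine {name}: {'; '.join(reasons)}")
```

The check deliberately keys on the final extension only, because that is what the operating system uses to decide how to open the file; the double-extension note exists to explain to the recipient why a file that looked like `invoice.txt` was held.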

However, there is a known bug in Microsoft Outlook and Outlook Express that permits certain file types displayed in Preview mode to be automatically executed. The user doesn't even have to open the attachment. While this is technically a patching issue (see item '1' above), so many viruses use it that it is relevant to mention it here. The bug affects users of Microsoft Outlook and Outlook Express. With newer versions of the software, the older holes are corrected, but newer ones can be introduced.

Macro Viruses
Certain viruses spread by attaching themselves to Microsoft Office documents. They make use of the built-in macro programming language of Microsoft Office products in order to replicate themselves. Almost all versions of Microsoft Office, at present, will notify the user if they attempt to open a document that contains macros, and users should be cautious about doing so from untrusted sources or if there is no good reason for a file to contain macros (most should not).

However, there is a bug in Office 97 and 2000 and their components that permits documents containing macros to bypass this checking and alerting. Microsoft has elected not to release a patch for Microsoft Office 97 for this bug. Full documentation of this bug and the patch to correct it can be found at:

http://www.microsoft.com/technet/security/bulletin/MS01-050.asp

http://www.microsoft.com/technet/security/bulletin/MS01-034.asp

Recommendations
Virus protection is important. Very important. Each virus-related incident, even if no irreplaceable data is lost, generally requires at least an hour of an administrator's time to remove the virus -- sometimes much more. The extra time to troubleshoot problems caused by a virus infection, even before the problem is diagnosed and removal initiated, can also be significant.

It's sad that some people spend time creating these destructive pieces of software, requiring so much work, effort, and expense on the part of others, and it's sad that virus scanning software is a necessary expense. But nonetheless, the grim reality is that it's an essential tool in your company's arsenal of defensive precautions.

Additional Resources
Norton Antivirus Corporate Edition http://www.symantec.com
McAfee ASaP http://www.mcafee.com
This page Copyright ©2003 by Enter-Networks.Net. All Rights Reserved. All trademarks referenced herein are trademarks of their respective vendors. Prices and features listed subject to change without notice. All prices are in US Dollars.