Network Security: Anti-Virus Do's and Don'ts
Viruses cost businesses money, and the threat is not going to go away any time soon. The interoperability between applications only makes it easier for virus writers to release viruses that can spread quickly and quietly without the user's knowledge.
Understanding anti-virus software
Anti-virus programs (also known as AV scanners) are often misconfigured or out of date, and in that state they do little or nothing to protect the systems on which they're installed.
All AV scanners, including products like Norton and McAfee, work from a database of information about known viruses; an entry in this database is called the virus fingerprint or signature. The database must be updated frequently so that it contains the latest signatures. Anti-virus vendors generally publish a signature well ahead of a mass infection, because viruses are often detected and reported several weeks to months before end users become aware of them. However, because people do not keep their scanners updated, a virus can still reach epidemic proportions. Then comes the inevitable mass scramble to the vendors' Web sites to download the updated files, which sometimes overwhelms those sites and delays the updates further.
Of course, some virus epidemics have been caused by viruses with completely new code and behaviors that the scanners had no entry for. The database describes only viruses and behaviors that have already been seen, so a scanner that relies on signatures alone is blind to anything genuinely new. This is a significant weakness of AV products, and vendors try to overcome it with heuristics: rules that flag code and behavior that look malicious even when no existing signature matches.
Following are some basic anti-virus rules to follow.
- Do have a written anti-virus policy that details the responsibilities of management and staff, how anti-virus is to be maintained, and specific instructions on what to do in an emergency.
- Do make sure that anti-virus software is installed on every machine, even if the machine is not capable of running e-mail. Viruses can sit undetected in files on any machine.
- Do update anti-virus signature files and scanning engines regularly. A weekly update is good, although daily is better. If your company has a central anti-virus server, it can push updates to the other machines on the network. However, a computer must be turned on for this to work: if a machine was off at the time of the update, check that it picks the update up when it comes back on, or update it manually.
- Do run the anti-virus program in full-time, background, automatic, auto-protect, or similar mode.
- Do enable scans of memory, the master boot record and boot sectors, and system files at start up on every machine. It doesn't take long for an anti-virus program to complete these scans, and it's just plain silly not to enable them.
- Do configure the anti-virus program to scan all files — not just executable programs. Viruses come in all sorts of files and just scanning executables is not enough.
- Do enable the anti-virus heuristic controls (if they are available). A heuristic scan takes longer, but not so much longer that it makes much difference to users.
- Don't allow Windows Scripting Host (WSH) to run on machines that don't need it. Although some Windows programs and administrative scripts need WSH, most machines can have it disabled without harm. WSH is the component that runs VBScript and JScript script files (.vbs, .js and similar), and many e-mail viruses have been written as VBScript scripts. With WSH disabled, a script virus that relies on it cannot run; note that viruses delivered as executables or Office macros are not affected by this step.
- Do enable Macro Virus Protection in all your Microsoft Office programs.
- Do disable the Preview Pane view in Outlook and Outlook Express. Some viruses can be launched by simply previewing them, even if the message is never opened. Disabling this feature saves you a lot of grief.
- Don't allow your e-mail programs to "auto open" attachments.
- Don't open attachments from people you don't know or attachments that seem suspicious. Be careful even with attachments that appear to come from people you know: many e-mail viruses send themselves to the addresses found on an infected machine, so the sender's name proves nothing.
- Do configure your e-mail programs to display messages as plain text unless HTML-formatted e-mail is genuinely necessary. A number of vulnerabilities have been found in HTML-enabled e-mail, and Web-based e-mail is especially exposed to them.
- Do educate all your users on the dangers of e-mail attachments and viruses in general. Also educate users about virus hoaxes and how to tell the difference between real and imagined threats.
- Do use the security features that come with the product. This includes preventing general users from being able to make changes in the program. Some users try to turn off the virus detection and you don't want them to be able to do that.
- Do educate your users about the anti-virus program you are using and how it works. This helps eliminate confusion, and staff will be less likely to try to disable the anti-virus program on their desktop machines.
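The rules above can be checked rather than taken on trust. The following script is an added example, not part of the original article, and it assumes Microsoft Defender Antivirus, whose Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) exposes the relevant settings; Norton, McAfee and other products expose the same settings through their own consoles. The registry locations for WSH and Outlook plain-text reading are the documented ones, and the 16.0 Office version number, the one-day signature limit and the Audit-AntiVirus.ps1 file name are assumptions for the example. Save it as Audit-AntiVirus.ps1 and run it from an elevated PowerShell prompt on each machine (or through Invoke-Command from a management host).

```powershell
# Audit-AntiVirus.ps1 (example, not the article's own tooling): check one
# Windows machine against the anti-virus do's and don'ts above.
# Assumes Microsoft Defender Antivirus; run elevated.

$MaxSignatureAgeDays = 1   # the article says weekly is good, daily is better
$failures = New-Object System.Collections.Generic.List[string]

function Add-Failure([string]$Message) { $failures.Add($Message) }

# "Do update anti-virus signature files and scanning engines regularly"
$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Add-Failure ("Signatures are {0} days old (last updated {1}); run Update-MpSignature" -f $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# "Do run the anti-virus program in full-time, background, auto-protect mode"
if (-not $status.RealTimeProtectionEnabled) {
    Add-Failure "Real-time protection is off; fix with Set-MpPreference -DisableRealtimeMonitoring `$false"
}

# "Do enable the heuristic controls" and "Do scan all files, not just executables"
$pref = Get-MpPreference
if ($pref.DisableBehaviorMonitoring)     { Add-Failure "Behavior monitoring (heuristics) is disabled" }
if ($pref.DisableArchiveScanning)        { Add-Failure "Archive (zip) scanning is disabled" }
if ($pref.DisableScriptScanning)         { Add-Failure "Script scanning is disabled" }
if ($pref.DisableRemovableDriveScanning) { Add-Failure "Removable drive scanning is disabled" }

# "Do use the security features ... prevent general users from making changes"
# IsTamperProtected reports whether Defender's tamper protection is on.
if (-not $status.IsTamperProtected) {
    Add-Failure "Tamper protection is off; users can disable the scanner"
}

# "Don't allow Windows Scripting Host to run on machines that don't need it"
# WSH honours a REG_DWORD value 'Enabled' under its Settings key: 0 disables it
# machine-wide (HKLM) or for one user (HKCU). A missing value means enabled.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wsh = Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $wsh -or $wsh.Enabled -ne 0) {
    Add-Failure "WSH is enabled; disable with: Set-ItemProperty '$wshKey' -Name Enabled -Type DWord -Value 0"
}

# "Do configure your e-mail programs to display messages in plain text"
# Outlook reads the ReadAsPlain value under Options\Mail; 1 = plain text.
# 16.0 is assumed here (Outlook 2016/2019/365); adjust for other versions.
$olKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$ol = Get-ItemProperty -Path $olKey -Name ReadAsPlain -ErrorAction SilentlyContinue
if ($null -eq $ol -or $ol.ReadAsPlain -ne 1) {
    Add-Failure "Outlook renders HTML mail; set ReadAsPlain (DWORD) = 1 under $olKey"
}

if ($failures.Count -eq 0) {
    Write-Output ("PASS: {0} meets all checked anti-virus rules" -f $env:COMPUTERNAME)
} else {
    Write-Output ("FAIL: {0} ({1} problems)" -f $env:COMPUTERNAME, $failures.Count)
    $failures | ForEach-Object { Write-Output "  - $_" }
}
```

Each failure message names the fix, so the script doubles as a checklist for the written anti-virus policy: a machine that prints PASS has current signatures, real-time and heuristic scanning on, tamper protection on, WSH disabled and Outlook reading mail as plain text. The Outlook check only covers the user running the script, since ReadAsPlain lives under HKCU.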
Emergency! What to do
Okay. The worst has just happened and you think your network has been infected with a virus. The first rule is don't panic! A virus infection has happened to others and was bound to happen to you at some point. Hopefully you anticipated this and have an Emergency Response Team ready to operate. An Emergency Response Team should be part of your Security Policies and is composed of experts who can take over in an emergency.
If you don't have an Emergency Response Team, don't panic! Here's what you do:
1. Identify what infection you have.
You may have to do some research on an anti-virus Web site if your anti-virus program can't specifically identify which virus has entered your system. If your anti-virus program has all of its updates, it should be able to identify the virus. If your anti-virus program has not been updated recently, do that immediately.
2. Locate the source of the infection.
Scan all machines on your network to pinpoint which machines have the infection.
3. Quarantine all infected machines.
Take them off the network so the infection can't spread. That could mean physically unplugging the offending machines from the network or, if the infection is rampant, taking the entire network offline. You don't want to risk infecting others inside or outside of your network.
4. Eliminate or "cure" the infection.
Run your anti-virus program on all infected machines. Sometimes the anti-virus program can't reverse the infection, which means that you'll have to manually disinfect all machines. To manually disinfect a machine, you have to change registry settings or reinstall a portion, if not all, of the operating system. The anti-virus vendor's Web site should have specific disinfection instructions. If there is no information on the Web site, don't hesitate to give them a call.
5. Don't bring the machines or the network back online until you are sure all traces of the virus are gone.
This means scanning all machines AGAIN.
6. Have a staff meeting and tell everyone what happened, why it happened, and what you had to do to fix it.
Make this a "lessons learned" exercise and not a meeting to point fingers and place blame. You may discover a whole bunch of things you did correctly, too. View this as an opportunity to make sure it doesn't happen again.
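Steps 1 to 5 above can be run as one first-response script on each suspect machine. The script below is an added example, not the article's own procedure, and it assumes Microsoft Defender Antivirus and its PowerShell module (Update-MpSignature, Start-MpScan, Get-MpThreat, Get-MpThreatDetection, Remove-MpThreat); other products have equivalent command-line scanners. The -Isolate switch and the Respond-Infection.ps1 file name are assumptions for the example. Run it elevated from the console of the suspect machine, because with -Isolate it cuts the machine's network connections and you will need console access to restore them.

```powershell
# Respond-Infection.ps1 (example, not the article's own tooling): first response
# on one suspected Windows machine. Assumes Microsoft Defender Antivirus; run
# elevated from the local console. Pass -Isolate to pull the machine off the network.
param([switch]$Isolate)

# Step 1: identify what infection you have. Update signatures first; an
# out-of-date scanner may not recognise the virus at all.
Update-MpSignature -ErrorAction Continue
$status = Get-MpComputerStatus
Write-Output ("Engine {0}, signatures {1} (updated {2})" -f $status.AMEngineVersion, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

# Step 2: locate the infection on this machine. A full scan covers memory,
# boot records and every file, not just the usual places a quick scan checks.
Start-MpScan -ScanType FullScan

# Get-MpThreat lists what the scanner recognised; Get-MpThreatDetection adds
# the file or process it was found in and when.
$threats = Get-MpThreat
if (-not $threats) {
    Write-Output ("No known threats on {0}; scan again after the next signature update" -f $env:COMPUTERNAME)
    return
}
Write-Output ("Threats recognised on {0}:" -f $env:COMPUTERNAME)
foreach ($t in $threats) {
    Write-Output ("  {0} (threat id {1}, severity {2}, active: {3})" -f $t.ThreatName, $t.ThreatID, $t.SeverityID, $t.IsActive)
}
Write-Output "Where they were found:"
foreach ($d in Get-MpThreatDetection) {
    Write-Output ("  threat id {0} at {1} in {2}" -f $d.ThreatID, $d.InitialDetectionTime, ($d.Resources -join ', '))
}

# Step 3: quarantine the machine. Disabling every active network adapter is the
# scripted equivalent of unplugging the cable, so the virus cannot spread from here.
if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    Write-Output "Network adapters disabled; machine is isolated"
}

# Step 4: eliminate the infection. Remove-MpThreat acts on every threat the
# scanner knows how to clean; anything still active afterwards needs the
# vendor's manual disinfection instructions.
Remove-MpThreat

# Step 5: do not call the machine clean until a second scan finds nothing.
Start-MpScan -ScanType FullScan
$remaining = Get-MpThreat | Where-Object { $_.IsActive }
if ($remaining) {
    Write-Output "STILL INFECTED; keep the machine off the network and disinfect manually:"
    $remaining | ForEach-Object { Write-Output ("  {0} (threat id {1})" -f $_.ThreatName, $_.ThreatID) }
} else {
    Write-Output ("Second scan clean on {0}; safe to reconnect once every other machine reports clean" -f $env:COMPUTERNAME)
}
```

Keep the script's output from every machine: the threat names, detection times and resource paths are the raw material for the "lessons learned" meeting in step 6, and they show which machine was infected first and how the virus travelled between them.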