20 Jan 2000
With a single virus able to spread throughout a company as fast as a flu epidemic, it makes sense to install anti-virus software and ensure that staff abide by the security policy.
Establish a security policy
Before even looking at virus types and how to combat them, a company must have a security policy in place. Anti-virus (AV) products should meet this policy's requirements and not vice versa.
The products purchased should complement each other in order to combat the threats more effectively. Anti-virus scanners have their place in an organisation's security toolkit, but they can be used more effectively if you take the following precautions.
Boot sector viruses
Boot sector viruses infect a computer when the user boots or attempts to boot from an infected disk, whether or not the disk is a system disk. Once the computer is infected, the virus will load automatically on every boot.
The simplest way to avoid boot sector infections is to set the BIOS to boot from the hard disk first. Then, password-protect the BIOS to prevent anyone but qualified staff from changing the setting. Having done this, there is no way the virus can enter the system.
Many security products provide a utility to encrypt and prevent modification to system areas of the hard disk. By preventing modification, if a virus does infect the computer, the security software spots the changes and either returns the disk to its previous state, or informs the user of the problem.

File viruses
File viruses differ from boot sector viruses in that the virus can be present on the PC without the PC being infected. In order to activate the viral code, the executable to which it is attached must be run.
Once run, the virus loads into memory, then moves on to infect other executables, either by searching them out on the hard disk or waiting until they are started.
The standard solution is to run anti-virus software constantly in the background. However, this can be avoided by making simple changes to user behaviour. If the user cannot modify any executable that is already on the PC, the virus cannot spread.
Also, by preventing the user from adding any new executables to the system, they are prevented from transferring an infected file onto the PC in the first place. By protecting the executables already on the system, the user is protected from directly running infected executables from other media (CD-ROM, network drive, etc).
If correctly configured, an NT file server can prevent modification of existing executables, but it does not prevent the user from adding new executables in the hard disk's data area.
Within their security policy, most organisations will have a statement that says users cannot modify or install software. If this is enforced, the risk of infection from file viruses is greatly reduced. And from the viewpoint of software licence compliance, if an organisation is fully compliant, then the list of software installed on a system cannot be changed.
Multipartite viruses
Multipartite viruses combine parts of both boot sector and file viruses, and can use both methods to spread and infect. The methods described elsewhere to handle both types of virus separately will also work together to prevent the infection and spread of multipartite viruses.
Trojan horses and logic bombs
A Trojan horse is a program which purports to be benign but actually causes damage in the background. Logic bombs are usually executables whose only goal is to cause damage - compared with viruses whose primary aim is replication, with damage as a secondary goal.
Since logic bombs are executables, preventing the introduction of new executables onto a PC prevents the damage they would cause, which is damage that most anti-virus scanners cannot prevent.
Macro viruses
Macro viruses function at the application level rather than the operating system level, and consequently are more easily transferred to different operating systems. Macro viruses use the automation features of many current applications such as MS Word and Excel, Lotus Ami Pro, Corel's Coreldraw and Photopaint.

An obvious but self-defeating solution is to prevent all macros from running, but this is impractical for most organisations. A better solution is to create a list of authorised macros which can be safely run and then disallow all others.
These approved macros can then only run if they have not been modified since they were approved (macro viruses can attach themselves to existing macros as well as existing documents with no macros). This takes the decision away from the user as to whether or not to trust a macro.
Malicious macros
A malicious macro resembles a logic bomb rather than a macro virus: it makes no attempt to replicate but simply causes damage. Since it has access to the full power of the macro language, it can cause a wide spectrum of damage, from randomly changing words in documents to formatting the hard disk.
To avoid malicious macros, a security policy should only allow authorised and known safe macros to execute. Once again, virus scanners provide little or no defence against this attack.
Beta and untested software
Some argue that untested or beta software which could cause system crashes or conflicts with the installed software falls into the category of logic bombs and should not be installed onto a user's workstation before being thoroughly tested.
Encrypted email
With current anti-virus products, encrypted messages will either be quarantined or passed through. Unless a company has a system in place to decrypt these messages as they pass through the email gateway, the first place it is possible to check these messages for viruses is at the desktop. Just because an email is encrypted does not mean it is exempt from security policy.
Windows scripting language
The same macro language within the Microsoft Office suite is now used on the desktop and has the potential to produce macro viruses similar to those associated with Word and Excel. This means that a Windows scripting file on a website can be automatically downloaded and executed without user intervention or knowledge.
This isn't a serious threat, but could become as dangerous as macro viruses. The solution, as with macro viruses, is to permit only valid and authorised scripting files to run.
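The policy in the sections above (no modifying or adding executables, run only authorised and unmodified macros, run only authorised scripting files) comes down to one check: an object may run only if it was explicitly approved and its content has not changed since approval. The following is an added example, not code from the article or any product it mentions. It records the SHA-256 of each approved object and refuses anything unknown or modified; the names, macro text and file contents are constructed for the demo, and the approved set is assumed to be kept somewhere users cannot edit.

```python
"""Content-based allowlist for executables, macros and scripts (added example).

An object may run only if it was approved and its content still matches the
digest recorded at approval time. A macro a virus has attached itself to, or a
new executable a user copied onto the PC, fails the check. All names and
contents here are constructed for the demo.
"""
import hashlib
from typing import Dict, Tuple

# Hypothetical store: logical name -> SHA-256 of content at approval time.
# In a real deployment this would be write-protected so users cannot edit it.
ApprovedSet = Dict[str, str]


def digest(content: bytes) -> str:
    """SHA-256 of the object's content; the name alone is never trusted."""
    return hashlib.sha256(content).hexdigest()


def approve(approved: ApprovedSet, name: str, content: bytes) -> None:
    """Record an object as authorised; done by support staff, not end users."""
    approved[name] = digest(content)


def check(approved: ApprovedSet, name: str, content: bytes) -> Tuple[bool, str]:
    """Decide whether an object may run; returns (allowed, reason).

    Only an approved name whose content still matches the recorded digest is
    allowed. A changed object or a never-approved object is refused, so the
    decision is taken away from the user entirely.
    """
    expected = approved.get(name)
    if expected is None:
        return False, "unknown: not on the approved list"
    if digest(content) != expected:
        return False, "modified since approval"
    return True, "approved and unchanged"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the three cases the policy must handle, on constructed inputs."""
    approved: ApprovedSet = {}
    macro = b'Sub AutoOpen()\n  MsgBox "Monthly report"\nEnd Sub\n'
    approve(approved, "report.doc!AutoOpen", macro)
    approve(approved, r"C:\APPS\EDITOR.EXE", b"MZ...constructed editor image...")
    return {
        # approved macro, untouched: allowed
        "unchanged macro": check(approved, "report.doc!AutoOpen", macro),
        # same macro with a line appended after approval: refused
        "macro changed after approval": check(
            approved, "report.doc!AutoOpen", macro + b"' line added later\n"),
        # executable nobody approved: refused
        "new executable": check(approved, r"C:\TEMP\GAME.EXE", b"MZ...unknown..."),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:30s} {'RUN' if allowed else 'BLOCK':5s} ({reason})")
```

The same routine gates a Windows scripting file just as it gates a Word macro: the allowed decision depends on content, so renaming or re-saving a file under an approved name does not get it past the check.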
Java, Javascript, ActiveX
Although it is difficult (but not impossible) to write a virus in these environments, they have the potential to drop a virus into the local PC. Badly written or malicious code could cause the system to crash or lose data.
The threat from these is identical to the others: only the entry point has changed, so the methods already discussed will protect against unauthorised malicious code.
Anti-virus solutions
The main defence against viruses is the virus scanner. There are two types: the on-demand scanner, which scans targeted disks when told to; and the on-access scanner, which sits in memory and scans any object as it is accessed or used.
Scanners are not the only defence against viruses. A properly thought-out security policy can actually reduce the cost of purchasing scanners, if enforced to the letter.
Some anti-virus solutions limit what users can do to infect their desktops, such as controlling access to the floppy disk drive to prevent users bypassing virus checking procedures. There are also heuristic solutions: these watch for virus-like activity and require less frequent updates than virus scanners.
Defence in depth
Using the same AV product on desktops, servers and email gateways has a simple drawback. If a virus goes undetected through one of the entry points to the network, it will spread unhindered through the rest of the network.
Using different or multiple products at each entry point will ensure that viruses have multiple barriers to get through rather than a set of identical ones.

Regularly scan all files
Because vendors of anti-virus software try hard to make their products score highly in reviews, scanning files as fast as possible becomes an inherent objective. By default, most AV scanners don't look in .txt files, for example, because the software assumes they cannot hold macro viruses.
However, a .doc file can be renamed .txt. Consequently, at least once a month, or when you update the AV software with the latest virus data, the software should scan all files on the disk, even if this takes longer than the normal scan.
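To show concretely why a scanner that skips files by extension misses a renamed document, here is an added example (not from the article or any AV product) that compares the two policies: the fast default that skips .txt files, and a check of the leading bytes of the file. The OLE2 compound-document signature (the container used by Word and Excel 97-2000 files, which can carry macros) and the MZ executable signature are real; the sample files are constructed for the demo.

```python
"""Extension-based skipping versus content inspection (added example).

Lists the files that the default "skip .txt" policy would never scan even
though their first bytes identify a macro-capable document or an executable.
Sample file contents are constructed for the demo.
"""
from typing import Dict, List

# Real signatures: OLE2 compound document (Word/Excel 97-2000 container) and
# the MZ header of DOS/Windows executables.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SIGNATURES = [
    (OLE2_MAGIC, "ole2-compound-document"),
    (b"MZ", "dos/windows-executable"),
]

# Extensions the constructed "fast" scanner skips by default.
SKIPPED_EXTENSIONS = {"txt", "log", "csv"}


def identify(head: bytes) -> str:
    """Label a file by its leading bytes, ignoring the name entirely."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unrecognised"


def extension_policy_skips(name: str) -> bool:
    """The default fast policy: decide by extension alone."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in SKIPPED_EXTENSIONS


def missed_by_extension_policy(files: Dict[str, bytes]) -> List[str]:
    """Files the fast policy skips but whose content a full scan must inspect."""
    return [
        name for name, head in files.items()
        if extension_policy_skips(name) and identify(head) != "unrecognised"
    ]


# Constructed samples: a real text file, a Word document, the same document
# renamed to .txt, and an executable.
SAMPLES: Dict[str, bytes] = {
    "notes.txt": b"Meeting notes 20 Jan 2000\n",
    "report.doc": OLE2_MAGIC + b"\x00" * 24,
    "report.txt": OLE2_MAGIC + b"\x00" * 24,   # a .doc renamed to .txt
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 28,
}


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:12s} skipped-by-extension={extension_policy_skips(name)!s:5s} "
              f"content={identify(head)}")
    print("missed:", missed_by_extension_policy(SAMPLES))
```

The renamed document is the only file in the set that the fast policy skips while its content says otherwise, which is exactly the gap the periodic full scan of every file is meant to close.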
Train your users
Whatever anti-virus software you use, and whether you use on-access or on-demand scanning, if your users are not correctly trained in how to deal with a possible virus outbreak, you face trouble.
Try distributing a Word document with an autoexec macro that puts up a virus-like message on some users' screens. If it takes longer than half a day for all suspicious copies to be reported back to your support department, some virus awareness training is urgently needed.