Beating malware: Beyond antivirus software

A holistic approach to malware protection includes much more than antivirus software.

Contrary to popular belief, the most widespread computer viruses are not necessarily the most technically inspired. They are not the work of geniuses, and we are not powerless to prevent them. Viruses such as the Love Bug, Anna Kournikova, Sircam and Magistr do not rely on technical flaws to distribute themselves, but rather take advantage of the weaknesses in human nature.

Numerous users have succumbed to the promise of a picture of a scantily clad tennis star, or a love letter, or even just a document they wouldn't usually be allowed to see. Because these viruses aren't using technology to spread, looking for a purely technical solution is not the answer.

In general, antivirus software is good at its job, but it shouldn't be relied upon to provide a total defense. Many virus incidents could be easily avoided if network administrators -- and users alike -- adhered to a few simple steps that wouldn't cost them a penny. Even those viruses which do distribute themselves via technical weaknesses, such as Nimda, can be slowed by user savvy.

One of the easiest things to do is to stop using DOC files, which support the macro language. Pure Rich Text Format, which cannot carry macros, should be used instead. Be aware, though, that some macro viruses intercept the File > Save As RTF command and save a file that is actually in DOC format under a .rtf extension. A file therefore has to be *real* RTF, without any complex material embedded in it, before it can be trusted. The people you deal with should also be asked to send you RTF or CSV files rather than DOC or XLS.
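As an added illustration (not part of the original article), here is a check that a mail gateway or a cautious recipient could run on a file that arrived with an .rtf extension, to tell genuine RTF from a DOC saved under an .rtf name and to flag RTF that carries embedded objects. The OLE compound-file signature, the `{\rtf` header and the `\object` control word are the real on-disk formats; the function names and the sample inputs are constructed for this example.

```python
import re

# Signature of an OLE2 Compound File, the container used by DOC and XLS files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# A genuine RTF document begins with the {\rtf control word.
RTF_HEADER = b"{\\rtf"
# RTF control words end at the first non-letter, so "\object" must not be
# followed by a letter (otherwise e.g. "\objectsomething" would also match).
OBJECT_CONTROL_WORD = re.compile(rb"\\object(?![A-Za-z])")


def classify_rtf_candidate(data: bytes) -> str:
    """Classify the bytes of a file that arrived with an .rtf extension.

    Returns one of:
      'doc-renamed'      -- actually an OLE compound file (a DOC/XLS in disguise)
      'not-rtf'          -- neither RTF nor OLE; treat as unknown
      'rtf-with-objects' -- real RTF, but with embedded OLE objects
      'rtf'              -- plain RTF with no embedded objects
    """
    if data.startswith(OLE_MAGIC):
        return "doc-renamed"
    if not data.lstrip().startswith(RTF_HEADER):
        return "not-rtf"
    if OBJECT_CONTROL_WORD.search(data):
        return "rtf-with-objects"
    return "rtf"


def is_acceptable_rtf(data: bytes) -> bool:
    """Accept only plain RTF, which is the policy the article describes."""
    return classify_rtf_candidate(data) == "rtf"


# Constructed sample inputs (not real documents).
PLAIN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 Quarterly report\\par}"
RTF_WITH_OBJECT = (
    b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Package}"
    b"{\\*\\objdata 01050000020000000b0000005061636b616765}}}"
)
RENAMED_DOC = OLE_MAGIC + b"\x00" * 504  # OLE header padded to one 512-byte sector

if __name__ == "__main__":
    samples = [("plain", PLAIN_RTF), ("object", RTF_WITH_OBJECT), ("doc", RENAMED_DOC)]
    for label, blob in samples:
        print(f"{label:>7}: {classify_rtf_candidate(blob)}  accept={is_acceptable_rtf(blob)}")
```

The check is deliberately strict: `is_acceptable_rtf` rejects anything but plain RTF, including legitimate RTF with embedded objects, which matches the advice above that the file has to be real RTF without complex material inside it.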

Your CMOS boot-up sequence can also be changed so that the machine boots from drive C: by default, rather than from drive A: whenever a floppy has been left in the drive. This prevents infection from all pure boot-sector viruses. The CMOS setting can easily be switched back if required.

If you do use floppy disks, these should be write-protected before insertion into any computer other than your own.

If Windows Scripting Host is not needed, it can also be turned off. For instructions on how to do this, please visit: http://www.sophos.com/support/faqs/wsh.html

There has been a recent increase in viruses using file types such as VBS, SHS and EXE to spread themselves. As it is unlikely that any company needs to receive these file types by e-mail, they should be blocked at the e-mail gateway -- irrespective of whether they are virus-infected or not.

Some viruses attempt to disguise their true nature by using "double extensions." Files such as SEXY69.MPG.EXE or AnnaKournikova.JPG.VBS may, at first glance at the filename, appear to be harmless movie or graphic files. Again, these types of files should not be needed during the normal course of business, so they should be blocked from entering an organization.
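The gateway policy described in the two paragraphs above, as an added example that is not part of the original article: block the three file types named (VBS, SHS, EXE) outright, and report separately when the blocked type hides behind an innocent-looking first extension. The decoy-extension list, the function names and the sample attachment names are constructed for this example; the two double-extension names are the ones the article quotes.

```python
from typing import List, NamedTuple

# File types the article says a business has no need to receive by e-mail.
BLOCKED_EXTENSIONS = {"vbs", "shs", "exe"}
# Innocent-looking extensions used as the first half of a "double extension"
# (a constructed list for this example; extend it to suit your environment).
DECOY_EXTENSIONS = {"mpg", "jpg", "gif", "bmp", "txt", "doc"}


class Verdict(NamedTuple):
    filename: str
    allowed: bool
    reason: str


def extensions_of(filename: str) -> List[str]:
    """Return every extension of a filename, lower-cased, in order.

    'SEXY69.MPG.EXE' -> ['mpg', 'exe'];  'README' -> []
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    parts = base.strip().split(".")
    return [p.lower() for p in parts[1:] if p] if len(parts) > 1 else []


def check_attachment(filename: str) -> Verdict:
    """Apply the gateway policy to one attachment name (content is not inspected)."""
    exts = extensions_of(filename)
    if not exts:
        return Verdict(filename, True, "no extension")
    final = exts[-1]                       # the extension the operating system acts on
    if final in BLOCKED_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return Verdict(filename, False, f"double extension .{exts[-2]}.{final}")
        return Verdict(filename, False, f"blocked type .{final}")
    return Verdict(filename, True, f"permitted type .{final}")


def filter_attachments(filenames: List[str]) -> List[Verdict]:
    """Run the policy over a whole message's attachment list."""
    return [check_attachment(name) for name in filenames]


# Constructed sample attachment names: the two from the article plus ordinary ones.
SAMPLE_ATTACHMENTS = [
    "SEXY69.MPG.EXE",
    "AnnaKournikova.JPG.VBS",
    "budget-2001.xls",
    "setup.exe",
    "minutes.rtf",
    "README",
]

if __name__ == "__main__":
    for v in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {v.filename:28} {v.reason}")
```

Only the last extension decides whether a file is blocked, because that is the one Windows uses to choose what to run; the earlier extension is recorded in the verdict so the gateway log shows that a disguise was attempted rather than just a stray executable.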

Having backups of critical data and information is also essential. It is, therefore, vital that regular backups are made and that they are checked.

E-mail alert services, such as the one operated at http://www.sophos.com/virusinfo/notifications, are also useful as an early warning of new 'in the wild' threats.

You should also keep an eye on the vulnerabilities found and patches issued by Microsoft for their software. Both the recent Code Red worm and the Nimda virus exploited a security loophole in Microsoft's IIS Web server, despite the fact that Microsoft had issued a patch for this before the malware ever appeared.

Possibly the most important thing that users need to remember is not to run or open unsolicited executables, documents, spreadsheets, etc. If they receive anything which wasn't expected or if something is not known to be virus-free, it should be treated as a potential threat. Everything that runs within an organization needs to be virus-checked and approved first, and encouraging a paranoid attitude among your users will help to ensure that they adhere to this.

All of the most prevalent viruses of recent times -- the Love Bug, Anna Kournikova, Sircam and Magistr -- would have been complete non-events if users had done a double-take before they double-clicked. Even the progress of Nimda, the most recent addition to the troublesome tribe, could have been slowed if people stopped to think before launching attachments.

Similarly, a policy should also be enforced that makes downloading documents from the Internet unacceptable, as this is also a favored vehicle for virus distribution.

Implementing a fully comprehensive antivirus strategy is not just about splashing out the cash on the software. No matter how effective the software is, it should still be enhanced by user education and common sense. Many viruses don't use technology to spread, so searching for a complete technological solution is not an option.


This was first published in October 2001
