The best way to battle viruses is still by using up-to-date antivirus programs and definitions from the major antivirus vendors. Depending on your risk and budget, a multi-layered approach covering desktops, servers and gateways in that order is best. Ideally, use a mix of products from different vendors, so that a flaw or missing signature in one product is covered by another. Obviously that adds to the cost and complexity of the solution, so that approach may not be feasible for everyone. There are a few "free" antivirus programs out there, but they are mostly for non-commercial use only.
There are frequent questions in the Snort-users mailing list about using Snort to detect viruses and worms. Using Snort for this purpose is not ideal, since by the time any IDS (intrusion-detection system) detects the infection it's already too late. In some environments (notably education) this may be your only option. Join the Snort-users and Snort-sigs lists, and
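To make the IDS point concrete, here is an added example (not code from the original article, and not a Snort rule): a small Python heuristic that reads constructed connection-log lines in a hypothetical "timestamp src dst port" format and flags any host that fans out to many distinct peers on a single service port within a short window, which is the propagation pattern a worm-infected host shows. The log format, the threshold and window values and the addresses are all assumptions made up for the illustration; the thing to notice is that the alert only fires once the source host is already infected and scanning, which is exactly why the text treats IDS as a late layer rather than a preventive one.

```python
"""Worm-propagation (fan-out) heuristic over constructed connection-log lines.

Added illustration, not from the original article. A host that is already
infected typically contacts many distinct peers on one service port in a
short time. Detecting that is what an IDS can do; note the alert comes
after infection, so this is containment support, not prevention.
"""
from collections import defaultdict

# Constructed sample log; hypothetical format "epoch_seconds src_ip dst_ip dst_port".
# 10.0.5.23 sweeps the 10.0.7.0/24 range on port 445; 10.0.5.40 is ordinary traffic.
SAMPLE_LOG = """\
# epoch src dst port
1077840000 10.0.5.23 10.0.5.1 53
1077840001 10.0.5.23 10.0.7.2 445
1077840001 10.0.5.23 10.0.7.3 445
1077840002 10.0.5.23 10.0.7.4 445
1077840002 10.0.5.23 10.0.7.5 445
1077840003 10.0.5.23 10.0.7.6 445
1077840003 10.0.5.23 10.0.7.7 445
1077840004 10.0.5.23 10.0.7.8 445
1077840004 10.0.5.23 10.0.7.9 445
1077840005 10.0.5.40 10.0.5.1 53
1077840006 10.0.5.40 10.0.9.10 80
1077840007 10.0.5.40 10.0.9.11 80
1077840008 10.0.5.40 10.0.9.12 80
"""


def parse_flows(text):
    """Parse log text into (timestamp, src, dst, port) tuples, skipping comments/blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def detect_fanout(flows, threshold=5, window=10):
    """Return {src: (port, distinct_dst_count)} for every source that reached
    at least `threshold` distinct destinations on one port within any
    `window`-second sliding interval. The largest count seen is reported."""
    by_key = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))

    alerts = {}
    for (src, port), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the interval fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start : end + 1]}
            if len(distinct) >= threshold:
                prev = alerts.get(src)
                if prev is None or len(distinct) > prev[1]:
                    alerts[src] = (port, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (port, count) in detect_fanout(parse_flows(SAMPLE_LOG)).items():
        # Anything reported here is a host to isolate, not a host to protect.
        print(f"fan-out alert: {src} -> {count} distinct hosts on port {port}")
```

The thresholds matter: a file server or a monitoring box legitimately contacts many peers, so the window and count have to be tuned per segment or the detector generates the kind of false positives that make people stop reading alerts. That tuning problem is the same one the text raises for IPS products, where a wrong guess blocks traffic instead of merely logging it.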
As far as prevention goes, again you need a layered approach that begins with policies and user education, and encompasses antivirus software, strict firewall rules and hardening all your hosts as much as possible. One particular challenge is the laptop user who plugs into an unprotected broadband at home, gets infected, then brings the infection back inside the firewall on Monday morning. You need to have an e-mail policy and make sure all users are educated about these dangers.
You may need to consider strict workstation policies, such as not allowing the local user to have administrative rights, and install software and so-called personal firewalls for laptops or even all users. Firewall rules and device hardening reduce the avenues by which worms may spread, as well as improving overall security. Vulnerabilities in software that is not installed are not a threat to your organization.
IPSes (intrusion-prevention systems) are another possible layer. These take the form of a gateway (like a firewall) or transparent bridge in the network, or as agent software on each host. IPSes aim to actively prevent activity perceived as malicious. It turns out that all malicious code tries to do is a relatively small number of things, so the idea is to prevent those things from happening, rather than reactively build giant signature or definition lists of known malicious code. The problem is that it's often difficult to distinguish between benign and malicious activity, and an IPS can actively break your network, host or application if you are not very careful (and maybe a little lucky). They are improving rapidly, so they may be worth a look.
Network segmentation or compartmentalization is another possible containment strategy. See Marcus Ranum's The Big Red Button from the February 2004 issue of Information Security magazine for a discussion.
Finally, to sell the idea to management you have to have the numbers, and you have to have management that is aware of infosec issues and risks. The latter is improving as more infosec issues hit the mainstream press and as legislation with serious impact on corporations and/or senior management takes effect (notably Sarbanes-Oxley, the Gramm-Leach-Bliley Act, California's SB 1386 and HIPAA). "The numbers" are different for every organization and environment, but the idea is to show the costs of the last infection, predict the cost of the next one and then show that an ounce of prevention is better than a pound of cure. The various products above are capital expenses, but there are other things you can do, such as education, device hardening, tightening up the firewall rules and possibly network segmentation, which only require your time and effort. In the end it all comes down to risk. Can you afford to take the time to do this? Can you afford not to?
This was first published in March 2004