Keeping an organization free of viruses is a never-ending task. As soon as one can comfortably combat one kind
of malicious code, another variety rears its ugly head.
In the late '80s and early '90s, boot-sector viruses were the rage. In the mid to late '90s, macro-based viruses popped up. Now, Win32-based worms are the main offenders. However, recent worms like Nimda have signaled the start of a new era of infection: blended threats, malicious code that spreads in multiple ways, not just via e-mail.
Software vendors have responded in kind to the threats with everything from antivirus software that automatically updates signatures, to heuristics-based scanning that looks at code's "behavior" to see if it's bad or not.
The fact of the matter is antivirus software is still the first line of defense for organizations against viruses.
Where to put antivirus software?
There has been a trend toward running antivirus scanning software at the server or gateway level rather than just at the desktop. These installations make maintenance like updating signature files much easier (compare updating new definitions for a single mail server with updating hundreds of desktops).
Yet, the move to the server level has had some consequences. For example, employees checking Web-based personal e-mail accounts circumvent any antivirus protection that a server- or gateway-based scanner would provide. Many experts credit part of the success of the recent Klez.H worm to employees checking their personal e-mail accounts at work.
Companies have found AV at one entry point isn't enough anymore. More and more are installing scanners from different vendors at the gateway, server and desktop levels. This strategy protects against infection at any level.
Last year, the Nimda worm spread through many companies because workers logged into the corporate network with their infected laptops, said Robert Lonadier, president of RCL & Associates, a Boston-based analyst firm.
The more the merrier?
Some companies are so concerned about viruses that they use more than one antivirus product. They may install one at the gateway, another at the e-mail server and yet a third at the desktop.
The theory behind this practice is that if Brand A antivirus misses a worm then Brand B will catch it. Timothy Bruess, network manager at Learning Resources, Inc. in Vernon Hills, Ill. uses both McAfee antivirus software and The Cleaner from MooSoft. One time, the Cleaner caught a Trojan horse that McAfee had missed, he said.
There are downsides to this approach like maintaining each product and paying the software licensing fees for each. The fact of the matter is that antivirus scanners are not that different in terms of what they will catch, Lonadier said. Most have signature files for viruses within hours. "Information about viruses tends to flow freely around their labs. There is a willingness to share information," he said.
But one shouldn't discount the feeling of security such an approach brings, Lonadier said.
The first to be hit?
An underlying concern of many companies, especially those that use more than one antivirus product, is being hit by a virus before an antivirus definition is created. Having more than one product helps a company get the updated definition as soon as possible.
Antivirus software vendors can turnaround an updated signature file in literally minutes in a lot of cases, but some users will still be hit by a virus.
Those situations are the Achilles' heel for signature-based antivirus, some would say. The technology is reactive. The malware has to hit before protection can be created.
Heuristics, or behavior-based antivirus software, is a way to potentially stop malicious code that might sneak through before a signature file is created. Essentially, heuristics scanner looks at the behavior of the code to determine if it's malicious or not.
In fact, many of the major signature-based antivirus vendors have some heuristics in their scanners.
"Heuristics are good to clean up the initial stream. But there will always be data content, which is questionable and needs deeper analysis," said John Schwarz, president and COO of Symantec at Security Decisions in June. "Therefore we'll need signature-based antivirus for as long as I can see."
Lonadier also thinks signature-based antivirus software will be around for a while to come. "There is some interesting technology out there that has a role, but I don't see them completely replacing signature-based antivirus software in the near future."
To strip or not to strip
Another recent development in virus management has been stripping certain files and attachments out of messages at the gateway. For example, removing screensaver files (.scr) at the gateway would prevent worms like MyLife from even getting to mailboxes.
Security folks love being able to intercept viruses before they are even seen by end e-mail users. Such a maneuver circumvents social engineering, which entices users into opening a virus in the first place.
Experts suggest stripping .scr, .pif, .bat and .com files in addition to executables at the gateway. Some would even suggest blocking attachments written in VBScript. In a lot of cases, attachments of such file types don't have a legitimate business use and are popular for viruses. Additionally, files with double file extensions (such as ".scr.txt") also are popular for viruses.
Yet Lonadier calls this approach too simplistic, as there will always be exceptions to rules. Moreover, he sees virus prevention as a matter of policy and education, not of technology.
Tools can help enforce corporate policies and automatic virus file updates. But user education is still a very important piece of the equation, Lonadier said.
End users need to learn not to open attachments unless they know what specifically they received and from whom. Additionally, users must resist forwarding e-mails unless they are exactly sure what it is, he said.
About the author: Edward Hurley is a news writer for SearchSecurity.com.