Expert advice: How to cost-effectively battle viruses

This tip is JP Vossen's complete response to an Ask the Expert question on cost-effective antivirus strategies.

The best way to battle viruses is still by using up-to-date antivirus programs and definitions from the major antivirus vendors. Depending on your risk and budget, a multi-layered approach covering desktops, servers and gateways in that order is best. Ideally, use a mix of products from different vendors, so that a flaw or missing signature in one product is covered by another. Obviously that adds to the cost and complexity of the solution, so that approach may not be feasible for everyone. There are a few "free" antivirus programs out there, but they are mostly for non-commercial use only.

There are frequent questions in the Snort-users mailing list about using Snort to detect viruses and worms. Using Snort for this purpose is not ideal, since by the time any IDS (intrusion-detection system) detects the infection it's already too late. In some environments (notably education) this may be your only option. Join the Snort-users and Snort-sigs lists, and read the archives for more information.

As far as prevention goes, again you need a layered approach that begins with policies and user education, and encompasses antivirus software, strict firewall rules and hardening all your hosts as much as possible. One particular challenge is the laptop user who plugs into an unprotected broadband connection at home, gets infected, then brings the infection back inside the firewall on Monday morning. You need to have an e-mail policy and make sure all users are educated about these dangers.

You may need to consider strict workstation policies, such as not allowing the local user to have administrative rights or to install software, and deploying so-called personal firewalls on laptops or even on all users' machines. Firewall rules and device hardening reduce the avenues by which worms may spread, as well as improving overall security. Vulnerabilities in software that is not installed are not a threat to your organization.

IPSes (intrusion-prevention systems) are another possible layer. They take the form of a gateway (like a firewall) or a transparent bridge in the network, or of agent software on each host. IPSes aim to actively prevent activity perceived as malicious. It turns out that malicious code tries to do only a relatively small number of things, so the idea is to prevent those things from happening rather than reactively building giant signature or definition lists of known malicious code. The problem is that it is often difficult to distinguish between benign and malicious activity, and an IPS can actively break your network, host or application if you are not very careful (and maybe a little lucky). They are improving rapidly, so they may be worth a look.

Network segmentation or compartmentalization is another possible containment strategy. See Marcus Ranum's The Big Red Button from the February 2004 issue of Information Security magazine for a discussion.

Finally, to sell the idea to management you have to have the numbers, and you have to have management that is aware of infosec issues and risks. The latter is improving as more infosec issues hit the mainstream press and as legislation with serious consequences for corporations and/or senior management (notably Sarbanes-Oxley, the Gramm-Leach-Bliley Act, California's SB 1386 and HIPAA) takes effect. "The numbers" are different for every organization and environment, but the idea is to show the costs of the last infection, predict the cost of the next one and then show that an ounce of prevention is better than a pound of cure. The various products above are capital expenses, but there are other things you can do, such as education, device hardening, tightening up the firewall rules and possibly network segmentation, which only require your time and effort. In the end it all comes down to risk. Can you afford to take the time to do this? Can you afford not to?
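The "numbers" argument above, worked through as an added example that is not part of the original column: the cost components of the last infection become a single loss expectancy, an assumed outbreak rate turns that into an annual loss, and each candidate layer (capital purchases as well as time-only measures such as hardening and education) is ranked by loss avoided minus its cost. Every figure, including the risk-reduction percentages, is a constructed assumption.

```python
# Added example (not from the original article). All figures below are
# constructed placeholders; substitute your own organization's numbers.
from dataclasses import dataclass

@dataclass
class Incident:
    """Cost components of the last outbreak (single loss expectancy, SLE)."""
    hosts_cleaned: int
    cleanup_hours_per_host: float
    it_hourly_rate: float
    users_idle: int
    idle_hours: float
    user_hourly_cost: float
    other_costs: float  # consultants, lost sales, notification, etc.

    def single_loss_expectancy(self) -> float:
        cleanup = self.hosts_cleaned * self.cleanup_hours_per_host * self.it_hourly_rate
        downtime = self.users_idle * self.idle_hours * self.user_hourly_cost
        return cleanup + downtime + self.other_costs

@dataclass
class Control:
    """A candidate layer: capital spend, staff time, and the estimated fraction of incidents it stops."""
    name: str
    capital_cost: float
    staff_hours: float
    staff_hourly_rate: float
    risk_reduction: float  # 0.0 .. 1.0; the most subjective input, so document it

    def annual_cost(self) -> float:
        return self.capital_cost + self.staff_hours * self.staff_hourly_rate

def annual_loss_expectancy(incident: Incident, incidents_per_year: float) -> float:
    return incident.single_loss_expectancy() * incidents_per_year  # ALE = SLE x ARO

def rank_controls(incident: Incident, incidents_per_year: float, controls):
    """Return (name, net_benefit) best first; net benefit = loss avoided - control cost."""
    ale = annual_loss_expectancy(incident, incidents_per_year)
    ranked = [(c.name, ale * c.risk_reduction - c.annual_cost()) for c in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample: 200 hosts cleaned, 200 users idle half a day, two outbreaks a year.
LAST_INFECTION = Incident(200, 1.5, 60.0, 200, 4.0, 40.0, 5000.0)
CANDIDATES = [
    Control("Second-vendor antivirus at gateway", 15000.0, 40, 60.0, 0.60),
    Control("Host hardening and firewall rule review", 0.0, 120, 60.0, 0.30),
    Control("User education and e-mail policy", 0.0, 40, 60.0, 0.20),
    Control("Network segmentation", 40000.0, 80, 60.0, 0.35),
]
```

With these sample numbers the time-only measures pay for themselves while segmentation does not, which is exactly the comparison management needs to see before approving a capital purchase.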

For more info on this topic, please visit these resources:
  • Featured Topic: 21st-century firewalls
  • March 2004 Information Security magazine: Anatomy of a risk assessment
  • Security Tip: Keys to an effective virus incident-response team

This was last published in March 2004
