First published: 28th March 1996
Many people are concerned about the possibility of downloading a virus from the Internet. There are good reasons for this: the Kaos-4 incident, where a new virus was distributed through the newsgroup alt.binaries.pictures.erotica, is well-known, and there are other examples. Most recently, Tanpro.524 was distributed in newsgroups in February this year, and Tanpro.749 and Tentacle were distributed in newsgroups this month. Tanpro.524 was confirmed to be in the wild in Hong Kong yesterday.
To be clear about the problem, all the viruses mentioned above are DOS viruses that can affect users of DOS-compatible operating systems: Windows, Windows 95, NT, OS/2, or even DOS emulations on Macs or Unix. They use the Internet only as a means of transmission. Unix viruses are possible, and the security of Java and JavaScript is still under hot debate, but these are not immediate problems.
The transmission of DOS and Windows viruses via the Internet is an immediate problem and there are two strategies of defence:
Building a Wall
This strategy derives from the firewall defence against crackers: everything that is transferred from the Internet is checked at a barrier and rejected if it is found to contain a virus.
This is a good first step, if you can build a wall without holes. I know of two products in this category.
Mimesweeper is directed purely at email attachments. All email for your site is passed through a gateway machine running Mimesweeper, which decodes the mail attachments and passes them to a virus-checking program (F-PROT is one of the options that can be used with Mimesweeper). This is fine if email is the only Internet service used at your site.
The other product I know of has only just been announced. As I understand it, it operates as a proxy for various services, including FTP, HTTP (for the WWW) and email. It can handle ZIP, UUencode and MIME file formats. This is quite impressive.
However, the breadth of file formats and transfer methods used on the Internet is overwhelming. What about ARJ, tar and a hundred other compression methods? I understand that the FTP proxy collects the whole file and decodes it for checking before transferring it to the recipient; this is necessary because it would be next to impossible to identify a virus that is split across individual packets, especially if it was compressed. However, I personally often transfer files using S-modem in a telnet session - you cannot store-and-forward a telnet session.
The final blow to this idea is, ironically, security. There is a big thrust towards secure communications on the Internet, with PGP, SSL and other methods. These give assurance that the message transmitted will be read only by the intended recipient, and this includes not being read by any virus-checking firewall. The key here is that there are different types of trust: a conventional firewall defines how you want to communicate with people outside (should they be able to access your corporate database?). A virus, however, works by subversion. Yes, I might trust a business contact and make a multi-million dollar deal with him, but would I trust him to know whether he has a macro virus on the machine he uses to send the PGP-encrypted contract?
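To make the two limits described above concrete, here is an added example, written for this page and not Mimesweeper's, F-PROT's or any other vendor's code, of a gateway scanner that unwraps the transport encodings it recognises (MIME base64, uuencode, ZIP) and scans at every layer. The signature, the sample programs, the "toy" cipher and its armour header are all constructed for the example; the cipher merely stands in for PGP so that the gateway receives bytes it cannot decode. It goes a little beyond the text by handling nested wrappers, such as a ZIP inside a MIME attachment.

```python
"""Added example: a gateway ("wall") scanner that unwraps transport encodings.
Everything here is constructed for illustration; it is not any product's code."""
import base64
import binascii
import io
import zipfile

# Constructed test signature, standing in for a scanner's pattern database.
TEST_SIGNATURE = b"CONSTRUCTED-VIRUS-TEST-SIGNATURE"
# Constructed sample programs: a few opaque bytes around (or instead of) the signature.
INFECTED_PROGRAM = b"\xe9\x10\x00MZ" + TEST_SIGNATURE + b"\xcd\x20\x00"
CLEAN_PROGRAM = b"\xe9\x10\x00MZ hello, world\xcd\x20\x00"
# Constructed armour header for the toy cipher below (it is not PGP).
TOY_ARMOUR = b"-----BEGIN TOY ENCRYPTED MESSAGE-----\n"


def contains_signature(data: bytes) -> bool:
    return TEST_SIGNATURE in data


# --- wrappers a sender might apply before the file crosses the wall ----------
def zip_wrap(data: bytes, name: str = "payload.com") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def uu_wrap(data: bytes) -> bytes:
    lines = [b"begin 644 payload.com\n"]
    lines += [binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45)]
    lines.append(b"`\nend\n")
    return b"".join(lines)


def mime_wrap(data: bytes) -> bytes:
    return base64.encodebytes(data)  # base64 with line breaks, as a MIME body carries it


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR under an armour header: a stand-in for PGP, so that the
    gateway receives bytes only the recipient can turn back into a file."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return TOY_ARMOUR + base64.encodebytes(body)


# --- what the gateway knows how to undo ----------------------------------------
def unwrap_once(data: bytes):
    """Strip one recognised wrapper; returns (layer name, inner bytes) or None."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "zip", b"".join(zf.read(n) for n in zf.namelist())
    if data.startswith(b"begin "):
        body = [ln for ln in data.splitlines()
                if ln and ln not in (b"`", b"end") and not ln.startswith(b"begin ")]
        return "uuencode", b"".join(binascii.a2b_uu(ln) for ln in body)
    try:
        inner = base64.b64decode(b"".join(data.split()), validate=True)
        if inner:
            return "base64", inner
    except (binascii.Error, ValueError):
        pass
    return None


def gateway_scan(data: bytes, max_layers: int = 8):
    """Scan the message, then each layer the gateway can decode beneath it.
    Returns (verdict, layers removed); verdict is 'infected', 'clean' or 'opaque'."""
    layers = []
    for _ in range(max_layers):
        if contains_signature(data):
            return "infected", layers
        if data.startswith(TOY_ARMOUR):
            return "opaque", layers  # encrypted for the recipient: nothing to scan
        step = unwrap_once(data)
        if step is None:
            return "clean", layers   # no wrapper left and no signature found
        layer, data = step
        layers.append(layer)
    return "opaque", layers  # nested too deeply to finish within the budget


if __name__ == "__main__":
    key = b"constructed-key"
    for label, msg in [
        ("plain file", INFECTED_PROGRAM),
        ("ZIP inside MIME", mime_wrap(zip_wrap(INFECTED_PROGRAM))),
        ("uuencoded clean file", uu_wrap(CLEAN_PROGRAM)),
        ("encrypted inside MIME", mime_wrap(toy_encrypt(INFECTED_PROGRAM, key))),
    ]:
        print(f"{label:22s} -> {gateway_scan(msg)}")
```

Run stand-alone it prints one verdict per message. The interesting case is the last one: an encrypted attachment leaves the gateway as "opaque", neither clean nor infected, which is exactly the gap described above. The only choices at the wall are to pass such traffic unchecked or to refuse encrypted traffic altogether; neither is a virus check.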
Protecting the Desktop
There is one thing we can be certain about with a virus: it cannot do anything until it is executed. To be executed, it cannot be ZIPped, UUencoded or PGP-encrypted; it must be decoded. Therefore, we can build a much more secure barrier by checking files as they are created, copied and executed on the recipient's machine. This form of protection has fewer compatibility issues (does your virus firewall interwork with your conventional firewall?) and lower costs: you do not need to dedicate extra hardware to the task, because it is performed on the existing desktop machines.
F-PROT Gatekeeper has always been able to detect viruses on copying and execution; from version 2.22 it also detects viruses on file creation, so infected files are discovered much sooner - when the file is downloaded or extracted.
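An added example of the desktop strategy, as a constructed model rather than F-PROT Gatekeeper's own mechanism: a monitor that scans on the three events named above (create, copy, execute), quarantines anything that matches, and so catches a file that an encrypted or unrecognised transport carried past a gateway. The signature, the sample programs, the file names and the quarantine layout are assumptions made for the example.

```python
"""Added example: a constructed model of desktop on-access protection that scans
files at creation, copying and execution. Not F-PROT's or any product's code."""
import os
import shutil
import tempfile

# Constructed test signature and sample programs (assumptions for the example).
TEST_SIGNATURE = b"CONSTRUCTED-VIRUS-TEST-SIGNATURE"
INFECTED_PROGRAM = b"\xe9\x10\x00MZ" + TEST_SIGNATURE + b"\xcd\x20\x00"
CLEAN_PROGRAM = b"\xe9\x10\x00MZ hello, world\xcd\x20\x00"


def contains_signature(data: bytes) -> bool:
    return TEST_SIGNATURE in data


class DesktopGatekeeper:
    """Every create, copy and execute request is scanned before the action happens.
    Anything that matches goes to a quarantine directory and is never run."""

    def __init__(self, root: str):
        self.root = root
        self.quarantine = os.path.join(root, "quarantine")
        os.makedirs(self.quarantine, exist_ok=True)
        self.log = []  # (event, file name, verdict), in the order they happened

    def _check(self, event: str, name: str, data: bytes) -> str:
        verdict = "infected" if contains_signature(data) else "clean"
        self.log.append((event, name, verdict))
        return verdict

    def _quarantine(self, name: str, data: bytes) -> str:
        qpath = os.path.join(self.quarantine, name + ".vir")
        with open(qpath, "wb") as f:
            f.write(data)
        return qpath

    def create(self, name: str, data: bytes):
        """Scan on creation: the moment a decoded download or an extracted archive
        member reaches the disk. Returns the path written, or None if quarantined."""
        if self._check("create", name, data) == "infected":
            self._quarantine(name, data)
            return None
        path = os.path.join(self.root, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    def copy(self, src: str, dst_name: str):
        """Scan on copy, e.g. from a floppy or a network share."""
        with open(src, "rb") as f:
            data = f.read()
        if self._check("copy", dst_name, data) == "infected":
            self._quarantine(dst_name, data)
            return None
        dst = os.path.join(self.root, dst_name)
        shutil.copyfile(src, dst)
        return dst

    def execute(self, path: str) -> str:
        """Scan on execution, the last line of defence: a virus can do nothing until
        it runs, so even a file that reached the disk without passing create or copy
        is stopped here. Returns 'blocked' or 'ran'."""
        name = os.path.basename(path)
        with open(path, "rb") as f:
            data = f.read()
        if self._check("execute", name, data) == "infected":
            self._quarantine(name, data)
            os.remove(path)
            return "blocked"
        return "ran"  # a real monitor would now let the OS load the program


def demo():
    """Exercise the three hooks in a temporary directory.
    Returns (results, event log) so the outcome can be inspected."""
    root = tempfile.mkdtemp(prefix="gatekeeper-demo-")
    results = {}
    try:
        gk = DesktopGatekeeper(root)
        # 1. A decoded download lands on disk: caught on creation.
        results["create_infected"] = gk.create("GAME.COM", INFECTED_PROGRAM)
        # 2. A clean program is created and copied without complaint.
        clean = gk.create("EDIT.COM", CLEAN_PROGRAM)
        results["copy_clean"] = gk.copy(clean, "EDIT2.COM")
        # 3. A file written behind the monitor's back (by a tool it does not cover)
        #    still cannot run: the execute hook scans it first.
        sneaked = os.path.join(root, "SNEAK.COM")
        with open(sneaked, "wb") as f:
            f.write(INFECTED_PROGRAM)
        results["execute_sneaked"] = gk.execute(sneaked)
        results["execute_clean"] = gk.execute(clean)
        results["quarantined"] = sorted(os.listdir(gk.quarantine))
        return results, list(gk.log)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    results, log = demo()
    for event in log:
        print(event)
    print(results)
```

The third step is the point of the text: whatever transport or encoding carried the file in, and whatever the gateway could or could not see, it has to be a plain executable on the desktop before it can run, and that is where a single check covers every route in.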
A wall strategy does offer administrators simplicity - they have a single point of control. However, F-PROT Professional offers communication via the network: virus reports are automatically sent to the administrator, who can also configure and start scans remotely.
For individual Internet users, people in companies without a leased line, and home users, there is no choice: they cannot install a mail gateway or firewall to protect themselves. Protection at the desktop is the first and last defence.
Conclusion
Protection at the point where the Internet enters an organisation is not without merit, but it should be regarded as a supplement to, not a replacement for, a strong defence in the real battlezone: the users' desks.
Allan G. Dyer 28/03/96 (This paper was first released at a press conference held by Yui Kee Co. Ltd. on 28/03/96)