By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS
Head of F-PROT Technical Support, Yui Kee Co. Ltd.
Computer security can be divided into three areas: confidentiality (keeping sensitive information secret), integrity (ensuring data is correct) and availability (keeping the computer working). Computer viruses are a major threat to integrity and availability. The most obvious example is a virus whose payload overwrites the system areas of a hard disk (e.g. Michelangelo on March 6th): the computer is no longer available for use, and the data stored on the disk is lost. However, many less dramatic but more important examples exist. Some viruses randomly cause small amounts of corruption, and by the time the damage is discovered the backups may also be corrupt.
There are currently more than 4000 types of virus, mostly written for DOS-based PCs, and the number is growing at around 7 new viruses a day. However, most infections are preventable. Recorded infections show that most are caused by a small number of viruses that are recognised by most of the AV packages available at the time. About half are caused by boot sector viruses, which can largely be kept out by good user education and sensible use of CMOS options (such as setting the machine to boot from the hard disk before trying the floppy drive).
Protection must be tailored to the situation: the level of protection should match the probability of being infected and the value of the systems and data to be protected.
An organisation should appoint a Virus Control Officer to design and implement its anti-virus strategy. The strategy should address what protection remains when rules are broken. I visited a large Hong Kong corporation and, during a discussion with the EDP department, the provision of free licences of anti-virus software for home use by employees was mentioned. The EDP staff responded that it was unnecessary because corporate policy forbade staff from bringing disks from home. Later, I talked with a secretary in the company who said that, yes, she knew it was against corporate policy, but everyone did it anyway.
A multi-layered strategy of protection will be most effective:
User education: This is vital; staff are unlikely to follow procedures they do not understand. A basic understanding of what viruses can and cannot do will help in getting clear, early reports. Ignorance can result in either inaction, when visible signs are ignored until the virus causes irreparable damage, or panic, when every change is seen as evidence of a virus.
Regular Backups: A good backup scheme is vital when recovering from many disasters, and it can limit the damage resulting from a virus outbreak.
Protection of PCs: Good anti-virus software, properly installed, will stop the vast majority of infections. The software must be kept up to date; in a large organisation this can be a major task in itself, but some packages include methods for simplifying updates, particularly over networks.
Regular Scanning: Some anti-virus software can automate scans at regular intervals, removing dependence on users starting scans. Some have sophisticated mechanisms so that an administrator on a network can distribute a task to all workstations and receive reports back automatically.
Checksumming: Checksumming, or integrity checking, turns the problem of detecting viruses on its head. Instead of looking for code that is recognisably a virus, checksumming looks for changes in programs. This method is very good and does equally well at detecting known and unknown viruses. However, the system must be known to be clean when the package is installed, so it should be used in conjunction with a good scanner. Its weaknesses are that stealth viruses might be able to hide changes (a stealth virus resident in memory can return the original contents of an infected file when the checker reads it, so the check should be run after a clean boot from a write-protected disk), and that slow viruses get the user to O.K. the infection by only spreading when programs are being changed anyway, so the new checksum is accepted along with the legitimate change. Some anti-virus packages include a checksumming utility along with the scanner.
Protection of Home PC's: As already mentioned, infection via staff home machines cannot be ruled out.
Scanning of new software: Any program entering the organisation is suspect, regardless of source. There have been incidents involving many major software producers inadvertently distributing infected disks. There is also the possibility that shrink-wrapped software has been previously sold, infected, returned to the retailer and re-wrapped.
"Health Stations" at entrances: A machine placed at every entrance (eg. at the security post) can be dedicated to scanning all incoming disks. If this approach is used, do not forget that modems and other communications links bypass this moat.
Network protection: Networks can both assist the spread of viruses and slow it down, depending on the setup. Once a program on a file server becomes infected, all the connected PCs can access the program and spread the infection. However, a properly set up file server will only allow the administrator(s) to modify programs, greatly reducing the chance of infection. The level of protection here largely depends on the vigilance of the administrator. Running anti-virus software on the file server can provide an additional level of security. Several AV software producers offer suitable scanners, usually NLMs for Novell NetWare. By running in an entirely different operating environment, they are not susceptible to infection by the PC viruses they scan for, but they can scan every file on the server. They may have options for scanning programs every time they are executed, written or read, and for automatically scanning all files at scheduled times.
Additional Protection: The very best protection is achieved by using two independent anti-virus products. One should be installed throughout the organisation; the second is used within the Systems group for double checking. AV software producers are continually upgrading their products, and, at a particular time, the leading products will each detect some viruses that the others cannot. Virus writers often produce new variants by making small changes to prevent detection by a particular anti-virus package. A different anti-virus package will probably use a different detection method that will still detect the new variant.
Anti-virus protection is not just a matter of installing any old package and leaving it running. Regular updates are important, even for generic methods of detection, because virus writers are continually searching for new ways to fool the detectors. The usability of the software is an important issue: the most sophisticated package is worthless if users remove it because it is slowing down their work, or do not use it because it is confusingly complex. A useful package will be invisible to users until a virus is found, but will still provide powerful tools for the expert. Plan wisely; viruses are not a static issue.
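The Checksumming layer described above can be illustrated with a small integrity checker. The following is an added example written for this article, not code from the article's author or from any F-PROT component: it records a digest of every program file while the system is known to be clean, then reports which programs have changed, appeared or vanished. The list of program extensions, the key and the sample files are assumptions constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed set of program file types; extended beyond the DOS .EXE/.COM case
# for illustration. Adjust to the platform being protected.
PROGRAM_SUFFIXES = {".exe", ".com", ".sys", ".ovl", ".dll"}


def file_mac(path: Path, key: bytes) -> str:
    """Keyed digest of a file's contents, read in chunks.

    A keyed digest (HMAC) is used instead of a plain CRC or hash so that a
    virus cannot simply recompute the expected value after modifying the
    file. The key is assumed to live off the protected machine (for example
    on a write-protected floppy), never on the scanned disk."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> Dict[str, str]:
    """Record a digest for every program file under root.

    Only meaningful when the system is known to be clean: run a scanner
    first, and boot from a clean write-protected disk so a stealth virus
    cannot feed the checker the original file contents."""
    return {str(p.relative_to(root)): file_mac(p, key)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES}


def check_integrity(root: Path, key: bytes,
                    baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with the baseline.

    Every entry reported needs a known explanation (an update the
    administrator made); anything else is a possible infection. The
    baseline is never updated automatically: a slow virus relies on its
    change being accepted along with a legitimate one."""
    current = build_baseline(root, key)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed demonstration: baseline a small tree, then simulate what
    an appending infector, a dropped program and a deleted program look
    like to the checker."""
    key = b"demo-key-kept-off-the-protected-disk"  # constructed for the example
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.COM").write_bytes(b"\x90" * 64)          # constructed content
        (root / "FORMAT.EXE").write_bytes(b"MZ" + b"\xcc" * 64)  # constructed content
        (root / "README.TXT").write_bytes(b"not a program, not checked")
        baseline = build_baseline(root, key)

        with (root / "EDIT.COM").open("ab") as fh:   # appending infector
            fh.write(b"\xeb\xfe")
        (root / "TMP.EXE").write_bytes(b"MZ")         # dropped program
        (root / "FORMAT.EXE").unlink()                # deleted program
        return check_integrity(root, key, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The report for the constructed tree lists EDIT.COM as changed, TMP.EXE as new and FORMAT.EXE as missing. The checker deliberately has no "accept all changes" path; the operator must account for each entry before re-running build_baseline, which is the defence against the slow-virus weakness noted above.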
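The Additional Protection point, that a variant made by a small change can evade one product's detection while another product still catches it, can be shown with a minimal signature scanner. This is an added example, not code from the article's author or from any real anti-virus product: the sample bytes, the two "products" and their signatures are all constructed for the illustration and are not taken from any real virus.

```python
from typing import Dict, List, Optional

# Constructed demonstration bytes standing in for a virus body and a variant
# of it. They are not from any real virus. The two differ only in one byte,
# the kind of small change a variant writer makes to defeat a scanner.
SAMPLE_ORIGINAL = b"\x00" * 16 + bytes.fromhex("b8004ccd21e81000") + b"\x00" * 16
SAMPLE_VARIANT = b"\x00" * 16 + bytes.fromhex("b8004ccd21e83000") + b"\x00" * 16

# Two hypothetical products' signature databases (constructed). Product A
# stores an exact byte string; product B uses wildcard bytes ("??") where
# its analysts expect variants to differ.
PRODUCT_A: Dict[str, str] = {"Demo.A": "b8 00 4c cd 21 e8 10 00"}
PRODUCT_B: Dict[str, str] = {"Demo": "b8 00 4c cd 21 e8 ?? ??"}


def parse_signature(hex_sig: str) -> List[Optional[int]]:
    """'b8 ?? 4c' -> [0xb8, None, 0x4c]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_sig.split()]


def find_signature(data: bytes, pattern: List[Optional[int]]) -> Optional[int]:
    """Offset of the first occurrence of pattern in data, or None."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return None


def scan(data: bytes, signature_db: Dict[str, str]) -> List[str]:
    """Names of every signature in signature_db found in data."""
    return [name for name, sig in signature_db.items()
            if find_signature(data, parse_signature(sig)) is not None]


def compare_products() -> Dict[str, List[str]]:
    """Run both products over the original sample and the variant."""
    return {
        "A_original": scan(SAMPLE_ORIGINAL, PRODUCT_A),
        "A_variant": scan(SAMPLE_VARIANT, PRODUCT_A),
        "B_original": scan(SAMPLE_ORIGINAL, PRODUCT_B),
        "B_variant": scan(SAMPLE_VARIANT, PRODUCT_B),
    }


if __name__ == "__main__":
    for case, hits in compare_products().items():
        print(f"{case}: {hits or 'clean'}")
```

Product A detects the original but reports the variant clean, because its exact signature no longer matches; product B, which chose a different detection method for the same family, detects both. Real signatures are longer and more specific than the eight-byte pattern used here, precisely because a short generic sequence would also match legitimate programs and cause false alarms.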