The Basics
Viruses are computer programs written to reproduce themselves.
This means they tend to spread from one computer to another.
They are commonly perceived (and often designed) to cause damage
by deleting data and performing malicious acts (while many would
argue that the impact supposedly benign viruses have on computer
performance could also be considered as destructive). However,
this is not necessary for a program to be considered a virus.
Traditionally, virus writers have been presented as
hacker-types – young, misguided individuals who are interested
in seeing their viruses spread and in achieving notoriety. From
the mid-1990s on, we have seen this stereotype break down, with
the emergence of two further kinds of virus writer. These may
loosely be described as the ‘professional’ and ‘unintentional’
virus writers. The former are drawn from the growing ranks of IT
professionals – programmers, support staff and the like – who
understand what they are doing when they create new viruses. The
unintentional virus writers are often experienced computer users
who over-extend themselves. This latter phenomenon is
particularly linked to the huge growth, in the late 1990s, of
macro viruses for the popular office productivity applications
such as Microsoft Word and Microsoft Excel. Because of the ready
availability of macro development tools in the products
themselves, well-intentioned ‘experts’ would often unwittingly
alter a known virus detected within their company while
‘researching’ it. As the newly-created variant was then not
detected by their antivirus software, this new variant could
(and often did) spread through the company and beyond. Antivirus
software is designed to detect and protect against computer
viruses. It protects data and the normal function of a computer
and minimizes or eliminates time wasted dealing with virus
infections. While most antivirus software is capable of
detecting and removing common viruses, it is often unused or not
kept up to date, leading to the spread of viruses.
In large corporate settings, tools to manage antivirus
efforts are as important as the actual detection and cure of
viruses. When antivirus products fail, it is not because they
cannot detect viruses, but because they are too difficult to use
and too difficult to manage.
TruSecure (formerly the International Computer Security Association or
ICSA, itself formerly the NCSA) has been running an annual
survey of virus prevalence in large U.S. organizations for
several years. In 1998 nearly all the organizations surveyed
reported a computer virus incident. This was a sharp increase
from the previous year – a year in which viruses were estimated
to cost U.S. businesses over $2 billion! This increase in virus
prevalence is primarily attributable to two influences – the
increased popularity of the Internet, and the rise of macro
viruses. Further, it predates the first release of
mass-distribution viruses, such as W97M/Melissa and VBS/LoveLetter,
which since then, have only made matters worse.
Increased network connectivity makes the rapid distribution
of viruses and other malware easy. This is predominantly due to
new Internet-connected machines mostly running Win32 (32-bit
Windows) operating systems, resulting in the development of a
‘computing mono-culture’. With a large proportion of the
machines on the Internet running closely compatible OSes (and
particularly with closely compatible network interfaces), we
have an environment where a few careless users can unleash a
flood of network misery once a malcontent develops the code and
tricks a few naïve users into running it. Executable Internet
worms, such as Win32/ExploreZip have taken advantage of the
extensive interconnectedness of Windows users and the common use
of particular e-mail client software.
Simple tricks, such as posting new viruses and trojans to
Usenet news and representing the message’s attachment as a list
of passwords to access pornography web sites have proven very
successful. If you think this is too obvious a trick to fool
most users, then think again - that is exactly how W97M/Melissa
was initially distributed. More recently, similar ruses have
also been used by the writers of ‘successful’ script viruses,
suggesting their message attachments are photographs of
(sometimes semi-clad) popular-culture figures such as female
singers, actors and sports-people. Combining the power of
commonly deployed Windows scripting languages (such as Visual
Basic Script and JavaScript) with the availability of the
networked Windows mono-culture described above, script viruses
have also contributed significantly to the increased risk of
becoming a virus victim. The release and explosive growth of VBS/LoveLetter
early in May 2000 displays the ‘effectiveness’ of combining the
force of these two factors.
Macro viruses, on the other hand, grew in prominence rapidly
because they are embedded in files that traditionally are
considered to be ‘just data’. Few users apply their usual
concerns about malicious ‘code’ to ‘data’ files. This effect has
been compounded by the fact that, at least in the corporate
world, such data files are ‘naturally’ exchanged with much
greater frequency than executable and script files. Again, the
huge growth in interconnectedness, both within companies
(through intranets) and between companies (across the Internet),
also assisted the rapid increase in the exchange of potentially
virus-infected ‘data’ files as e-mail became the ‘must have’
desktop computer tool of the mid-to-late 1990s.
This white paper will help you understand the key issues
relating to choosing antivirus software, whether you are
fighting viruses from your home office, or charged with
establishing virus protection for a large networked enterprise.
With a little knowledge and the right software, viruses and the
damage they cause can be avoided.
Virus Detection
Viruses are detected by antivirus software in two ways: a full
scan of your hard drive, or in real-time as each file is
accessed. It is critical that antivirus software provide both
these features, especially real-time protection. Full and
real-time scans detect known viruses using scan strings (like
virus fingerprints) that identify a program as (containing) a
known virus. Some antivirus software also uses advanced
techniques to identify potential viruses and will check memory
and system files as well. The total number of viruses an
antivirus software program can detect is known as its detection
rate.
Many reviews of antivirus software start (and unfortunately
end) with just a comparison of detection rates. While detection
is an important consideration, it is just one aspect of the
software. Detection rates will vary dramatically depending on
the types of viruses used for testing. One program may detect
90% of several thousand test viruses while another may detect
80%. Results like these are not conclusive and can be
misleading.
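To make the scan-string mechanism and the detection-rate caveat concrete, here is an added illustration (not code from this paper or from any antivirus product): a minimal scanner that flags a file when one of its scan strings occurs in the file's bytes, and a detection-rate calculation run over two constructed test sets. All scan strings and sample files below are made up for the example.

```python
from typing import Dict, List

# Constructed scan-string table. Real fingerprints are chosen by researchers
# from the virus body; these are placeholders standing in for them.
SCAN_STRINGS: Dict[str, bytes] = {
    "Test/Alpha": b"\x4d\x5a\x90\x00ALPHA-PAYLOAD",   # MZ header + marker
    "Test/Beta":  b"Sub AutoOpen()\r\nBETA",           # macro-style marker
    "Test/Gamma": b"\xeb\x1c\x90GAMMA",                # jmp-short + marker
}

def scan_bytes(data: bytes, table: Dict[str, bytes]) -> List[str]:
    """Return the names of every scan string found in data.

    A file is only ever reported as infected when a known string matches;
    anything the table has no string for is silently reported as clean,
    which is exactly why an out-of-date table misses new viruses.
    """
    return [name for name, sig in table.items() if sig in data]

def detection_rate(samples: Dict[str, bytes], table: Dict[str, bytes]) -> float:
    """Fraction of samples (filename -> content) flagged by scan_bytes.

    The figure is entirely a property of the chosen test set, so two
    products measured against different sets cannot be compared by it.
    """
    if not samples:
        return 0.0
    hits = sum(1 for content in samples.values() if scan_bytes(content, table))
    return hits / len(samples)

# Constructed "in the wild" set: every sample has a scan string in the table.
WILD_SET: Dict[str, bytes] = {
    "alpha.exe": b"\x4d\x5a\x90\x00ALPHA-PAYLOAD\x00\x00",
    "beta.doc":  b"\xd0\xcf\x11\xe0Sub AutoOpen()\r\nBETA End Sub",
}
# Constructed "lab" set: adds a variant the string still catches and one
# sample the table has no string for at all.
LAB_SET: Dict[str, bytes] = {
    **WILD_SET,
    "gamma_variant.com": b"\xeb\x1c\x90GAMMA-B",
    "delta.exe": b"\x4d\x5a\x90\x00DELTA-UNKNOWN",
}

if __name__ == "__main__":
    print("wild set:", detection_rate(WILD_SET, SCAN_STRINGS))   # 1.0
    print("lab set: ", detection_rate(LAB_SET, SCAN_STRINGS))    # 0.75
```

The same scanner scores 100% on one set and 75% on the other, which is the point of measuring against a list of viruses actually in the wild rather than an arbitrary collection.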
As of mid-2001, there are over 55,000 known computer viruses
in existence but the vast majority are contained in virus
research labs and have had little or no general distribution. A
researcher named Joe Wells started the WildList, which has come
to be considered the industry standard listing of
viruses actually spreading and causing problems. The most
important detection rate to consider when choosing antivirus
software is its ability to detect and cure viruses in the wild.
In 1992 ICSA Labs (then the NCSA and now a division of TruSecure)
established a certification process that provides a consistent
and accurate means of comparing antivirus detection rates. This
process favors anti-virus software that can detect viruses in
the wild, requiring 100% detection of viruses on the WildList.
Other viruses are considered to be less important.
The ICSA Labs testing criteria are well designed and the
testing process is thorough and performed by professional virus
researchers. Look for the ICSA Labs Certified logo on antivirus
software products and check the latest test results at
http://www.icsalabs.com.
Performance
Like remembering to take medicine, remembering to actually use
antivirus software is a necessary first step. It sounds simple
but several factors contribute to unused antivirus software.
In order for antivirus software to check files in real-time,
it must be fast and stable. In the Windows world, a Terminate
and Stay Resident (TSR) program is simply not acceptable. TSRs
are unstable and use conventional memory that people need for
other programs. They also cannot work at all (in any useful
sense) under NT or Windows 2000. A Virtual Device Driver (VxD)
does not use conventional memory and is the ideal technology for
anti-virus software under Windows 3.1, Windows for Workgroups or
Windows 95. For NT and Windows 2000, a native 32-bit NT service
is best.
Performance on a file server is just as important. Antivirus
software for NetWare servers should support NetWare 3.x, 4.x and
5.x and fit into the NetWare Directory Services (NDS) model
well. The NetWare Loadable Module (NLM) should have a
utilization gauge that monitors server load and regulates the
anti-virus software accordingly. NetWare applications should
have the Novell ‘Yes Tested & Approved’ certification. On file
servers, it is a very good idea to use back-up software along
with antivirus software to ensure virus-free backups. After all,
backups are your last line of defense. Consider antivirus and
backup solutions that are designed to work together and if
possible, are developed by the same company. Antivirus and
backup products are notorious for interfering with each other.
If the two programs are not integrated, backups may require too
much time to complete overnight or administrators will have to
schedule separate backup and antivirus scans, an inconvenience
and a waste of time.
Management
Keeping antivirus software up to date is critical; more so than
with any other software. Computer viruses are being written
every day. Periodically, a new virus spreads rapidly in the wild
and can end up on your desktop. Over the last few years we have
seen this happen with WM/Concept, WM/Cap, W97M/Melissa, VBS/LoveLetter,
and many others. Antivirus software that is not frequently
updated will be unable to detect new viruses.
Fortunately, most antivirus software companies provide
frequent (and often free) software updates. These updates
include scan strings that can detect recently written viruses.
Updates are typically available for modem download, from the
World Wide Web, online services, or a company FTP site.
Remembering to update antivirus software for a home office is
not too demanding, but keeping a large network up to date is a
much more difficult task. Look for antivirus software that
features automatic downloading of updates to avoid reliance on
your memory and to save your time. Further, an automatic
distribution feature is ideal for saving an administrator the
additional time and effort of installing updates on networked
servers and clients – the more automation the better. To save
Internet bandwidth (from all your computers downloading the same
updates from your antivirus vendor’s site at the same time),
consider products that allow you to download updates to your own
server(s) and have the client software update from there.
Other management features that an administrator should
consider are the hierarchical grouping of servers and clients
for centralized configuration, and scanning logs. Some programs
even have an enforcement feature that monitors and enforces the
use of antivirus software across the network, preventing
end-users from altering the configuration of the scanner on
their desktop machines. Remote installation and remote scanning
are other important timesaving features. When a virus hits,
alerting features should be extensive in order to reach the
administrator, whether by network broadcast, fax, e-mail or
pager.
Other Key Features
Depending on your needs, several other antivirus features should
be considered.
If your company runs its own Internet e-mail server (or an
e-mail server that connects via an ISP’s gateway to the
Internet), you should consider installing a virus scanner on
that server. With the enormous increase in popularity of the
Internet, and particularly with the prevalence of e-mail as a
means of communication, stopping viruses at the e-mail server or
Internet e-mail gateway can save a great deal of inconvenience.
Catching viruses at the entry point to your network means your
system administrators or internal technical support staff need
not spend time answering calls from users unsure what to do when
they get a warning from their desktop real-time virus scanner
that an e-mail message they have just received contains a virus.
If you or your staff download files from the Internet, make
sure the real-time protection catches any file when it is
written to your hard drive. Also, ensure that it supports an
option to scan for viruses in popular compressed file archives,
such as ARJ, LHA, LZH, ZIP and Microsoft Compressed. Another
option to consider here is requiring all Internet web-browsing
to be done through a (caching) proxy server. Such a setup has
the firewall configured to only allow the proxy server to make
external HTTP requests and the client browsers configured to
relay their requests through the proxy server, where the
incoming files can be virus scanned and blocked if found to be
infected. This has similar advantages, in terms of network
management and support staff savings as the e-mail gateway
scanner option. A very similar configuration can also be
implemented for external FTP file transfers if your users need
to transfer files by this protocol.
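The archive-scanning option above is worth seeing in code, because scanning inside archives raises its own failure modes. This added example (not from the paper or any product) scans a buffer with a constructed one-entry scan-string table and, when the buffer is a ZIP file, recurses into each member, with a nesting-depth limit and a per-member size limit so a hostile archive cannot exhaust the scanner; anything it refuses to open is reported as skipped rather than treated as clean. Only ZIP is handled here; the other formats named above would need their own readers.

```python
import io
import zipfile
from typing import Dict, List

# Constructed scan-string table (placeholder marker, not a real fingerprint).
SCAN_STRINGS: Dict[str, bytes] = {"Test/Alpha": b"ALPHA-PAYLOAD"}

MAX_DEPTH = 3                   # archives nested deeper than this are not opened
MAX_MEMBER_BYTES = 10_000_000   # refuse to inflate a single member beyond this

def scan_bytes(data: bytes) -> List[str]:
    """Names of every scan string present in data."""
    return [name for name, sig in SCAN_STRINGS.items() if sig in data]

def scan_blob(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Scan data and, if it is a ZIP archive, every member recursively.

    Each finding is "path:verdict" so the caller can see which nested
    member carried the match. The size check uses the header's declared
    uncompressed size, so a member is checked before it is inflated.
    """
    findings = [f"{name}:{v}" for v in scan_bytes(data)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [f"{name}:skipped(depth)"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member}:skipped(size)")
                continue
            findings.extend(scan_blob(member, zf.read(info.filename), depth + 1))
    return findings

def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {filename: content} (test-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()

# Constructed sample: an infected executable inside a ZIP inside another ZIP.
INNER = make_zip({"readme.txt": b"hello", "setup.exe": b"MZ..ALPHA-PAYLOAD.."})
OUTER = make_zip({"docs.zip": INNER, "notes.txt": b"clean"})

if __name__ == "__main__":
    for line in scan_blob("OUTER", OUTER):
        print(line)   # OUTER/docs.zip/setup.exe:Test/Alpha
```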
Critical system files and boot sectors should be saved to a
diskette. If an unknown boot sector virus strikes and cripples
your computer, you can boot from the diskette and recover from
the disaster. Network administrators should look for programs
that save client system files to the server, which avoids undue
reliance on users keeping track of all their recovery diskettes.
A Windows interface and its ease-of-use are important to
consider. You are not likely to spend too much time using your
antivirus software, but this does not mean it should be
difficult to use. Actually, it's quite the opposite – when you
need to do a full virus scan, the software must be simple to
pick up and use. Online help and an online virus encyclopedia
can also be useful tools. Users of Windows 95 and later should
also look for direct integration with the Windows Explorer for
quick and easy virus scanning on any folder or file via
right-click context menu options.
Network administrators should focus on features that simplify
the management and updating of a network of antivirus software
users. They should look for a solution that meets current and
future needs in terms of cross-platform support and integration
with their other network solutions. Hands-on testing is
essential!