Internet Kmoraine Hosting Quality Webs since 1998
Choosing Antivirus Software

Computer viruses have always been shrouded in mystery. What are they? Where do they come from? What do they do? How do I select an antivirus solution to defend my critical computing assets? Despite the mystery, and even misinformation from popular media sources, the answers are simple.

The Basics
Viruses are computer programs written to reproduce themselves. This means they tend to spread from one computer to another. They are commonly perceived (and often designed) to cause damage by deleting data and performing malicious acts (while many would argue that the impact supposedly benign viruses have on computer performance could also be considered destructive). However, this is not necessary for a program to be considered a virus.

Traditionally, virus writers have been presented as hacker-types – young, misguided individuals who are interested in seeing their viruses spread and in achieving notoriety. From the mid-1990s on, we have seen this stereotype break down, with the emergence of two further kinds of virus writer. These may loosely be described as the ‘professional’ and ‘unintentional’ virus writers. The former are drawn from the growing ranks of IT professionals – programmers, support staff and the like – who understand what they are doing when they create new viruses. The unintentional virus writers are often experienced computer users who over-extend themselves. This latter phenomenon is particularly linked to the huge growth, in the late 1990s, of macro viruses for popular office productivity applications such as Microsoft Word and Microsoft Excel. Because of the ready availability of macro development tools in the products themselves, well-intentioned ‘experts’ would often unwittingly alter a known virus detected within their company while ‘researching’ it. As the newly-created variant was then not detected by their antivirus software, this new variant could (and often did) spread through the company and beyond.

Antivirus software is designed to detect and protect against computer viruses. It protects data and the normal function of a computer and minimizes or eliminates time wasted dealing with virus infections. While most antivirus software is capable of detecting and removing common viruses, it is often unused or not kept up to date, which is what allows viruses to spread.

In large corporate settings, tools to manage antivirus efforts are as important as the actual detection and cure of viruses. When antivirus products fail, it is not because they cannot detect viruses, but because they are too difficult to use and too difficult to manage.

TruSecure (formerly the International Computer Security Association or ICSA, itself formerly the NCSA) has been running an annual survey of virus prevalence in large U.S. organizations for several years. In 1998 nearly all the organizations surveyed reported a computer virus incident. This was a sharp increase from the previous year – a year in which viruses were estimated to cost U.S. businesses over $2 billion! This increase in virus prevalence is primarily attributable to two influences – the increased popularity of the Internet, and the rise of macro viruses. Further, it predates the first release of mass-distribution viruses, such as W97M/Melissa and VBS/LoveLetter, which have since only made matters worse.

Increased network connectivity makes the rapid distribution of viruses and other malware easy. This is predominantly due to new Internet-connected machines mostly running Win32 (32-bit Windows) operating systems, resulting in the development of a ‘computing mono-culture’. With a large proportion of the machines on the Internet running closely compatible OSes (and particularly with closely compatible network interfaces), we have an environment where a few careless users can unleash a flood of network misery once a malcontent develops the code and tricks a few naïve users into running it. Executable Internet worms, such as Win32/ExploreZip have taken advantage of the extensive interconnectedness of Windows users and the common use of particular e-mail client software.

Simple tricks, such as posting new viruses and trojans to Usenet news and representing the message’s attachment as a list of passwords to access pornography web sites have proven very successful. If you think this is too obvious a trick to fool most users, then think again - that is exactly how W97M/Melissa was initially distributed. More recently, similar ruses have also been used by the writers of ‘successful’ script viruses, suggesting their message attachments are photographs of (sometimes semi-clad) popular-culture figures such as female singers, actors and sports-people. Combining the power of commonly deployed Windows scripting languages (such as Visual Basic Script and JavaScript) with the availability of the networked Windows mono-culture described above, script viruses have also contributed significantly to the increased risk of becoming a virus victim. The release and explosive growth of VBS/LoveLetter early in May 2000 displays the ‘effectiveness’ of combining the force of these two factors.

Macro viruses, on the other hand, grew in prominence rapidly because they are embedded in files that traditionally are considered to be ‘just data’. Few users apply their usual concerns about malicious ‘code’ to ‘data’ files. This effect has been compounded by the fact that, at least in the corporate world, such data files are ‘naturally’ exchanged with much greater frequency than executable and script files. Again, the huge growth in interconnectedness, both within companies (through intranets) and between companies (across the Internet), also assisted the rapid increase in the exchange of potentially virus-infected ‘data’ files as e-mail became the ‘must have’ desktop computer tool of the mid-to-late 1990s.

This white paper will help you understand the key issues relating to choosing antivirus software; whether you are fighting viruses from your home office, or charged with establishing virus protection for a large networked enterprise. With a little knowledge and the right software, viruses and the damage they cause can be avoided.

Virus Detection
Viruses are detected by antivirus software in two ways: a full scan of your hard drive, or in real-time as each file is accessed. It is critical that antivirus software provides both of these features, especially real-time protection. Full and real-time scans detect known viruses using scan strings (like virus fingerprints) that identify a program as (containing) a known virus. Some antivirus software also uses advanced techniques to identify potential viruses and will check memory and system files as well. The total number of viruses an antivirus software program can detect is known as its detection rate.

Many reviews of antivirus software start (and unfortunately end) with just a comparison of detection rates. While detection is an important consideration, it is just one aspect of the software. Detection rates will vary dramatically depending on the types of viruses used for testing. One program may detect 90% of several thousand test viruses while another may detect 80%. Results like these are not conclusive and can be misleading.

As of mid-2001, there are over 55,000 known computer viruses in existence but the vast majority are contained in virus research labs and have had little or no general distribution. A researcher named Joe Wells started the WildList, which has come to be considered the industry standard listing of viruses actually spreading and causing problems. The most important detection rate to consider when choosing antivirus software is its ability to detect and cure viruses in the wild.
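The scan-string mechanics and the detection-rate argument above, as an added example that is not code from this white paper or from any antivirus product. The scan strings, sample names, directory tree and test set are all constructed for illustration; a real product keeps many thousands of far longer strings. It shows a full scan over a directory tree, an on-access (real-time style) check of a single file before it is opened, and how the same scanner scores 60% against a mixed test set but 100% against the in-the-wild subset, which is the number the text says matters.

```python
"""Signature ('scan string') detection: full scan, on-access check, and detection rates
split between an in-the-wild subset and the rest of a test set.  Added example, not code
from the white paper or any antivirus product; every scan string, sample and file here is
constructed for illustration."""
import os
import tempfile
from dataclasses import dataclass

# Constructed scan strings: one byte sequence that identifies one known sample.  Real scan
# strings are taken from code unique to the virus so that they do not match clean files.
SCAN_STRINGS = {
    "Sample/Alpha": b"ALPHA-PAYLOAD-MARKER-0xC0DE",
    "Sample/Beta": b"BETA-MACRO-MARKER-0xBEEF",
    "Sample/Gamma": b"GAMMA-SCRIPT-MARKER-0xD00D",
}

def match_scan_strings(data: bytes) -> list[str]:
    """Return the names of every scan string present in the buffer."""
    return [name for name, pattern in SCAN_STRINGS.items() if pattern in data]

def scan_file(path: str) -> list[str]:
    with open(path, "rb") as fh:
        return match_scan_strings(fh.read())

def full_scan(root: str) -> dict[str, list[str]]:
    """Full scan: check every file under root and report only the infected ones."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            found = scan_file(path)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def on_access_check(path: str) -> bool:
    """Real-time style check run before a file is handed to an application.
    True means the open may proceed; False means the file should be blocked."""
    return not scan_file(path)

@dataclass
class Sample:
    name: str
    data: bytes
    in_the_wild: bool  # True if the sample is on a WildList-style list

# Constructed test set: three in-the-wild samples the scanner knows, plus two 'zoo'
# samples it has no strings for, so the two rates come out differently.
TEST_SET = [
    Sample("Alpha", b"junk" + SCAN_STRINGS["Sample/Alpha"] + b"junk", True),
    Sample("Beta", SCAN_STRINGS["Sample/Beta"], True),
    Sample("Gamma", SCAN_STRINGS["Sample/Gamma"] + b"tail", True),
    Sample("Delta", b"DELTA-ZOO-SAMPLE", False),
    Sample("Epsilon", b"EPSILON-ZOO-SAMPLE", False),
]

def detection_rates(samples: list[Sample]) -> tuple[float, float]:
    """(overall rate, in-the-wild rate) of this scanner against a test set."""
    detected = [s for s in samples if match_scan_strings(s.data)]
    itw = [s for s in samples if s.in_the_wild]
    itw_detected = [s for s in detected if s.in_the_wild]
    overall = len(detected) / len(samples) if samples else 0.0
    in_wild = len(itw_detected) / len(itw) if itw else 0.0
    return overall, in_wild

def build_sample_tree(root: str) -> None:
    """Write a small constructed directory tree: two infected files and one clean file."""
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "bin"))
    files = {
        "docs/report.doc": b"header" + SCAN_STRINGS["Sample/Beta"] + b"body",
        "bin/tool.exe": b"MZ" + SCAN_STRINGS["Sample/Alpha"],
        "notes.txt": b"nothing to see here",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

def run_demo() -> dict:
    """Build the tree in a temporary directory, run both scan types and the rate calculation."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    overall, in_wild = detection_rates(TEST_SET)
    return {
        "hits": full_scan(root),
        "clean_allowed": on_access_check(os.path.join(root, "notes.txt")),
        "infected_blocked": not on_access_check(os.path.join(root, "docs", "report.doc")),
        "overall_rate": overall,
        "in_the_wild_rate": in_wild,
    }
```

Running `run_demo()` reports the two infected files from the full scan, allows the clean file and blocks the infected one on access, and returns an overall rate of 0.6 against a 1.0 in-the-wild rate. The on-access check is only the decision logic; hooking it into file opens is operating-system specific and is the part the text's VxD and NT-service discussion is about.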

In 1992 ICSA Labs (then the NCSA and now a division of TruSecure) established a certification process that provides a consistent and accurate means of comparing antivirus detection rates. This process favors anti-virus software that can detect viruses in the wild, requiring 100% detection of viruses on the WildList. Other viruses are considered to be less important.

The ICSA Labs testing criteria are well designed and the testing process is thorough and performed by professional virus researchers. Look for the ICSA Labs Certified logo on antivirus software products and check the latest test results at http://www.icsalabs.com.

Performance
Like remembering to take medicine, remembering to actually use antivirus software is a necessary first step. It sounds simple but several factors contribute to unused antivirus software.

In order for antivirus software to check files in real-time, it must be fast and stable. In the Windows world, a Terminate and Stay Resident (TSR) program is simply not acceptable. TSRs are unstable and use conventional memory that people need for other programs. They also cannot work at all (in any useful sense) under NT or Windows 2000. A Virtual Device Driver (VxD) does not use conventional memory and is the ideal technology for anti-virus software under Windows 3.1, Windows for Workgroups or Windows 95. For NT and Windows 2000, a native 32-bit NT service is best.

Performance on a file server is just as important. Antivirus software for NetWare servers should support NetWare 3.x, 4.x and 5.x and fit into the NetWare Directory Services (NDS) model well. The NetWare Loadable Module (NLM) should have a utilization gauge that monitors server load and regulates the anti-virus software accordingly. NetWare applications should have the Novell ‘Yes Tested & Approved’ certification. On file servers, it is a very good idea to use back-up software along with antivirus software to ensure virus-free backups. After all, backups are your last line of defense. Consider antivirus and backup solutions that are designed to work together and if possible, are developed by the same company. Antivirus and backup products are notorious for interfering with each other. If the two programs are not integrated, backups may require too much time to complete overnight or administrators will have to schedule separate backup and antivirus scans; an inconvenience and a waste of time.

Management
Keeping antivirus software up to date is critical, more so than with any other software. Computer viruses are being written every day. Periodically, a new virus spreads rapidly in the wild and can end up on your desktop. Over the last few years we have seen this happen with WM/Concept, WM/Cap, W97M/Melissa, VBS/LoveLetter, and many others. Antivirus software that is not frequently updated will be unable to detect new viruses.

Fortunately, most antivirus software companies provide frequent (and often free) software updates. These updates include scan strings that can detect recently written viruses. Updates are typically available for modem download, from the World Wide Web, online services, or a company FTP site.

Remembering to update antivirus software for a home office is not too demanding, but keeping a large network up to date is a much more difficult task. Look for antivirus software that features automatic downloading of updates to avoid reliance on your memory and to save your time. Further, an automatic distribution feature is ideal for saving an administrator the additional time and effort of installing updates on networked servers and clients – the more automation the better. To save Internet bandwidth (from all your computers downloading the same updates from your antivirus vendor’s site at the same time), consider products that allow you to download updates to your own server(s) and have the client software update from there.
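The staged update arrangement just described (download once to your own server, let clients update from there), as an added example that is not code from this white paper or from any vendor's update mechanism. The manifest format, file names and the signature-set contents are constructed assumptions; the hash check is added here as the check a practitioner would want so that a client never installs a signature set that does not match what the administrator published.

```python
"""Staged distribution of scan-string updates from an internal mirror.  Added example, not
code from the white paper or any antivirus vendor; the manifest layout, file names and the
signature-set contents are constructed assumptions."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "manifest.json"     # constructed: version + SHA-256 of the signature set
SIGNATURES_NAME = "scanstrings.dat"  # constructed: the scan-string set itself

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def publish_update(mirror_dir: str, version: int, signature_data: bytes) -> None:
    """Administrator side: stage a new signature set and its manifest on the internal mirror."""
    os.makedirs(mirror_dir, exist_ok=True)
    sig_path = os.path.join(mirror_dir, SIGNATURES_NAME)
    with open(sig_path, "wb") as fh:
        fh.write(signature_data)
    manifest = {"version": version, "sha256": sha256_of(sig_path)}
    with open(os.path.join(mirror_dir, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh)

def read_manifest(directory: str) -> dict:
    """Manifest of a mirror or client directory; version 0 when nothing is installed yet."""
    path = os.path.join(directory, MANIFEST_NAME)
    if not os.path.exists(path):
        return {"version": 0, "sha256": None}
    with open(path) as fh:
        return json.load(fh)

def sync_client(client_dir: str, mirror_dir: str) -> tuple[str, int]:
    """Client side: install the mirror's set only if it is newer and its hash matches the manifest.
    Returns (status, version now installed)."""
    os.makedirs(client_dir, exist_ok=True)
    local = read_manifest(client_dir)
    remote = read_manifest(mirror_dir)
    if remote["version"] <= local["version"]:
        return ("up-to-date", local["version"])
    mirror_sig = os.path.join(mirror_dir, SIGNATURES_NAME)
    staged = os.path.join(client_dir, SIGNATURES_NAME + ".new")
    shutil.copyfile(mirror_sig, staged)
    # Hash the local copy, not the mirror file: what was copied is what will be installed.
    if sha256_of(staged) != remote["sha256"]:
        os.remove(staged)
        return ("rejected: hash mismatch", local["version"])
    os.replace(staged, os.path.join(client_dir, SIGNATURES_NAME))  # atomic swap-in
    with open(os.path.join(client_dir, MANIFEST_NAME), "w") as fh:
        json.dump(remote, fh)
    return ("installed", remote["version"])

def run_demo() -> list[tuple[str, int]]:
    """Walk through first install, no-op re-sync, upgrade, and a tampered mirror."""
    mirror, client = tempfile.mkdtemp(), tempfile.mkdtemp()
    outcomes = [sync_client(client, mirror)]              # nothing published yet
    publish_update(mirror, 1, b"SCAN-STRING-SET-1 (constructed)")
    outcomes.append(sync_client(client, mirror))          # installs version 1
    outcomes.append(sync_client(client, mirror))          # already current
    publish_update(mirror, 2, b"SCAN-STRING-SET-2 (constructed)")
    outcomes.append(sync_client(client, mirror))          # installs version 2
    # Simulate a signature file altered on the mirror without a matching manifest.
    tampered = dict(read_manifest(mirror), version=3)
    with open(os.path.join(mirror, MANIFEST_NAME), "w") as fh:
        json.dump(tampered, fh)
    with open(os.path.join(mirror, SIGNATURES_NAME), "wb") as fh:
        fh.write(b"ALTERED CONTENT (constructed)")
    outcomes.append(sync_client(client, mirror))          # rejected, stays at version 2
    return outcomes
```

Clients only ever talk to the internal mirror, so the vendor's site is fetched once per organization rather than once per desktop, which is the bandwidth saving the text describes. The manifest is written after the signature file on both sides, so a client that reads the mirror mid-publish sees either the old pair or a version/hash that fails the check, never a half-written set.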

Other management features that an administrator should consider are the hierarchical grouping of servers and clients for centralized configuration, and scanning logs. Some programs even have an enforcement feature that monitors and enforces the use of antivirus software across the network, preventing end-users from altering the configuration of the scanner on their desktop machines. Remote installation and remote scanning are other important timesaving features. When a virus hits, alerting features should be extensive in order to reach the administrator, whether by network broadcast, fax, e-mail or pager.

Other Key Features
Depending on your needs, several other antivirus features should be considered.

If your company runs its own Internet e-mail server (or an e-mail server that connects via an ISP’s gateway to the Internet), you should consider installing a virus scanner on that server. With the enormous increase in popularity of the Internet, and particularly with the prevalence of e-mail as a means of communication, stopping viruses at the e-mail server or Internet e-mail gateway can save a great deal of inconvenience. Catching viruses at the entry point to your network means your system administrators or internal technical support staff need not spend time answering calls from users unsure what to do when they get a warning from their desktop real-time virus scanner that an e-mail message they have just received contains a virus.

If you or your staff download files from the Internet, make sure the real-time protection catches any file when it is written to your hard drive. Also, ensure that it supports an option to scan for viruses in popular compressed file archives, such as ARJ, LHA, LZH, ZIP and Microsoft Compressed. Another option to consider here is requiring all Internet web-browsing to be done through a (caching) proxy server. Such a setup has the firewall configured to only allow the proxy server to make external HTTP requests and the client browsers configured to relay their requests through the proxy server, where the incoming files can be virus scanned and blocked if found to be infected. This has similar advantages, in terms of network management and support staff savings, as the e-mail gateway scanner option. A very similar configuration can also be implemented for external FTP file transfers if your users need to transfer files by this protocol.

Critical system files and boot sectors should be saved to a diskette. If an unknown boot sector virus strikes and cripples your computer, you can boot from the diskette and recover from the disaster. Network administrators should look for programs that save client system files to the server; this avoids undue reliance on users keeping track of all their recovery diskettes. A Windows interface and its ease-of-use are important to consider. You are not likely to spend too much time using your antivirus software, but this does not mean it should be difficult to use. Actually, it's quite the opposite – when you need to do a full virus scan, the software must be simple to pick up and use. Online help and an online virus encyclopedia can also be useful tools. Users of Windows 95 and later should also look for direct integration with the Windows Explorer for quick and easy virus scanning on any folder or file via right-click context menu options.

Network administrators should focus on features that simplify the management and updating of a network of antivirus software users. They should look for a solution that meets current and future needs in terms of cross-platform support and integration with their other network solutions. Hands-on testing is essential!


DairySft and Internet Kmoraine are trademarks of DiMan Systems. All other products mentioned are registered trademarks or trademarks of their respective companies.

Questions or problems regarding this web site should be directed to webmaster@kmoraine.com.
Copyright © 1998 DiMan Systems. All rights reserved.
Last modified: Thursday July 10, 2014.