against Computer Viruses
Copyright (C) 02/1995 by Howard Fuhs
In any advisory conversation regarding information security the question invariably arises how it is possible to protect the data of the organisation against computer viruses in an efficient and economically sensible manner. Unfortunately, it is not a simple matter to give a comprehensive answer to this question because too many individual factors need to be taken into consideration when designing a solution. It does not make sense to purchase an off-the-shelf system, which does not consider important internal factors. Only adaptable systems and solutions show any promise. One thing must be made clear to the persons in an enterprise making these decisions: No matter how the proposed solution looks on paper, it will not offer a 100% protection against computer viruses. A certain risk will always remain. It is the purpose of the chosen solution to keep this risk as small and as acceptable as possible.
This article will focus on factors which in practice are important to consider in order to reduce the risk of contracting computer viruses in an organisation. Considerable differences between the theoretical proposal to a solution and the practical measures to be taken often exist when it comes to implementing preventive measures.
As already mentioned the implementation must on one side be efficient and on the other side remain within budgetary restraints. "Efficiency" in this case means a solution providing the greatest possible security while interfering as little as possible with the work routines of the organisation. In practice, however, "efficiency" must be expanded to consider also other factors. An important factor is the ease with which the countermeasures can be employed by the users. Many anti-virus products look from the point of view of user interface as if they were made for programmers by programmers. An anti-virus program, which is not simply and clearly structured and easy to operate, will not gain acceptance from the non-expert computer user in everyday work. The lower the level of acceptance is, the less frequently it will be used. Obviously, a preventive measure, which does not actually get used, prevents nothing. Furthermore, it must be considered how difficult (or easy) it is to install the program, how difficult it is to implement regular updates across a large organisation, and how many qualified resources it takes to run the program regularly in the organisation.
It is also necessary to consider the operative framework when specifying a product and the corresponding countermeasures to be taken. Thus, the most unimportant and inexpensive data should not necessarily be subject to the most comprehensive (and expensive) protection mechanisms used to protect staff data, important research results and vital financial company data. When introducing an anti-virus system it is possible through a sensible segmentation to obtain considerable financial savings without weakening the overall protection. When segmenting the protective mechanisms it is necessary to consider the following points of view:
In case of untrained users all security procedures on the PC must be automated, e.g. automatic invocation of a protective procedure from AUTOEXEC.BAT, from other batch files or when the user logs into the company network. Furthermore, the user should not be required to reply to any questions from the system. Few, if any, messages should be displayed on the monitor. If necessary a message may be displayed referring the user to a helpdesk or similar function in the organisation. E.g. it is normal to configure virus scanning software without built-in repair functions to act in this manner. In serious cases all further measures must be taken by experts. They are required to remove the virus, reinstall infected programs and repair damaged data.
Only specially trained users or system administrators should be allowed access to software tools that permit comprehensive system changes. Even in large corporations this means a very limited number of people, who are responsible for IT in general and for Information Security in particular.
In case no such persons are available internally in a company it must be recommended to get in touch with a specialised information security company in due time. These companies normally offer outsourcing information security measures that can prove interesting to companies of any size. In serious cases this type of company should be given responsibility for all measures to be taken.
It is important to perform an analysis showing the value to the organisation of particular sets of data, where these data are stored, and who operates the computers in question. This information allows you to determine the necessary level of protection for each category of computers, which hardware problems (networked computers, computers containing modems, etc.) and which physical protection problems (easily accessible computers) must be considered, and the level of competence required from each operator.
A practical segmenting of protective measures may look like this:
- Computers with unimportant data - Generic anti-virus protection, e.g. a checksumming program. Optionally, a TSR protector.
- Computers with slightly more important data - Checksumming program, virus scanner. Optionally, a TSR protector.
- Computers containing important data - Checksumming software, TSR protection, two different virus scanners. Optionally an extra type of generic protection.
- Computers containing vital data and most notebook computers - Checksummer, TSR protection, two different virus scanners. Optional hardware protection or extra generic protection.
- Incoming diskettes must be examined in a separate test computer before being allowed onto any of the networked computers.
Before an organisation undertakes preventive anti-virus measures clear policies must be defined and distributed throughout the organisation. It has no meaning to allow each individual department in an organisation to make a patchwork of individual decisions, leading to incompatibilities and potentially serious security holes. The virus prevention policies must be made known throughout the organisation and they must be reexamined regularly (e.g. annually) with respect to their effectiveness, efficiency and cost. Furthermore, it is sensible to publish guidelines regarding who to call for assistance in case of problems or emergencies. This can be a single person or a complete help desk depending on the size of the organisation.
The contents of these policies must specify from which companies it is allowed to purchase software (trusted sources), who is authorised to handle diskettes from other than trusted sources (catalogue diskettes from suppliers, magazine diskettes or CD-ROMs, etc.), how internal network traffic is controlled, how external data exchange (to and from customers, download of data from BBSs and the Internet, etc.) is controlled, who is authorised to take further measures in serious cases or who must be advised about incidents in any case - and who is to receive copies of any computer virus found (virus test centres, police computer crime units, anti-virus producers, etc.). These are just examples of some of the items that must be covered by the security policy. In large and diverse organisations information security policies can reach book thickness.
Together with the policies a disaster recovery plan must be designed and tested through realistic simulations. Also this type of preparation for an emergency is part of the preventive measures.
Although user training unfortunately is nonexistent in many companies, it is nevertheless the most important and effective protection against computer viruses. It is a genuinely preventive measure which is active before a virus infection occurs, and it is among the most efficient countermeasures that can be brought to bear on computer viruses. This security awareness training does not have to take more than one or two hours to bring to the user the knowledge of the most important rules of virus prevention. It is neither purposeful nor sensible to attempt to stuff the user with technical knowledge which is unnecessary in everyday work. The training should only inform about computer viruses in broad lines and draw attention to their existence. Practice has proven that staff trained this way more readily accept that company security policies and measures are necessary than untrained staff, and that they tend to implement preventive measures without having to be instructed to do so all the time.
Before applying countermeasures the weak points of the organisation, through which a virus can possibly penetrate, must be known. A virus uses the following paths to infect computers:
Diskettes - the most common means of transport for computer viruses. Most people probably by now realise that the main emphasis must be put on securing diskette drives. Most viruses arrive on diskettes with a shady past, e.g. containing pirated software, but infections on driver diskettes supplied with hardware are seen more and more often, particularly with no-name products from the Asian area. Even original software diskettes containing brand name software have been found to carry virus infections. These cases have been comparatively rare, and the manufacturers have taken measures to limit the harm to users. Also a rapidly increasing number of CD-ROMs come infected.
Streamer tapes are often responsible for reinfecting computer systems when programs are reinstalled from backup tapes following the cleaning up operation after a virus infection. In order to prevent this from happening the following procedure should be used with regard to backups:
Right after installing new software on a (one) computer it is necessary to make sure that this computer is virus-free. This accomplished, a backup is made immediately, and this is stored for as long as the particular version of the software is in use. All subsequent backups of the computer should only back up data, never programs. If this procedure for whatever reason is impossible to follow, it is necessary to inspect all backup tapes for virus infection after one has occurred on a computer.
Local Area Network/Wide Area Network - an infection on a file server can quickly spread to all computers connected to the network. In case the privileges on the network are set up to allow this, a virus can also quickly spread from one workstation PC via the servers to the rest of the network.
International Networks - networks from which you download programs via modem. Private mailbox systems also belong to this group. Even though system operators take a great deal of effort to protect this type of sites against virus infections, they should in no way be regarded as Trusted Sources.
PC/PC Links across parallel or serial connections. Same rules as for any network apply.
Keyboards - not a likely path for a virus, but cannot be ruled out (someone typing virus code into a computer).
After describing the preparatory measures it is now time to look at how the security holes can be plugged. Experience shows that several countermeasures must be applied at the same time in order to optimise the protection against computer viruses. The reason for this is that each component of an anti-virus protection system addresses a particular aspect of the protection, and that manufacturers and programmers of anti-virus systems follow ideas and design philosophies, each having advantages and disadvantages. Thus it is not normally advisable to acquire all components from one single manufacturer. Furthermore, techniques designed to produce automatic virus protection often display properties that viruses can use to render the protection ineffective.
When composing a protective system from components of different origins it is necessary to ensure the compatibility of these. Particularly in case of badly designed products problems can arise. E.g. a badly designed virus scanner may leave virus signatures in memory after completing a scan. In case a different scanner is started immediately after the completion of a scan by the first one, it is possible that it will indicate a virus infection although none is present. Products from different manufacturers sometimes interact negatively in this manner. Similar problems may arise from using a combination of TSR anti-virus programs from different manufacturers. This may lead to false alarms or even to system crashes.
The following rule must be followed, particularly regarding original software diskettes from manufacturers: If the manufacturer is so irresponsible that this has not already been done before the diskettes are delivered to the customer, the first step is to write-protect the diskettes. The next step is to make a backup on a virus-free computer, and write-protect that. Then the original diskettes are stored in a safe place, and software installation is performed exclusively from the (write-protected) backup diskettes. Some software products can only be installed when one of the original diskettes is used in the installation procedure and left unprotected. Avoid software like that if you can replace it with a similar product. If you do choose to use it, always scan the unprotected disk immediately after using it, and then write-protect it for storage. The write protection cannot be bypassed by any virus, because it is implemented in hardware (unless the hardware is defective, of course).
Virus scanning is currently the most widely used method to track down viruses. Scanning cannot truly be said to be a preventive measure, because a scanner is only able to detect a virus when one or several files or disk areas have already become infected.
Since no virus scanner (despite advertising statements to the contrary by some manufacturers) is able to display a detection rate of 100%, it is advisable to use at least two different scanners from different manufacturers. It is important to consider from which countries the scanners originate. E.g. scanners from the USA do not necessarily detect all the viruses currently prevalent in European countries. On the other hand, European products may have problems detecting newer viruses from other parts of the world. For worldwide enterprises it is thus advisable to use scanners originating from the same part of the world from which diskettes and programs are mainly supplied, plus a scanner of local origin. When comparing technical data for scanners it is recommended to make sure that at least one of the scanners used can be set up to scan executables inside archives such as packed EXE files and ZIP and ARJ archives.
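The archive requirement in the last sentence is easy to state and easy to get wrong, so here is an added example (not from the article or any product it mentions) of a signature scanner that recurses into ZIP archives, including archives nested inside archives, with a depth limit and a member size limit so that a maliciously constructed archive cannot exhaust the scanner. The signature patterns and the sample archive are constructed for the demonstration and are not real virus signatures.

```python
"""Signature scanning that looks inside ZIP archives, nested ones included."""
import io
import zipfile

# Constructed signature database (name -> byte pattern). These are made-up
# test patterns for the demonstration, not signatures of real viruses.
SIGNATURES = {
    "Test.Pattern.A": b"CONSTRUCTED-SIGNATURE-A",
    "Test.Pattern.B": b"CONSTRUCTED-SIGNATURE-B",
}

MAX_DEPTH = 4                 # archives nested deeper than this are reported, not opened
MAX_MEMBER = 16 * 1024 * 1024  # refuse to inflate members larger than 16 MiB


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_object(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Scan one file image and return (path, finding) pairs.

    If the image is a ZIP archive, every member is scanned recursively, so an
    executable packed in an archive (or an archive inside an archive) is not
    skipped the way a plain file scanner would skip it.
    """
    hits: list[tuple[str, str]] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            hits.append((name, "ARCHIVE-NESTED-TOO-DEEP"))
            return hits
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_name = f"{name}:{info.filename}"
                if info.file_size > MAX_MEMBER:
                    hits.append((member_name, "MEMBER-TOO-LARGE"))
                    continue
                hits.extend(scan_object(member_name, zf.read(info), depth + 1))
        return hits
    for sig in scan_bytes(data):
        hits.append((name, sig))
    return hits


def build_sample_archive() -> bytes:
    """Constructed input: a catalogue ZIP holding a clean text file, an EXE
    carrying pattern A, and a nested ZIP holding a COM carrying pattern B."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("TOOLS/UTIL.COM", b"\xe9\x10\x00" + b"\x90" * 16 + SIGNATURES["Test.Pattern.B"])
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.TXT", b"catalogue diskette, spring 1995")
        zf.writestr("SETUP.EXE", b"MZ" + b"\x00" * 32 + SIGNATURES["Test.Pattern.A"] + b"\x00" * 8)
        zf.writestr("EXTRAS.ZIP", inner.getvalue())
    return outer.getvalue()


def scan_sample() -> list[tuple[str, str]]:
    """Scan the constructed catalogue archive."""
    return scan_object("CATALOG.ZIP", build_sample_archive())


if __name__ == "__main__":
    for path, finding in scan_sample():
        print(f"{path}: {finding}")
```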
In case a virus infection is suspected, the computer must be started from a clean write-protected DOS diskette and once again examined using all the tools at disposal. Booting from a clean diskette ensures that no virus is active in the memory of the computer while it is being examined. In theory the computer should always be started from a clean system diskette before scanning, but in practice this is not always possible, e.g. if activating the scanner from a server.
A good scanner should scan the memory of the computer for viruses when activated and subsequently check whether it has itself become infected.
Generic virus detection is a concept covering a number of techniques used to find computer viruses without using a scanner. Scanners as a rule are only able to detect already known viruses and need regular updates in order to provide efficient protection. When using generic virus detection you do not directly search for computer viruses, but rather for suspicious changes to a checksum taken over a program, for suspicious and virus-typical code in executables, for suspicious changes to the main memory right after booting the computer, etc. These techniques will without doubt form one of the future roads in virus protection. Although the technology must be developed and extended further, there are a few programs built on these techniques on the market that can be used to advantage and offer considerable security. An advantage offered by these programs is that no regular updates are required in order to bring virus information up to date. Particularly in larger organisations this can reduce the cost of anti-virus measures considerably.
Furthermore, a program of this type is to a certain extent able to detect unknown viruses, however at this stage not sufficiently reliably to be the only protection. For some generic products it is a problem that they can either be tuned to use very "sharp" detection criteria, in which case they do find almost all the viruses but give off an unacceptable number of false alarms - or to use "mild" detection criteria, in which case they do not give as many false alarms but have a very low virus detection rate. Despite these problems generic detection is a promising technology which will eventually be able to reduce costs and save time.
Checksumming is one of the best understood generic detection methods, and under no circumstances should a proper anti-virus system lack a good checksumming program. Normally a checksumming program is used to ascertain the integrity of files and is as such included within the frame of protective measures. A good checksummer, however, is also able to detect changes to boot sectors of hard disks as well as changes to .COM and .EXE files indicating a possible virus infection. It should also be able to detect companion viruses and be useful for reestablishing data after an infection. Checksummers are able to detect unknown viruses, because they search for file changes rather than virus signatures. Stealth viruses, which remove themselves from a file before handing it to the checksummer, may cause problems by always presenting the checksummer with an uninfected file and thus rendering it incapable of detecting the infection.
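As an added example (not code from the article or any product it names), the following checksummer records a baseline of hashes over executables, then reports modified, added and missing files and flags the companion-virus pattern the paragraph mentions: a new NAME.COM appearing beside a known NAME.EXE, which DOS would run first. The directory layout and file contents are constructed for the demonstration; the stealth caveat from the paragraph is why such a tool should run after a clean boot.

```python
"""Integrity checksummer for DOS-style executables: baseline, verify, companion check."""
import hashlib
import json
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".com", ".exe", ".sys", ".ovl"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict[str, dict]:
    """Hash every executable below root. The size is kept as a cheap first check;
    a stealth virus that hides its own bytes defeats this, so run after a clean boot."""
    baseline: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the current tree with the stored baseline."""
    current = take_baseline(root)
    report: dict[str, list[str]] = {"modified": [], "added": [], "missing": [], "companion": []}
    for rel, rec in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif rec["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    # Companion check: DOS prefers NAME.COM over NAME.EXE in the same directory,
    # so a new .COM whose stem matches a baselined .EXE is a classic infection sign.
    known_exe_stems = {rel.lower()[:-4] for rel in baseline if rel.lower().endswith(".exe")}
    for rel in report["added"]:
        if rel.lower().endswith(".com") and rel.lower()[:-4] in known_exe_stems:
            report["companion"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate a parasitic infection
    (bytes appended to WP.EXE), a companion infection (new CALC.COM beside
    CALC.EXE) and a removed file (DOS/EDIT.COM)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "DOS" / "EDIT.COM").write_bytes(b"\xe9\x00\x01" + b"\x90" * 40)
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 60)
        (root / "CALC.EXE").write_bytes(b"MZ" + b"\x01" * 60)
        baseline = take_baseline(root)
        # Round-trip through JSON the way a real tool would store the baseline,
        # ideally on a write-protected diskette rather than on the disk being checked.
        baseline = json.loads(json.dumps(baseline))
        with (root / "WP.EXE").open("ab") as f:
            f.write(b"\xcc" * 16)
        (root / "CALC.COM").write_bytes(b"\xe9\x10\x00" + b"\x90" * 20)
        (root / "DOS" / "EDIT.COM").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```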
A protective measure which in practice is considerably undervalued is a TSR program designed to prevent viruses from entering the computer in the first place. A problem with this type of protection is that it would be possible to program a virus which would be able to circumvent the protection and thus render it ineffective. Several types of techniques lend themselves to this type of protection. A resident scanner is one possibility, but as explained above this is not really a preventive measure. Furthermore, many viruses are in the wild that circumvent or disarm resident virus scanners.
Other solutions supervise activity in the main memory and control interrupt activities. These are able to detect e.g. suspicious activities like direct writes to a disk, and alarm the user. This type of TSR would contain information about which programs are permitted to do "suspicious" things so as not to alarm the user unnecessarily. This reduces the number of "false" or unwarranted alarms considerably. It is important that this type of system intercepts warm boots (CTRL-ALT-DEL) and checks that no diskette is sitting in drive a:, potentially causing a boot virus infection.
The disadvantages to TSR programs are that they may be targeted and deactivated by specially written enemy viruses, and that they take up space in the main memory of the computer.
A few hardware solutions which promise protection against computer viruses exist on the market in the shape of plug-in cards. Literally speaking, hardware comprises the only secure solution against viruses, since this - as opposed to software solutions - cannot be bypassed by virus actions (if it has been designed correctly). Unfortunately, the hardware solutions currently on the market have a number of problems, a fact which has prevented their widespread use. These problems are mainly of a financial and organisational nature. In larger companies anti-virus software is sold as site licenses, and considerable discounts are built into these for large numbers of computers. Because of production costs, the price of a hardware-based protection system cannot drop below a certain level. This makes a site license for a software product considerably cheaper than a corresponding hardware solution. From the organisational point of view the hardware solution offers the advantage that it does not normally require changes after the initial installation. The disadvantage of course lies in the fact that each and every computer needs to be opened, the card installed and subsequently the accompanying software installed, an exercise which can take months. Assuming that no incompatibilities and similar problems turn up, the process will take between 30 minutes and one hour for each computer. Thus, there are very clear limits to the usefulness of hardware solutions. Furthermore, most hardware-based solutions require at least some user training, because they require the user to make some informed technical decisions.
Hardware solutions can be recommended in case of particularly exposed computers, e.g. when these are operated by a large number of people such as in schools and universities. In cases like this the number of computers is limited and confined to a few rooms, and each computer carries more or less the same software, making distribution of preconfigured software a viable route to take. In these cases hardware-based solutions promise both economical and effective protection.
A simpler and cheaper solution is diskette drive locks. Since viruses are most often brought into an organisation on diskettes, the use of diskette drive locks can prevent unauthorised use of diskette drives and thus the unauthorised installation or copying of software and data. Particularly in computers connected to a network, diskette drives are not normally required at all, because software updates can be distributed over the network.
Particularly in larger enterprises having regular diskette interchange with customers a test computer is recommended. This computer serves exclusively as a security lock for all diskettes into and out of the organisation. Such "sheep-dip" computers may be implemented on a divisional basis or one installed at the entrance of each building. To keep costs low, scrapped computers like old 286s may be used (they need to be protected by advanced systems, though). The most recent versions of at least two anti-virus scanners must be installed on these computers and all diskettes scanned using both of these. Unfortunately it is necessary also to consider the problem of infected CD-ROMs, particularly those containing shareware programs. These should not be used in professional organisations.
Even stand-alone computers must be sufficiently protected against computer viruses. Viruses enter these almost exclusively by means of diskettes. For this reason it is necessary, in addition to the usual anti-virus system, to include protection of the diskette drives. A good protection is a resident program which automatically provides scanning whenever something is copied or executed from diskette, and which prevents diskette activity in case a scan has not been performed (or, indeed, a virus has been found on the diskette). In case of stand-alone computers (as opposed to computers on networks) using the diskette drive is the only way to install software, perform backups, etc., so diskette drive locks are not a solution.
When it comes to computers on a network, users should not be allowed to log on until the anti-virus system on the computer has declared it to be safe. The anti-virus system can either be installed centrally on the server or on the individual computers. However, in order to obtain adequate protection a combination of the two is normally required, so that part of the anti-virus protection runs on the servers and part of it on each computer connected to the network.
In case of a virus infection on one of the computers, this computer should under no circumstances be allowed access to the network, except possibly to mail an alarm message to system administration in order for further measures to be initiated.
A further very effective measure is to restrictively reduce write permissions on the network. In general users should only have the right to write to certain data files and not to executable files. Furthermore, users should not in general be permitted to copy executable files across the network. These permissions should be given exclusively to system administrators. As usual in most security work the principle is to deny by default.
Notebooks, being portable devices, are not automatically under the control of system administrators or similarly trained staff. An additional risk factor is the popularity of notebooks and their resulting proliferation. Notebook computers belong in the category of computers to be particularly protected against computer viruses, irrespective of the value of the data on the notebook. This means that each notebook computer should be protected by two virus scanners, a checksummer and possibly some other type of generic anti-virus tool. All these mechanisms should be set up to activate without user intervention. Furthermore, a mechanism must be set up to automatically scan notebook computers each time they are inserted in their docking station and thus connected to the network. It is also recommended to make sure that all users of notebooks participate in information security training. Notebook computers in an organisation are not only a serious source of virus infections, but also constitute a potentially very severe security risk in terms of stolen or lost data. They must be protected accordingly.
Thus, very regular backups must be taken of notebook contents, e.g. each time they are reinserted into their network docking stations; strong password access protection must be in force on the computer, even when not connecting to the network; and in case notebooks contain important information (and in general they shouldn't), this must be encrypted on the hard disk.
The knowledge of computer viruses and the countermeasures that can be used against them is now so comprehensive that virus protection can and should be built into the normal information security system in use in the organisation and considered in this context.
The anti-virus industry is slowly realising this and is busy designing and providing flexible toolkits to accomplish this integration. The best anti-virus systems now work efficiently and securely in the background without taking much user time or attention. User education, however, is lagging behind, with the result that most users still use the time-consuming and insecure method of scanning (whether on servers or perimeter computers) as their primary defence.