Friday, August 01, 2003
Anti-Virus Defences
(Note: This is a reprint from our August 2003 Newsletter)
Recently Green Light IT had to help a customer clean up after a virus infection, and I was reminded how expensive an exercise this can be for an organisation, both in money paid for services from people like Green Light IT and in lost productivity.
Just after this work came Blaster. Some customers were properly protected against it through good management; others have, so far, survived through good luck. Thankfully no customers have been infected so far.
Viruses continue to evolve, to the point that good anti-virus protection now relies on more than simply having current anti-virus products and using them.
Instead we are seeing viruses that need effective network security to stop them.
Of course, although this breed of virus may seem new, it really isn’t. Looking back through our earlier material, I note that in October 2001 we wrote an article about the Nimda virus which made it clear that we could expect virus writers to start using recently announced security exploits as new ways to propagate viruses.
The article is still on the website at: http://www.colmancomm.com/ (this link is no longer valid, sorry). It’s the fourth item in the list of “Stuff”. In fact so much of what was written there is still relevant that I was tempted just to reprint it as this newsletter’s editorial. It might be worth your time to read it and make sure that your business is at least doing the basics mentioned there. Here, though, I want to expand on the nature of these newer viruses and what you should be doing to protect yourself.
Most businesses these days connect to the Internet in one way or another. It is also clear that most viruses now arrive from the Internet, whether via email, by downloading infected files from the web, or via an infected machine connecting directly to your network and infecting it.
Since this is the entry point for most viruses, it deserves special attention. So for each of the three infection vectors mentioned above (email, web and direct connection), here is how to mitigate the risk.
Email:
By and large email has carried the lion’s share of destructive viruses over the last few years. In addition to running desktop anti-virus products, your email should be scanned by a second, separate anti-virus product before it reaches the desktop, either on your own mail gateway or by a third party. We offer an economical service that does this, but your ISP may also offer it as a standard part of their service. If you host your own email server (i.e. it is not done by the ISP), you should see to this immediately.
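One cheap check that belongs alongside signature scanning on a mail gateway is attachment inspection: refuse or quarantine anything that Windows would run on double-click, regardless of what the sender called it. The script below is an added example, not part of the original newsletter or of any Green Light IT product. The executable-extension list, the constructed sample message and the function names are my own choices; the one hard fact it relies on is that Windows executables begin with the two bytes “MZ”.

```python
"""Gateway-side attachment check for inbound mail (added example).

Flags attachments that a 2003-era mass-mailing virus typically carried:
anything whose name carries an executable extension, including double
extensions such as "invoice.txt.pif", and anything whose content starts
with the "MZ" header of a Windows executable even if the name looks
harmless.  The sample message at the bottom is constructed for this
example.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumed list; extend to taste).
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk", "reg",
}


def suspicious_name(filename):
    """Return a reason if ANY extension component is executable.

    "report.txt.pif" splits into ["report", "txt", "pif"]; every component
    after the first is checked, so double extensions do not slip past.
    """
    parts = filename.lower().split(".")
    for ext in parts[1:]:
        if ext in EXECUTABLE_EXTS:
            return f"executable extension .{ext}"
    return None


def suspicious_content(payload):
    """Return a reason if the decoded bytes look like a Windows executable."""
    if payload[:2] == b"MZ":
        return "Windows PE/MZ header"
    return None


def scan_message(raw):
    """Parse an RFC 822 message and return [(filename, reason), ...]
    for every attachment that fails either check."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reason = suspicious_name(name) or suspicious_content(payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample():
    """Constructed test mail: a 'text' attachment that is really an EXE,
    a double-extension .pif, and one genuinely harmless text file."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="invoice.txt.pif")
    msg.add_attachment("hello", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"QUARANTINE {name}: {reason}")
```

Two caveats a practitioner should keep in mind: this complements a real virus scanner rather than replacing it (it says nothing about a macro in a Word document), and attachments inside archives need the archive unpacked before the same checks apply.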
Web:
The web is difficult to protect against because there is no real opportunity for any system to inspect a file until it has been fully downloaded onto the user’s computer. (There are some products that try to do it, but I don’t think any of them are satisfactory for use.) (Note, fast forward to 2009: there are workable options now.)
The two strategies that work against this are 1) getting anti-virus products onto every vulnerable system inside your environment, including servers, and keeping them up to date, and 2) educating users about the danger of downloading programs and other executable content from the Internet.
In our experience strategy 1 is far more likely to succeed than strategy 2, but doing both is better.
As a further step it may be possible, depending on your network configuration, to prevent most users from downloading dangerous file types at all. If such files genuinely need to be downloaded, have it done by one person in the office, who is hopefully a little more judicious than the rest.
Network:
Network-borne viruses, which connect directly to other machines across the network in order to infect them, have been increasing in prevalence over the past couple of years. They also seem to be the ones causing the most trouble these days, including such notorious examples as Code Red and now Blaster.
It is well and truly past time to be operating a firewall on your connection to the Internet. Customers still connecting to the Internet through winproxy setups and the like, or through plain Windows dial-up, need to take action.
Personal computers that do not always have the protection of a network firewall, such as home PCs and roving laptops, can be protected by installing a good personal firewall product such as ZoneAlarm from ZoneLabs (note for 2009: most AV products include firewalls now).
Systems that provide Internet connectivity for a whole network should probably be replaced by a dedicated firewall. Exactly which product suits best depends on your requirements. As all of our customers know, we market the SENSEI Firewall, but there are many other options depending on the features you are after. Blaster is the wake-up call. It is time to reconsider the anti-virus defences for your business and make sure they are in good nick.
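A firewall keeps a network-borne virus out; it does not tell you that one is already loose on a laptop that came in the door. What gives an infected machine away is the spreading behaviour itself: one source connecting to many different addresses on the same port in quick succession (Blaster did this on TCP port 135). The script below is an added example, not from the newsletter, showing that check run over firewall log lines. The log line format, the port list and the thresholds are assumptions for the example; adapt the regular expression to whatever your firewall actually writes.

```python
"""Spotting a network-borne worm in firewall logs (added example).

An infected host fans out to many destinations on the port the worm
exploits.  This flags any source that reaches FANOUT_THRESHOLD or more
distinct hosts on a worm port inside a sliding time window.  The log
format parsed by LINE_RE is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "2003-08-12 09:15:01 DROP tcp 1.2.3.4:1045 -> 5.6.7.8:135"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

WORM_PORTS = {135}            # Blaster's target port; extend as needed
FANOUT_THRESHOLD = 10         # distinct targets that count as a sweep (assumed)
WINDOW = timedelta(seconds=60)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: max_distinct_targets} for every source that touched
    `threshold` or more distinct hosts on a worm port within `window`."""
    events = defaultdict(list)            # src -> [(ts, dst), ...]
    for line in lines:
        e = parse(line)
        if e and e["dport"] in WORM_PORTS:
            events[e["src"]].append((e["ts"], e["dst"]))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def sample_log():
    """Constructed log: one host sweeping 10.0.0.1-12 on port 135 within
    12 seconds, plus ordinary traffic and a junk line that must be ignored."""
    lines = [
        f"2003-08-12 09:15:{i:02d} DROP tcp 192.168.1.23:{1040 + i} -> 10.0.0.{i}:135"
        for i in range(1, 13)
    ]
    lines += [
        "2003-08-12 09:15:05 ALLOW tcp 192.168.1.40:3201 -> 10.0.0.2:135",
        "2003-08-12 09:15:06 ALLOW tcp 192.168.1.40:3202 -> 10.0.0.2:135",
        "2003-08-12 09:15:07 ALLOW tcp 192.168.1.50:3300 -> 10.0.0.9:80",
        "this line is not in the expected format and is skipped",
    ]
    return lines


if __name__ == "__main__":
    for src, count in find_scanners(sample_log()).items():
        print(f"possible worm host {src}: {count} distinct targets on {sorted(WORM_PORTS)}")
```

The legitimate host that retries the same server twice is not flagged because the count is of distinct targets, not connections; that distinction is what separates a sweep from a chatty application.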
As always, you can contact us for advice and assistance.
Categories: Business, Government, Security, Strategy and Analysis, Tech Tips

