Virus Protection Overview
Since the advent of Internet e-mail and widespread use
of the World Wide Web, malicious programs have become a major security threat.
Viruses and worms can be transmitted around the world in a short period of time
by attaching infected executable files to e-mail messages. The attachments are
usually “Trojan horses” masquerading as something the recipient has requested
or would like to see, and often appear to be coming from a known source.
The best defense against these programs is a combination
of management practices and the use of anti-virus software on servers,
workstations, and laptops. Complete anti-virus software includes: a virus
scanner that tests files and directories for the presence of viruses, including
e-mail attachments; a “disinfectant” to remove viruses from infected files;
real-time protection against viruses that may hide in a computer’s memory; and
a subscription service for updates to the virus signature files to maintain
protection as new viruses are discovered. [1]
The following factors shall be considered as part of the virus scanning software selection process:
· The vendor shall be well established. According to the Gartner Group, the following vendors and products lead the anti-virus market:
o Network Associates McAfee
o Symantec Norton Anti-Virus
o Trend Micro InterScan VirusWall
o Computer Associates InoculateIT
· Certification by the International Computer Security Association (ICSA).
· The software shall employ both a signature scanning engine, which detects known viruses, and a heuristics engine, which helps identify previously unseen malicious code, macro viruses in particular.
· The vendor shall provide automatic updates to the virus signature file.
· Many anti-virus companies today market anti-virus solutions for e-mail servers and gateways. It is becoming increasingly important that these two points of entry to the corporate network be protected. These products must be able to detect and clean infected files, including files inside compressed archives, in real time.
· Capability to be managed and monitored from a central console.
· Policy management capability as part of the software. Important functions of these policy management applications include ensuring that end users cannot circumvent security guidelines, using the corporate security policy as the basis for responding to malicious code intrusions, and ensuring that security administrators are notified when security breaches occur.[2]
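Two of the criteria above are easy to misjudge without seeing them in operation: scanning inside compressed files, and the fact that a signature engine only finds what it already knows. The following added example (not part of the original document, not any vendor's code) is a minimal signature scanner that recurses into zip archives and is then run against a trivially re-encoded copy of the same payload, which it misses. The signature names, byte patterns and sample files are constructed for this example and are not real virus signatures.

```python
"""
Added example: minimal signature scanner with archive recursion.
Signatures and sample contents are constructed; they are not real
virus signatures.
"""
import io
import zipfile

# Constructed "signature database": name -> byte pattern that must appear
# in the file. Real products ship many thousands of these in their updates.
SIGNATURES = {
    "EXAMPLE/Macro.Dropper": b"Sub AutoOpen()\r\nShell \"cmd /c",
    "EXAMPLE/Test.File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EXAMPLE-TEST!$H+H*",
}

MAX_DEPTH = 4  # stop recursing into archives nested inside archives


def match_signatures(data: bytes) -> list[str]:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_bytes(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Scan one blob; if it is a zip archive, also scan every member.

    Returns (path, signature_name) pairs; archive members are reported
    as 'outer.zip/member'. The depth limit stops archive-bomb recursion.
    """
    hits = [(name, sig) for sig in match_signatures(data)]
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)
                hits.extend(scan_bytes(f"{name}/{info.filename}", member, depth + 1))
    return hits


INFECTED_DOC = b"...document body...\r\nSub AutoOpen()\r\nShell \"cmd /c evil.exe\"\r\nEnd Sub"


def build_sample_archive() -> bytes:
    """Constructed sample: a compressed zip holding a clean file and the infected document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", b"Quarterly figures attached.")
        zf.writestr("invoice.doc", INFECTED_DOC)
    return buf.getvalue()


def xor_mutate(data: bytes, key: int = 0x5A) -> bytes:
    """Trivial 'polymorphic' variant: same payload, every byte XORed with key.
    Anything that decodes and runs it is unchanged; the signature is not."""
    return bytes(b ^ key for b in data)


def demo() -> dict[str, list[tuple[str, str]]]:
    """Run the scanner over the constructed inputs and return hits per case."""
    return {
        "plain": scan_bytes("attachment.doc", INFECTED_DOC),
        "archive": scan_bytes("attachment.zip", build_sample_archive()),
        # Same payload, re-encoded: a pure signature scanner reports nothing.
        "mutated": scan_bytes("attachment.bin", xor_mutate(INFECTED_DOC)),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(case, hits or "clean")
```

The "mutated" case is the practical reason the heuristics criterion and the update-subscription criterion both appear in the list: a byte-pattern engine alone is defeated by any re-encoding of a known sample, so either a second engine has to recognise the behaviour, or a new signature has to arrive from the vendor.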
Virus Protection Standards
Minimum Security Option
Description: Policies concentrate on educating users about their responsibilities for regularly scanning for viruses.
Benefits: Low cost (requires only desktop scanning software and user education).
Disadvantages: Will not prevent viruses from entering the network via e-mail attachments or hostile code.
Prevention:
1. Users will be trained about the possibility of receiving viruses and other malicious code from the Internet and about the use of virus scanning tools.
Detection:
1. Off-the-shelf virus-scanning tools will be used to scan computers weekly. No auditing of virus scanning tool records is necessary.
2. Employees will inform the system administrator of any detected virus, unexpected configuration change, or unusual behavior of a computer or application. When informed that a virus has been detected, the system administrators will inform all users with access to the same programs or data that the virus may also have infected their systems. The users will be informed of the steps necessary to determine whether their system is infected and the steps required for virus removal. Users will report the results of scanning and removal activity to the system administrators.
Removal:
1. Any machine infected by a virus will immediately be disconnected from all networks. The machine will not be reconnected to the network until system administration staff can verify that the virus has been removed. When applicable, off-the-shelf virus scanning tools will be used to remove a virus from an infected file or program. If virus-scanning software fails to remove the virus, all software on the computer will be deleted (including boot records, if needed). Software will then be reinstalled from uninfected sources and re-scanned for viruses.
Optimum Security Option
Description: Policies shall dictate more frequent scanning for viruses, and the use of server and e-mail virus scanners.
Benefits: Effective protection on servers and desktops limits exposure to viruses.
Disadvantages: Cost of implementing and updating the anti-virus software.
Prevention:
1. Software will be downloaded and installed only by network administrators (who will scan or test software).
2. Anti-virus software will be installed on file servers to limit the spread of viruses within the network. Scanning of all files and executable code will occur daily on these file servers. Workstations will have memory resident anti-virus software installed and configured to scan data as it enters the computer. All incoming electronic mail will be scanned for viruses. Programs and files opened by applications prone to macro viruses will not be executed without prior scanning.
3. If available, virus software update files from the vendor shall be automatically delivered and installed using secure channels.
4. Employee security training will include the following information about virus infection risks:
· Virus scanning software is limited to the detection of viruses that have already been identified. New and more sophisticated viruses are constantly being developed, so the scanning software will be updated as each new signature (".dat") file is released in order to maintain currency with the latest viruses.
· It is important to inform the system administrator of any different or out of the ordinary behavior a computer or application exhibits.
Detection:
1. Off-the-shelf virus-scanning tools will be used to scan computers on a daily basis. The virus scanning tools will be updated on a monthly basis. All software or data imported onto a computer (from floppy disk, e-mail, or file transfer) will be scanned before being used.
2. Virus scanning logs will be recorded, reported and examined by the system administration staff. Employees will inform the system administrator of any virus that is detected, as well as any configuration change or different behavior of computer systems or applications.
3. When informed that a virus has been detected, the system administrators will inform all users who may have access to the same programs or data that a virus may have also infected their system. The users will be informed of the steps necessary to determine if their system is infected as well as the steps taken to remove the virus. Users will report the results of system scanning and removal activity to the system administrators.
Removal:
1. Any machine infected by a virus will immediately be disconnected from all networks. The machine will not be reconnected to the network until system administration staff can verify that the virus has been removed. When applicable, off-the-shelf virus scanning tools will be used to remove a virus from an infected file or program. If virus-scanning software fails to remove the virus, all software on the computer will be deleted, including boot records if needed. Software will then be reinstalled from uninfected sources and rescanned for viruses.
Maximum Security Option
Description: All reasonable measures possible to prevent virus infection must be taken. More extensive user awareness training.
Benefits: Centralized virus scanning for the entire organization.
Disadvantages: Higher costs of maintaining anti-virus software and of controlling the installation of software.
Prevention:
1. The court’s appointed IT administrator must approve all applications before they can be installed on a computer. No unauthorized applications may be installed on a computer. Software configurations will be scanned on a monthly basis to validate that no extraneous software has been added to a computer.
2. Software will be installed only from approved internal servers to limit exposure to contaminated software. No software will be downloaded from the Internet onto any computer. File transfer downloads ("gets") from external sources will not be permitted.
3. Anti-virus software will be installed in file servers to limit the spread of viruses within the network. Scanning of all files and executables will occur daily on the file servers. Workstations will have memory resident anti-virus software installed and configured to scan data as it enters the computer. Programs will not be executed, nor files opened by applications prone to macro viruses without prior scanning.
4. All incoming mail and files received from across a network must be scanned for viruses as they are received. Virus checking will be performed if applicable at firewalls that control access to networks. This will allow centralized virus scanning for the entire organization, and reduce overhead by simultaneously scanning incoming messages that have multiple destinations. It also allows for centralized administration of the virus scanning software, limiting the locations on which the latest virus scanning software needs to be maintained.
5. IT administrators should be notified of update availability from the vendor and download update files and patches directly from the manufacturer’s Website via a secure connection.
6. Employee security training will include the following information about virus infection risks:
· Virus scanning software is limited to the detection of viruses that have already been identified. New and more sophisticated viruses are being developed constantly. Virus scanning software must be updated monthly, or as soon as updates arrive, to maintain currency with the latest viruses.
· It is important to inform the system administrator of any different or out of the ordinary behavior a computer or application exhibits.
· Failure to follow these policies may result in disciplinary action in accordance with organizational standards.
Detection:
1. All software must be installed on a test-bed and tested for viruses before being allowed on an operational machine. Only after receiving approval from the CIO/Security Administrator may software be moved to operational machines.
2. Use of off-the-shelf scanning software will be enhanced by state-of-the-art virtual machine emulation for polymorphic virus detection. All other new virus detection methods will be incorporated into the detection test bed. To keep abreast of the latest identified viruses, scanning software will be updated monthly or as updates arrive.
3. Virus scanning of all file systems on a daily basis is mandatory. Virus scanning results will be logged, automatically collected, and audited by the system administration staff.
4. All data imported on a computer (from floppy disk, e-mail, or file transfer) will be scanned before being used. Employees will inform the system administrator of any virus that is detected, configuration change, or different behavior of a computer or application.
5. When informed that a virus has been detected the system administrators will inform all users who may have access to the same programs or data that a virus may have also infected their system. The users will be informed of the steps necessary to determine if their system is infected and the steps to take to remove the virus.
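The Optimum and Maximum detection steps require scan results to be logged, automatically collected and audited, and they set a cadence for both scanning (daily) and signature updates (monthly or as updates arrive). Auditing those logs by hand does not scale, so the following added example (not part of the original document, and not any product's own tooling) shows the checks an administrator would automate: which hosts reported infections and whether disinfection succeeded, which hosts are running stale signatures, and which hosts have not reported a scan for the day. The key=value log layout, host names, signature dates and virus names are constructed for this example; a real product's log format differs and the parser must be adapted to it.

```python
"""
Added example: audit pass over collected virus-scan logs.
Log format, hosts, dates and virus names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed sample: one line per completed scan, "YYYY-MM-DD HH:MM:SS key=value ...".
SAMPLE_LOG = """\
2001-03-12 02:10:44 host=WS-014 dat=4123 dat_date=2001-03-07 result=clean
2001-03-12 02:11:09 host=WS-027 dat=4123 dat_date=2001-03-07 result=infected file=C:\\Temp\\invoice.doc virus=EXAMPLE/Macro.Dropper action=cleaned
2001-03-12 02:12:31 host=WS-031 dat=4061 dat_date=2000-12-18 result=clean
2001-03-11 02:10:02 host=WS-044 dat=4120 dat_date=2001-02-26 result=clean
2001-03-12 02:13:55 host=FS-01 dat=4123 dat_date=2001-03-07 result=infected file=\\\\FS-01\\share\\macros.xls virus=EXAMPLE/Macro.Dropper action=failed
"""

# Constructed inventory of hosts that are required to scan every day.
EXPECTED_HOSTS = ["WS-014", "WS-027", "WS-031", "WS-044", "WS-052", "FS-01"]


@dataclass
class ScanRecord:
    when: datetime
    host: str
    dat_date: date          # release date of the signature file in use
    result: str             # "clean" or "infected"
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> ScanRecord:
    """Parse one log line (assumes field values contain no whitespace)."""
    parts = line.split()
    when = datetime.fromisoformat(f"{parts[0]} {parts[1]}")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ScanRecord(when, fields["host"], date.fromisoformat(fields["dat_date"]),
                      fields["result"], fields)


def parse_log(text: str) -> list[ScanRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit(records: list[ScanRecord], expected_hosts: list[str],
          audit_day: date, max_sig_age_days: int = 14) -> dict[str, list]:
    """Return the findings an administrator must act on for audit_day."""
    latest: dict[str, ScanRecord] = {}
    for r in records:
        if r.host not in latest or r.when > latest[r.host].when:
            latest[r.host] = r

    findings: dict[str, list] = {
        "infected": [], "cleanup_failed": [], "stale_signatures": [], "missed_scan": []
    }
    for r in records:
        if r.result == "infected":
            action = r.fields.get("action", "?")
            findings["infected"].append((r.host, r.fields.get("virus", "?"), action))
            if action != "cleaned":          # Removal step: rebuild from clean media
                findings["cleanup_failed"].append(r.host)
    for host, r in latest.items():
        if (audit_day - r.dat_date).days > max_sig_age_days:
            findings["stale_signatures"].append((host, r.dat_date.isoformat()))
        if r.when.date() < audit_day:        # last report predates the audit day
            findings["missed_scan"].append(host)
    for host in expected_hosts:
        if host not in latest:               # never reported at all
            findings["missed_scan"].append(host)
    return findings


def demo() -> dict[str, list]:
    return audit(parse_log(SAMPLE_LOG), EXPECTED_HOSTS, date(2001, 3, 12))


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items or 'none'}")
```

The "cleanup_failed" list is the hand-off to the Removal steps: a host whose disinfection did not succeed is the one that must stay off the network until it is rebuilt from uninfected sources. The signature-age threshold is a parameter, so the same audit serves the monthly cadence in the Optimum option and the tighter "as updates arrive" cadence in the Maximum option.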
Removal:
1. Any machine infected by a virus will immediately be disconnected from all networks. The machine will not be reconnected to the network until system administration staff can verify that the virus has been removed. When applicable, off-the-shelf virus scanning tools will be used to remove a virus from an infected file or program. If virus-scanning software fails to remove the virus, all software on the computer will be deleted, including boot records if necessary. The software will then be reinstalled from uninfected sources and rescanned for viruses.