Hack 69 Fundamentals of a Virus-Free Network

Here are some fundamentals you need to pay attention to if you want to keep your network free of viruses.

This hack details some of the fundamentals of having a virus-free network, which I have identified through trial, error, and observation in the almost three years of working in the dual role of SMS/Virus Protection Administrator for my employer. As a result, we've had zero network downtime due to virus infection since January of 2000 until now (December 2003).

Awareness

The first fundamental is awareness. Simply put: you can't protect your network against a threat if you don't know the threat exists. Administrators need to keep up-to-date on viruses, current virus trends, and application and operating-system security vulnerabilities. How aware an administrator is about these subjects is very important, because it effects all the decisions that an administrator will make to protect a network from viruses.

There are several ways to gain awareness if network threats. For information on viruses and virus trends, the web sites of antivirus software vendors are the best place to start (I will discuss antivirus software shortly). All of those companies have some kind of virus-information section on their web sites.

I recommend checking the web site that corresponds with the antivirus software that your company uses several times a day (every couple of hours is even better). Virus writers are getting smarter and more devious everyday, and another virus like Nimda or Blaster could spread across the globe in a matter of hours or even minutes if given the right conditions. The more often you check, the better chance you have of getting a heads up on the next virus that goes worldwide.

Since antivirus vendors partly rate the threat level of a virus on how many samples of a virus have been submitted to them by their customers, it is also a good idea to check more than one web site for virus information. I recommend checking out two or three, just to keep an eye on things.

Here are a few good antivirus web sites:

Symantec (http://securityresponse.symantec.com)

Network Associates (http://vil.nai.com/vil/newly-discovered-viruses.asp)

Trend Micro (http://www.trendmicro.com/vinfo)

Computer Associates (http://www3.ca.com/virusinfo)

F-Secure (http://www3.ca.com/virusinfo)

I usually concentrate on Symantec, Network Associates, and Trend Micro's web sites. According to the latest ICSA Labs 2002 Virus Prevalence Survey (http://www.icsalabs.com/2002avpsurvey/index.shtml), these three companies make up about 89% of the global antivirus software market share. If a new worldwide virus outbreak happens, one of these three companies is probably going to be the first to have information on it.

Microsoft has also recently started an Antivirus Information web site (http://www.microsoft.com/security/antivirus/) to provide one place for information on viruses that involve security vulnerabilities in their software or operating systems. This is also an excellent source of information for using Microsoft products to help you keep viruses from infecting your network. Microsoft also has a Knowledge Base article that lists other antivirus software vendors (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q49500).

For application and operating-system security vulnerabilities, I recommend signing up for the NTBugtraq mailing list (http://www.ntbugtraq.com). If a security vulnerability comes out, you can usually read it on this list before you will see it anywhere else. Other good web sites include SecurityFocus (http://www.securityfocus.com), CERT Coordination Center (http://www.cert.org), and TruSecure's ICSA Labs (http://www.icsalabs.com).

I also recommend signing up for Microsoft's Security Notification Service (http://www.microsoft.com/technet/security/bulletin/notify.asp), which will notify you via email each time a security vulnerability from Microsoft is announced and will provide information if there is a fix.

The complexities of viruses are increasing every day, as the Nimda and Blaster viruses have taught us all. The vulnerabilities that Nimda used to propagate were several months old when that virus went worldwide. The Blaster virus taught us this lesson again as it spread globally less than a month after the vulnerabilities it used were announced. If more administrators had been aware of those vulnerabilities, then Nimda and Blaster would not have had as big an impact as they did. The lesson to learn here is this: to win the war against viruses, awareness is the first weapon that you should have in your arsenal.

Antivirus Software

The second fundamental for a virus-free network is antivirus software. Now this might seem pretty obvious; anyone who has worked in the Information Technology game long enough knows that antivirus software is essential, especially with viruses increasing in sophistication everyday. However, which features to look for in corporate antivirus software might not be quite so obvious.

The following list of features are things I have identified in my experience to be most helpful in enterprise antivirus software:

Certification: Look for a product that has been certified for use with the operating systems you are using. ICSA Labs (http://www.icsalabs.com) is a good place to look.
Easy to update: One of the most important things to look for is antivirus software that makes it easy to update virus definitions. Antivirus software that requires updates to be deployed with third-party software distribution or any other means that are separate from the antivirus software's own processes can lead to logistical problems when deploying the updates, depending on the size of the network environment and the method of deployment. Antivirus software with some kind of built-in update process is much more desirable. Also, antivirus software that has updates that require user intervention or a reboot to install can lead to similar logistical problems. A built-in, automated, and silent update delivery system will yield much better results and ensure that the software is updated properly.
Frequency of updates: When checking out antivirus software, take a look at the company's web site to see how often they provide updates and how they handle virus definition files in emergencies. Make sure that their policy meets the needs of your environment.
Centralized configuration: Antivirus software that has the ability to configure all the clients on your network from one centralized console is a lot easier to manage and helps ensure that configuration is consistent.
Real-time background scanning: Antivirus software that has the ability to scan files in the background, without user intervention, is essential in today's virus environment. Being able to configure which files the software scans in the background is also important.
Heuristic capability: Antivirus software that has the ability to detect virus-like behavior in a file's operation could help identify new viruses and new variants of already-discovered viruses.
Remote scanning capability: If you have a virus incident on your hands, the ability to initiate a scan remotely on one workstation or server, and the entire network if necessary, could be what keeps your network from getting damaged due to a virus infection.
Alerting capability: With the speed that viruses spread these days, it is essential to have antivirus software that is able to send alerts when a computer virus is found. Without this functionality, you could have viruses hitting every workstation and server on your network and you wouldn't know about it.
Support for mobile computers: Not many businesses today can survive with out laptops. If at all possible, look for software that is able to handle updating computers that are constantly mobile.
Reporting capability: If you work for anyone that has Manager in her title, then you are going to have to produce some kind of report on virus activity at one time or another. Help yourself out by looking for antivirus software that can create those reports for you.

This list is by no means exclusive. Some of the things I have listed here might not be important to you at all, and I might not have included things that you consider important. The list of essential features depends on the networking environment you are working in and the operating systems that you have to support. Hopefully, this list will lead you in the right direction if you are considering your own needs for antivirus software.

Interception

The third fundamental of a virus-free network is interception. Simply put: a user can't execute a virus if the virus isn't there.

In the current environment of viruses, things can change quickly. Since a large percentage of viruses in the wild propagate through email these days, a new virus can spread worldwide in a few hours under the right conditions. Depending on the virus, sometimes it takes antivirus software companies several hours to come up with virus-definition files that can contain a new worldwide threat. The best way to protect your network from new virus threats like this is to block all incoming instances of the file types that are known to propagate viruses from reaching your corporate email system.

Now, some would tell you just to block certain files or certain subject lines in emails, because the thought of blocking too much email would cause too many problems. Back when the Loveletter virus came out, this might have been a viable option. Now it is not. The sophistication of viruses has increased, and now just about everything a virus generates is random. (A good example is the W32.Klez.H@mm virus; see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html.) The only common thread you can use is the file types that viruses themselves use.

Are legitimate files going to stopped by using this method? Yes, they will. However, the rewards greatly outweigh the minor inconvenience that this method might cause your user base. In the almost three years I worked in my previous job, we stopped over 7,300 viruses. From that number, I would say that over 90% of the viruses that we stopped were volatile email attachments. On several occasions, using this method protected us from worldwide virus threats before antivirus vendors were able to provide new virus-definition files.

With all of this in mind, the next thing to think about is which file types need to be blocked. A good place to start is the files that are restricted from being accessed after the Outlook 98/2000 E-Mail Security Update (http://office.microsoft.com/assistance/preview.aspx?AssetID=HA010550011033&CTT=6) has been installed (this is functionality is embedded into Office XP):

.ade: Microsoft Access project extension
.adp: Microsoft Access project
.bas: Visual Basic class module
.bat: Batch file
.chm: Compiled HTML Help file
.cmd: Windows NT command script
.com: MS-DOS application
.cpl: Control Panel extension
.crt: Security certificate
.ext: Application
.hlp: Windows Help file
.hta: HTML applications
.inf: Setup information file
.ins: Internet communication settings
.isp: Internet communication settings
.js: JScript file
.jse: JScript encoded script file
.lnk: Shortcut
.mdb: Microsoft Access application
.mde: Microsoft Access MDE database
.msc: Microsoft common console document
.msi: Windows Installer package
.msp: Windows Installer patch
.mst: Visual test source file
.pcd: Photo CD image
.pif: Shortcut to MS-DOS program
.reg: Registration entries
.scr: Screen saver
.sct: Windows Script Component
.shs: Shell Scrap object
.url: Internet shortcut
.vb: VBScript file
.vbe: VBScript encoded script file
.vbs: VBScript script file
.wsc: Windows script component
.wsf: Windows script file
.wsh: Windows Scripting Host settings file

At my organization, we use a large part of this list, in addition to other files we feel could pose a potential threat in the future due to their nature. For example, we also restrict the following files:

.ocx: Active X control
.swf: Shockwave Flash object
.wmv: Windows Media audio/video file

The way in which this policy is implemented depends on the configuration of your network and which security measures that you currently use. For an additional perspective on which file types to block, see the following section.

Blocking potentially unsafe email attachments is by no means the only security measure that you should take to protect your network from viruses. However, if you add this protection to what I have outlined here, you will have strong groundwork that could protect you from the next virus threat. Be sure to check out my column at myITforum.com (http://www.myitforum.com) for more tips on keeping your network virus-free.

Interception Redux

Here's another perspective (mine, Brian Rogers) on how to keep your network free of viruses by configuring your antivirus software to block certain file types.

I'd like to share my own recommendations for file types that should be blocked to keep your network free of viruses. I posted this list to the AntiVirus discussion forum at myITforum.com (http://www.myitforum.com) awhile back. I compiled my list from various web sites and added a few of my own: