Windows Server Hack [Electronic resources] - text version

Mitch Tulloch

Hack 69 Fundamentals of a Virus-Free Network

Here are some fundamentals you need to pay
attention to if you want to keep your network free of
viruses.

This hack details some of the fundamentals
of having a virus-free network, which I have identified through
trial, error, and observation in the almost three years of working in
the dual role of SMS/Virus Protection Administrator for my employer.
As a result, we've had zero network downtime due to
virus infection since January of 2000 until now (December 2003).


Awareness


The first fundamental is awareness. Simply
put: you can't protect your network against a threat
if you don't know the threat exists. Administrators
need to keep up-to-date on viruses, current virus trends, and
application and operating-system security vulnerabilities. How aware
an administrator is of these subjects is very important, because
it affects all the decisions that an administrator will make to
protect a network from viruses.

There are several ways to gain awareness of network threats. For
information on viruses and virus trends, the web sites of antivirus
software vendors are the best place to start (I will discuss
antivirus software shortly). All of those companies have some kind of
virus-information section on their web sites.

I recommend checking the web site that corresponds with the antivirus
software that your company uses several times a day (every couple of
hours is even better). Virus writers are getting smarter and more
devious every day, and another virus like Nimda or Blaster could
spread across the globe in a matter of hours or even minutes if given
the right conditions. The more often you check, the better chance you
have of getting a heads-up on the next virus that goes worldwide.

Since antivirus vendors partly rate the threat level of a virus on
how many samples of a virus have been submitted to them by their
customers, it is also a good idea to check more than one web site for
virus information. I recommend checking out two or three, just to
keep an eye on things.

Here are a few good antivirus web sites:

Symantec (http://securityresponse.symantec.com)
Network Associates (http://vil.nai.com/vil/newly-discovered-viruses.asp)
Trend Micro (http://www.trendmicro.com/vinfo)
Computer Associates (http://www3.ca.com/virusinfo)
F-Secure (http://www3.ca.com/virusinfo)

I usually concentrate on Symantec, Network Associates, and Trend
Micro's web sites. According to the latest ICSA Labs
2002 Virus Prevalence Survey (http://www.icsalabs.com/2002avpsurvey/index.shtml),
these three companies make up about 89% of the global antivirus
software market share. If a new worldwide virus outbreak happens, one
of these three companies is probably going to be the first to have
information on it.

Microsoft has also recently started an Antivirus Information web site
(http://www.microsoft.com/security/antivirus/)
to provide one place for information on viruses that involve security
vulnerabilities in their software or operating systems. This is also
an excellent source of information for using Microsoft products to
help you keep viruses from infecting your network. Microsoft also has
a Knowledge Base article that lists other antivirus software vendors
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q49500).

For application and operating-system security vulnerabilities, I
recommend signing up for the NTBugtraq mailing list (http://www.ntbugtraq.com). If a security
vulnerability comes out, you can usually read it on this list before
you will see it anywhere else. Other good web sites include
SecurityFocus (http://www.securityfocus.com), CERT
Coordination Center (http://www.cert.org), and
TruSecure's ICSA Labs (http://www.icsalabs.com).

I also recommend signing up for Microsoft's Security
Notification Service (http://www.microsoft.com/technet/security/bulletin/notify.asp),
which will notify you via email each time a security vulnerability
from Microsoft is announced and will provide information if there is
a fix.

The complexities of viruses are increasing every day, as the Nimda
and Blaster viruses have taught us all. The vulnerabilities that
Nimda used to propagate were several months old when that virus went
worldwide. The Blaster virus taught us this lesson again as it spread
globally less than a month after the vulnerabilities it used were
announced. If more administrators had been aware of those
vulnerabilities, then Nimda and Blaster would not have had as big an
impact as they did. The lesson to learn here is this: to win the war
against viruses, awareness is the first weapon that you should have
in your arsenal.


Antivirus Software


The second fundamental for a virus-free network is
antivirus software. Now this might seem pretty
obvious; anyone who has worked in the Information Technology game
long enough knows that antivirus software is essential, especially
with viruses increasing in sophistication every day. However, which
features to look for in corporate antivirus software might not be
quite so obvious.

The following features are the ones I have identified in my
experience to be most helpful in enterprise antivirus software:

Certification

Look for a product that has been certified for use with
the operating systems you are using. ICSA Labs (http://www.icsalabs.com) is a good place to
look.

Easy to update

One of the most important things to look for is antivirus software
that makes it easy to update virus definitions. Antivirus software
that requires updates to be deployed with third-party software
distribution or any other means that are separate from the antivirus
software's own processes can lead to logistical
problems when deploying the updates, depending on the size of the
network environment and the method of deployment. Antivirus software
with some kind of built-in update process is much more desirable.
Also, antivirus software whose updates require user
intervention or a reboot to install can lead to similar logistical
problems. A built-in, automated, and silent update delivery system
will yield much better results and ensure that the software is
updated properly.

Frequency of updates

When checking out antivirus software, take a look at the
company's web site to see how often they provide
updates and how they handle virus-definition files in emergencies.
Make sure that their policy meets the needs of your environment.

Centralized configuration

Antivirus software that has the ability to configure all the
clients on your network from one centralized console is a lot easier
to manage and helps ensure that configuration is consistent.

Real-time background scanning

Antivirus software that has the ability to scan files in
the background, without user intervention, is essential in
today's virus environment. Being able to configure
which files the software scans in the background is also important.

Heuristic capability

Antivirus software that has the ability to detect virus-like behavior
in a file's operation could help identify new
viruses and new variants of already-discovered viruses.

Remote scanning capability

If you have a virus incident on your hands, the ability to initiate a
scan remotely on one workstation or server, and on the entire network if
necessary, could be what keeps your network from getting damaged due
to a virus infection.

Alerting capability

With the speed that viruses spread these days, it is essential to
have antivirus software that is able to send alerts when a computer
virus is found. Without this functionality, you could have viruses
hitting every workstation and server on your network and you
wouldn't know about it.

Support for mobile computers

Not many businesses today can survive without laptops. If at all
possible, look for software that is able to handle updating computers
that are constantly mobile.

Reporting capability

If you work for anyone that has Manager in her
title, then you are going to have to produce some kind of report on
virus activity at one time or another. Help yourself out by looking
for antivirus software that can create those reports for you.


This list is by no means exhaustive. Some of the things I have listed
here might not be important to you at all, and I might not have
included things that you consider important. The list of essential
features depends on the networking environment you are working in and
the operating systems that you have to support. Hopefully, this list
will lead you in the right direction if you are considering your own
needs for antivirus software.


Interception


The third fundamental of a virus-free network is
interception. Simply put: a user
can't execute a virus if the virus
isn't there.

In the current environment of viruses, things can change quickly.
Since a large percentage of viruses in the wild propagate through
email these days, a new virus can spread worldwide in a few hours
under the right conditions. Depending on the virus, sometimes it
takes antivirus software companies several hours to come up with
virus-definition files that can contain a new worldwide threat. The
best way to protect your network from new virus threats like this is
to block all incoming instances of the file types that are known to
propagate viruses from reaching your corporate email system.

Now, some would tell you just to block certain files or certain
subject lines in emails, because the thought of blocking too much
email would cause too many problems. Back when the Loveletter virus
came out, this might have been a viable option. Now it is not. The
sophistication of viruses has increased, and now just about
everything a virus generates is random. (A good example is the
W32.Klez.H@mm virus; see http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mml.)
The only common thread you can use is the file types that viruses
themselves use.

Are legitimate files going to be stopped by using this method? Yes, they
will. However, the rewards greatly outweigh the minor inconvenience
that this method might cause your user base. In the almost three
years I worked in my previous job, we stopped over 7,300 viruses.
From that number, I would say that over 90% of the viruses that we
stopped were volatile email attachments. On several occasions, using
this method protected us from worldwide virus threats before
antivirus vendors were able to provide new virus-definition files.

With all of this in mind, the next thing to think about is which file
types need to be blocked. A good place to start is the files that are
restricted from being accessed after the Outlook 98/2000 E-Mail
Security Update (http://office.microsoft.com/assistance/preview.aspx?AssetID=HA010550011033&CTT=6)
has been installed (this functionality is embedded into Office
XP):

.ade    Microsoft Access project extension
.adp    Microsoft Access project
.bas    Visual Basic class module
.bat    Batch file
.chm    Compiled HTML Help file
.cmd    Windows NT command script
.com    MS-DOS application
.cpl    Control Panel extension
.crt    Security certificate
.exe    Application
.hlp    Windows Help file
.hta    HTML application
.inf    Setup information file
.ins    Internet communication settings
.isp    Internet communication settings
.js     JScript file
.jse    JScript encoded script file
.lnk    Shortcut
.mdb    Microsoft Access application
.mde    Microsoft Access MDE database
.msc    Microsoft common console document
.msi    Windows Installer package
.msp    Windows Installer patch
.mst    Visual Test source file
.pcd    Photo CD image
.pif    Shortcut to MS-DOS program
.reg    Registration entries
.scr    Screen saver
.sct    Windows Script Component
.shs    Shell Scrap object
.url    Internet shortcut
.vb     VBScript file
.vbe    VBScript encoded script file
.vbs    VBScript script file
.wsc    Windows Script Component
.wsf    Windows script file
.wsh    Windows Scripting Host settings file

At my organization, we use a large part of this list, in addition to
other files we feel could pose a potential threat in the future due
to their nature. For example, we also restrict the following files:

.ocx    ActiveX control
.swf    Shockwave Flash object
.wmv    Windows Media audio/video file

The way in which this policy is implemented depends on the
configuration of your network and which security measures that you
currently use. For an additional perspective on which file types to
block, see the following section.
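As an added illustration, not code from the book, here is a small Python gateway-style check that applies the attachment policy above to a parsed message: it uses the standard email library, matches the final extension case-insensitively so a disguised name such as Invoice.TXT.vbs is still held, and returns the names of attachments to quarantine. The blocklist reflects the two lists above; the sample message and its addresses are constructed.

```python
import email
from email import policy

# Extensions this hack recommends holding at the mail gateway (the Outlook
# E-Mail Security Update list plus the .ocx/.swf/.wmv extras), lower-case.
BLOCKED_EXTENSIONS = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt", ".exe",
    ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk", ".mdb", ".mde",
    ".msc", ".msi", ".msp", ".mst", ".pcd", ".pif", ".reg", ".scr", ".sct", ".shs",
    ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf", ".wsh", ".ocx", ".swf", ".wmv",
}

def is_blocked_name(filename):
    """Case-insensitive check on the final extension, so a disguised
    'Invoice.TXT.vbs' is caught; names without an extension pass."""
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS

def blocked_attachments(raw_message):
    """Return the attachment names in raw_message that the policy holds."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()
            if is_blocked_name(p.get_filename())]

# Constructed sample, not captured traffic: subject and body are arbitrary
# (as with Klez), so only the attachment types give the filter a handle.
SAMPLE = """From: sender@example.com
To: helpdesk@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Invoice.TXT.vbs"
Content-Disposition: attachment; filename="Invoice.TXT.vbs"

(constructed placeholder body)
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

%PDF-placeholder
--b1--
"""
```

Running `blocked_attachments(SAMPLE)` returns only the .vbs name; the PDF passes through.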

Blocking potentially unsafe email attachments is by no means the only
security measure that you should take to protect your network from
viruses. However, if you add this protection to what I have outlined
here, you will have strong groundwork that could protect you from the
next virus threat. Be sure to check out my column at myITforum.com
(http://www.myitforum.com) for
more tips on keeping your network virus-free.


Interception Redux


Here's another perspective (mine, Brian Rogers) on
how to keep your network free of viruses by configuring your
antivirus software to block certain file types.

I'd like to share my own recommendations for file
types that should be blocked to keep your network free of viruses. I
posted this list to the AntiVirus discussion forum at myITforum.com
(http://www.myitforum.com) a while
back. I compiled my list from various web sites and added a few of my
own:

.bas    Microsoft Visual Basic class module
.bat    Batch file
.cab    Cabinet installation file
.chm    Compiled HTML help file
.cmd    Microsoft Windows NT command script
.com    Microsoft MS-DOS program
.cpl    Control Panel extension
.crt    Security certificate
.exe    Program
.hlp    Help file
.hta    HTML program
.inf    Setup Information
.ins    Internet Naming Service
.isp    Internet Communication settings
.js     JScript file
.jse    JScript Encoded Script file
.lnk    Shortcut
.mde    Microsoft Access MDE database
.msc    Microsoft Common Console document
.msi    Microsoft Windows Installer package
.msp    Microsoft Windows Installer patch
.mst    Microsoft Visual Test source files
.pcd    Photo CD image, Microsoft Visual compiled script
.pif    Shortcut to MS-DOS program
.reg    Registration entries
.scr    Screen saver
.sct    Windows Script component
.shs    Shell Scrap object
.shb    Shell Scrap object
.url    Internet shortcut
.vb     VBScript file
.vbe    VBScript Encoded script file
.vbs    VBScript file
.wsc    Windows Script Component
.wsf    Windows Script file
.wsh    Windows Script Host Settings file

Ever since we blocked attachments with these extensions, we
haven't had a single virus infection via email.

Chris Mosby and Brian Rogers
