Lines of defense
Using antivirus software is just one step in securing your networks, but it's an important one
- By John McCormick
- Mar 31, 2005
The last year or so has seen unprecedented consolidation in the IT security field'especially in the antivirus business, where big companies, including Microsoft Corp., have gobbled up innovative small companies.
So on the one hand, you have fewer products to choose from. But on the other, the remaining programs will have more tools and features, as the bigger companies integrate the new technologies into their products.
There are several categories of antivirus software, and most agencies need to look at all of them. This guide addresses the broad category of antivirus software, which tackles three similar types of malware: viruses, Trojan horses and worms.
The accompanying chart includes both enterprise and small-office-home-office antivirus software. SOHO programs are often best suited for road warriors as well as workers in isolated offices, telecommuters and those in large offices who use PCs not connected to a network.
Wireless notebook PCs and personal digital assistants are probably the most at-risk devices. And laptops will eventually be connected to your network, so infections to them are a serious risk even if the mobile units don't contain any confidential information or aren't particularly important on their own.
Even cell phones can catch malware these days, so an office that protects only devices hardwired to the network remains vulnerable to a wide variety of threats.
Managing devices centrally is obviously the best option, but you need to weigh the ability of enterprise tools to properly protect individual systems. For example, should a user get updates directly from vendors or through the enterprise network? How well do the management tools work, or do they work at all, for PDAs, notebook PCs and cell phones?
When choosing an antivirus program, many managers overlook the fact that most programs will sample new viruses and send them to the vendor for analysis. That sounds like a great feature, but do you know if any confidential'or even top-secret'data is included in that code segment?
The program must provide a way you can either shut off this feature or review all code before approving transmission.
Of course, it's a good idea to be sure antivirus software has been tested, but before putting too much faith in an independent test, you need to know exactly what was tested, how it was tested and what constituted a successful test in the eyes of the testers. For instance, in the past some tests were performed with live viruses while others weren't.
Most IT departments don't have the resources to test antivirus software themselves, but at a minimum you should probably look for programs that have passed the ICSALabs testing done by TrueSecure Corp. of Mechanicsburg, Pa. See www.icsalabs.com for the most recent test results.
The infections antivirus software looks for include:Boot sector malware
, which hides in the basic control data for the operating systemExecutables
, which are contained in or masquerade as .exe or other program filesMacros
, which usually are found in Microsoft Word .doc files or Excel files, because both programs have powerful and potentially dangerous macro language tools. A simple fix is to set all computers to default to .rtf file format for Word VB worms
, which are viruses based on Visual Basic code.
Viruses are sometimes categorized by how they disguise themselves. This isn't exact, and many viruses make use of several techniques, but here is a look at some of the more dangerous current virus types:COM viruses
. If you have a legitimate .exe file, a .com file with the same file name but containing a virus will execute first under MS-DOS.Polymorphic viruses
. These transform themselves constantly to make it difficult to scan for a signature.Stealth viruses
. These will try to hide, perhaps by killing off antivirus processes.Date or random-event viruses
. Some viruses are always attacking; date or random-event viruses only activate under certain conditions.Armored viruses
. These are difficult for antivirus engineers to disassemble.
Like viruses themselves, the types of attacks are always evolving. Last year was the year of the phishing attack, which doesn't pose as much of a threat to government agencies as it does to individuals, because it usually targets financial information. But phishing could be turned against a secure network in an attempt to capture log-on credentials.
Despite all the media play that phishing and spam deservedly got, 2004 was also a banner year for viruses. It was the year when multiple viruses made the rounds and started again in just a few weeks, as new variants popped up each time a virus was stamped down.
It is clear to those who watch these things hourly that the initial virus is often rather weak but has some effect, while others are ready and waiting to be released as soon as the antivirus vendors produce a signature file to combat the previous one. There are also copycats.
A safe e-mail service, www.messagelabs.com, maintains statistics on virus infections.
Out of 147 billion messages passing through its servers in 2004, 6 percent carried a virus.
The peak was April through June when the average was nearly 10 percent, but even in November the tally was still 3 percent.
This is a common pattern, so look for virus attacks to again surge in the warmer months.
Where viruses were once the creation of misguided students or simple vandals, today many carry a payload turning infected systems into spam servers.
This commercial side of viruses is relatively new, and it means the infection is less likely to cause obvious damage to your system but is also likely to be far more sophisticated.John McCormick is a freelance writer and computer consultant. E-mail him at [email protected].