CEDPA Logo DataBus Header

 
Conference
DataBus Index
Listservs
Presentations
Events
Organization
Bylaws
Directors
More Info
CEDPA Home

Issue Index

   DataBus - Vol 41 No. 2: February-March, 2001
  
Best Practices Anti-Virus Strategy Guide Download MS Word Document
Download this article


Computer viruses have become a ubiquitous feature of modern computing. New major virus threats like the Melissa, W32/ExploreZip.worm, and most recently, the LoveLetter virus, are appearing on an all too frequent basis. These viruses can all have effects on your PCs (being rogue applications interacting with your machine) and business, ranging from employee downtime, user distractions, and add to the workload of the help desk. An anti-virus solution that limits the mischief that these viruses can cause is therefore a necessity.
 
Anti-Virus software is as complex as any enterprise application to install and rollout to a large user-base. Unfortunately, Anti-Virus software requires regular updating to be effective. At this stage, most vendors offer weekly updates, but there is already a requirement growing from industry for daily and even hourly updates.
 
The 1999 ICSA Virus Prevalence Survey provides some astonishing data, "over 4/5ths of respondents claimed to have at least 90% coverage of PCs with anti-virus protection." Yet very few of the same respondents had anti-virus protection installed and active at the mail and gateway levels.
 
Furthermore, although many networks have anti-virus software installed, this does not mean that they are prepared to respond effectively in the event of a virus outbreak. Within many organizations, it is common problem to see desktops and servers with a lack of up-to-date anti-virus protection. Some common challenges contributing to this problem include: conflicting programs, inefficient or inoperable distribution processes for new, critical DAT files, no clear anti-virus policy, or over-utilised IT resources.
 
McAfee, a Division of Network Associates, Inc. is a company that is uniquely qualified and committed to assisting companies with the successful implementation of the industry's most effective enterprise anti-virus protection. The first step in this endeavor is to create an effective anti-virus strategy. Thus, the purpose of this document is to help you recognise the current virus threats you face, and to create an appropriate anti-virus strategy to counteract these virus threats.
 
When reviewing this guide, you should first consider the following qualifying questions:
  1. Do you consider viruses to be a threat to your organization?
     
  2. Do you use and share electronic data?
     
  3. Do you have an anti-virus strategy, identifying what the virus threat is to your business and the policies and procedures to protect your data from virus infection, corruption or deletion?
     
  4. Does the strategy include concepts such as these?
    • A policy defining what products are installed, how they are configured and maintained.
    • A method for implementing the policies in your infrastructure.
    • A policy and associated procedure for dealing with virus outbreaks.
    • Documentation of the strategy to allow any member of your IT team to manage your anti-virus tools.
    • Procedures and guidelines for users.

  5. How do you assess the effectiveness of your anti-virus strategy?
     
  6. When did you last review your anti-virus strategy? Does it reflect the current threat, the trend of viruses that propagate via e-mail and the web, and changes in your IT infrastructure?
If you don't have answers to the above questions, then read on, as the next several pages will get you on your way to creating an effective anti-virus strategy for your organization.
 
Identifying the threat
 
Before you create your anti-virus strategy, you must first review your working environment. That is, to be able to protect against the virus threat, you must first understand the threat to your organization.
 
For example, a single home user with a dial-up ISP web connection, faces a very different threat to a corporate business. Home users need protection against the data they download from the web, e-mails they send and receive, and the media they use in the PC. For most, the effects of a virus are annoying and time-consuming, but do not result in revenue loss. The corporate business often relies on the data such as customer information and records to help them create revenue. This important, and often critical data, is the reason for anti-virus protection. If the data is lost or corrupted, business revenue is directly affected. As such, the need for protection is essential and the possible sources of infection increase with the size and detail of their IT infrastructure.
 
How do I identify the threat?
 
So, having understood the need to quantify why we need to protect, you should ask the following questions:
  1. How can a virus enter my organization?
     
  2. Where can a virus be stored within my organization?
     
  3. How can viruses be transferred or replicated around my organization?
     
  4. Where does a virus get triggered within my organization?
The next sections explain the common threats that we have seen in the different levels of organizations.
 
Small enterprise
 
Physical Media - Still used in virtually every business, whether it be the traditional floppy disk, through to Jaz drives, optical disks and CD-ROMs. These all contain data that could be virus-infected and so virus scanning is required. The strategy decision is whether to rely on the desktop anti-virus software to either proactively scan the media using an On-Demand scanner, or rely on the On-Access scanner to pick up infected media as its used. Traditionally many businesses have followed a procedure, such as passing the media to IT support to be scanned using a stand-alone dedicated machine known as a footbath or sheep-dip. These normally have one or more anti-virus products installed and some simple menu to allow staff to check the media. Some companies (such as many government agencies) also have such machines in reception, and request all visitors to scan any media they bring on site prior to usage at the PC. Beyond its physical ability to act as a front line of virus defense, the footbath or sheepdip machine also acts in this instance as a marketing tool, showing the company to be a virus-aware and security-conscious organization.
 
PCs - Traditionally still the backbone of most virus outbreaks, the workstation is the location that most viruses are triggered and replicate. We will focus later in this document on the policies used to protect the user's machine.
 
Servers - These offer a dual threat in terms of virus outbreak. Firstly the servers in your organization normally contain your mission-critical business data. As such, they should be considered as the core of your anti-virus protection strategy. In most instances, this is the most important data to the business and should be backed up on a regular basis. Secondly, most servers also act as the data communication hub for the workstations. So servers also lend themselves to the threat of being a virus storage and transfer mechanism. This means when looking to protect your server, you should consider carefully protecting not just the long-term data stored, but also the connections made to the server from networks or other forms of remote node.
 
Dialup ISPs (web and e-mail access) - From the small single-node business to global corporations, most have users (often with laptops) that have modem dialup accounts to ISPs. These offer their own unique virus threat on two levels. First, they allow the user to gain access to public e-mail and the web, via a method outside of the corporate standard. This means they fall outside the general considerations of the protection strategy. Most corporations will funnel users through a single point of access to the web which can be controlled by a firewall and scanned with the appropriate anti-virus software. The dialup ISP offers a method to circumnavigate this protection. Second, they offer access to known shortcuts for communication such as Hotmail Internet mail. We have seen instances when normal corporate mail has been disabled due to a virus outbreak, and users have then turned to these other forms of communication, which may also be an everyday entrance "hole" for viruses into your network.
 
Medium Enterprise
 
Laptops - Common to virtually every organization, these are probably the hardest resource on which to maintain an effective level of virus protection. Because they are portable, they are very open to infection. It is common practice to take these onto other customer/client sites. And there is an increased temptation to share data as the users are outside the physical restraints and control of their own organization. Add to this, most laptop users today will have Remote Access Server (RAS) access to their corporate mail account and in many instances the corporate network, they pose not only a threat to themselves but also a threat to your network. Generally there are two main approaches adopted to protecting laptops.
  1. Primarily the solution is to give them strong all-round anti-virus protection (that is, On-Access scanning and On-Demand scanning against all forms of data transfer, such as e-mail, web access and file access). The difficulty with this can come with the maintenance of the software. You need a web-based form of update that is small and simple to apply, using the client anti-virus software. Where you can not gain updates from the web, many still send physical updates out to laptop users, however these can take time to reach the users, and regular updating can become costly.
     
  2. The alternative solution is to treat the laptop as a unknown quantity within the business. This still means providing best endeavors of anti-virus protection, but ensuring before the laptop users can gain access to the main network, their machines are checked for viruses using the latest versions of anti-virus software (often triggered via a login script). Or this means controlling what access they have to the LAN, and ensuring the data on that segment of the LAN is well protected against being infected by the laptop user.
Remote Users - Although the access to media from other organizations is not prevalent, they again work outside of the physically controlled environment and can again be a greater threat to the business than your standard local networked users. When looking to add remote users to your anti-virus strategy, you should consider them in the same light as the laptop user.
 
WAN links - Much as the local server, these act as key flow points of data between segments of the LAN. When reviewing the virus threat and your anti-virus strategy, these should be considered for two reasons. Firstly in instances of file-based virus outbreaks these can act as flow barriers limiting how far the virus can spread. Secondly they offer a key point of protection, that requires little effort to maintain.
 
Corporate e-mail and web access - The '99 ICSA Virus Prevalence Survey defined over 50% of all infections outbreaks as being e-mail-based. And we suspect that about 80% of virus infections are now e-mail or web related. This has been the result of two changes. Firstly we all now use both mechanisms for sharing files specifically Microsoft Office documents. Again the ICSA report accounted for 2/3rds of all virus outbreaks being macro-based. Secondly we have seen the instigation and rapid growth of viruses that proactively use MAPI mail to replicate themselves around the organization, by grabbing user information from the address books and sending infected mails using VBS scripting. To date, this is probably the weakest point of most organizations anti-virus strategies, with many organizations failing to recognize and/or address this threat. This highlights why regular reviews of your anti-virus strategy are so important. Many organizations rely on the desktop protection to protect against this threat, which is ill-advised. First, this relies on all workstations being covered with up-to-date anti-virus software. In other words, a single line of protection must be 100% consistent to be effective. Multi-layered defense gives the cross-cover where some areas may fall short of the desired level of protection.
 
In reality, 100% perfect desktop anti-virus coverage is an un-achieveable target. A 90-95% desktop coverage is the realistic goal you should aim to achieve. The second issue with relying on desktop cover is the fact that most mail systems are proprietary. That means your desktop anti-virus scanner must be able to understand and scan within that environment. If this is the case, you will be able to protect the users' mail, otherwise the user will still be protected against running any attachments by their on-access scanner, but they will not be able to clean any viruses in the mail system. It makes strategic sense to have a central tool local to the mail system and gateway to scan data throughput. This allows access to both scan and clean both mail, databases and web downloads for all connected users from a single source. As we will examine in more detail later, having this key point of detection can be very important both for simplicity of maintenance anddealing with outbreaks.
 
Alternative data storage - UNIX, DMS, backups (HSM) - Traditionally this is an area of protection that is overlooked as it is not considered live media. However the above examples, along with many others that can be found in industry, can be used to store and access data. When either running a regular virus sweep of all your media or completing a clean up these should be included. Careful consideration should be given as to how this can be achieved. Can you simply map to the device and scan all the data?
 
Or is there an anti-virus product that can be installed locally? When investigating this, you should be looking for an on-demand scanner and scheduler. Obviously with such devices, viruses can not be triggered so an on-access scanner is less important. You simply need to be able to scan the device to check that is not acting as a storage device for the virus.
 
Large Enterprise
 
Autonomous business units and the links between them - With large corporate organizations, the IT infrastructure and anti-virus strategies can often be mixed - the result of different businesses merging together or the autonomy of each unit within the business. Here each business unit may have autonomy or mixed vendors for anti-virus software. Two key concepts should be followed. First, it is important to aim for consistent levels of protection. As such, a common generic anti-virus strategy should be applied across the units, which is best implemented with the tools from each anti-virus vendor's products. This includes maintaining and updating the products with a consistent and common strategy. Second, there must be some common auditing between the units. That is, when one discovers an outbreak, they share information about the virus and how to deal with it with the other units. It is a beneficial business practice to share information about the products and levels of protection each unit has.
 
Shared applications and data with other organizations - Within many of today's large-scale organizations, data resources are shared between organizations (both within and outside a single company). This provides an new risk to the organization as you have a remote site that can access your network, yet you have no control or influence over their anti-virus strategy. Where such links occur, you should control the level of access they have to your network, limited to only the required data resource areas. In addition where possible, the method of communication linking the business together should have anti-virus software installed to check any data they write to your network.
 
Data encryption - Over the last few years, we have seen a steady growth in the use of encryption of data - from the simple password protection offered in Microsoft Office to the more advanced strong encryption techniques used in end-to-end encryption tools such as PGP and VPN network connections. All offer the same threat in terms of viruses. The data can not in most instances be scanned until it is decrypted at destination, and most anti-virus products can not identify the data as encrypted as opposed to regular scannable data. With weaker encryption, many anti-virus products can scan through the encryption. Be aware that recent versions of Microsoft Office have been using increasing stronger encryption. It is important when creating your anti-virus strategy is to understand what forms of encryption are used within your organisation, whether your anti-virus software can either scan through it or simply highlight the encrypted data. For encrypted data that can not be scanned or identified by your anti-virus product, you need to ensure the end point where the data is decrypted and accessed has the appropriate anti-virus software installed that can check the data as it is accessed.
 
Protecting Against the Threat
High-level anti-virus strategy
 
Having reviewed the virus threat to your organization, you can now start to create your anti-virus strategy to protect against it. An anti-virus strategy should be based on protection policies and the procedures required to protect against viruses. At a high level, these can be broken down into the following sections:
  • Identify the data points to scan for viruses within your organization. This should include incoming data, outgoing data, and data being passed around the organization. You should be able to identify these from the threat analysis you have completed.
     
  • Outline the anti-virus tools and their configurations that you wish to use to protect against the threat at each data point.
     
  • Define when and what procedure should be used to maintain and update the anti-virus tools/products.
     
  • Define the processes to be followed during a virus outbreak.
     
  • Decide how to make users aware of the virus threat, and how to help them to deal with virus outbreaks (awareness and training).
Once defined on paper, these policies and procedures should be implemented at an electronic level.
 
Policies and procedures
What anti-virus tool should be used?
 
At each data point raised in the threat analysis, you must now review what anti-virus tools to use. In an ideal world, all points would have an on-access scanner installed.
 
The On-Access Scanner (OAS) is loaded automatically into memory as the operating system or resource starts. It then monitors disk or data activity, intercepting and scanning for viruses. If desired, in most instances (providing the virus is not active in memory) the scanner can clean the infection. This form of scanning has a number of key benefits. It is automated, it detects viruses in real time, and requires no human intervention to function correctly.
 
In addition to the on-access scanner, most anti-virus products include an On-Demand Scanner (ODS). This scans for viruses only when triggered, usually scanning a specific segment of data, such as a file, folder, drive or database. The benefit of the ODS is that it checks all files, not just those being accessed. As such, it is specially useful when completing a virus clean-up, by allowing you to ensure all data is virus-free. It is also commonly used to check incoming media, such as with footbath/sheep-dip techniques (described earlier in this document) or locally on the user's PC.
 
Within McAfee's VirusScan product, we include four different on-access scanners.
System Scan Monitors standard file and disk activity on the PC.
E-mail Scan Scans MAPI-based mail as received to your mailbox. Lotus Mail and Internet-based mail including HTTP and POP3 through the download scanner component.
Download Scan Scans HTTP Web downloads.
Internet Filter Checks for malicious Java and ActiveX, and blocks IP or URL addresses.
When would you use each of these components? In a typical networked environment, the e-mail server and Internet gateway should be protected with their own anti-virus software. As such, all the components beyond a basic system scan are providing duplicate scanning of data. This can be beneficial as cross-check scanning but should not be considered as essential to your anti-virus strategy. So, in what instances should you use these additional scanners?
 
In the small business model where there is no central point for mail and web downloads, each user may be connecting locally to the web via an ISP and as such the protection must be local to the user's machine. This same scenario applies in two variations to larger organizations.
 
First, the similar situation often applies with laptop users who have dial-up ISP accounts. Second, they may be used when for what ever reason the organization does not have anti-virus protection at the server or gateway (although this can be a less effective method).
 
When reviewing what anti-virus tool to use at each level, you must consider the following. Is the PC suitable to support an OAS? Most workstations are, but it is common to find both file and e-mail servers that are already suffering from excess workload, running at dangerously high utilization rates. In such cases, the ideal solution would be to upgrade that PC to deal with the workload. When reviewed in the bigger Total Cost of Ownership (TCO) picture, this is always cheaper than the cost of a virus outbreak. However when upgrading is not available, two alternatives should be considered:
  • It would be unwise to load an OAS with normal scan settings (to check all possibly infectable data). This can be the metaphoric straw that breaks the server's back. As such, common sense should be used and trade-offs made, such as not scanning all data files (for example, scanning only mission-critical data). This allows the OAS to function with limited resources. When this is the case, the ODS should be run against the rest of the data on a regular basis.
     
  • Simply rely on only on-demand scans run on a regular basis. Note that this would not stop virus infection, but would limit the period during which the virus could spread.
Where you have mission-critical data such as that stored on servers, you may wish to implement both forms of scanning - the OAS to check data as accessed, and the ODS to complete a thorough sweep of all the data on a regular basis (usually in periods of low-volume traffic). In such instances, some thought should be given as to how the on-demand scanning is scheduled.
  • It is recommended to scan data prior to running backups. This ensures the data you are backing up is virus-free.
     
  • You should examine the size and type of data you are scanning. This will affect the time taken to scan the data. Where you have large volumes of data, you may wish to break the scanning down into manageable segments - scan a different segment each week night while the server is less active and then scan all the data over the weekend.
How is the anti-virus software installed?
 
Depending on the size of the business, you may already have tools or infrastructure for deploying software to PCs (such as SMS, Tivoli). If this is the case, you may look to deploy your anti-virus software using these same software deployment tools.
 
However there are several areas to consider:
  • It is very likely you will want to customize the setting of your anti-virus tool as part of your deployment.
     
  • You may need to update the product with newer virus definition sets, engine components or patches. Can these be wrapped up and included in your deployment strategy as a single install?
The McAfee Installation Design utility allows you to rebuild the install MSI package and customize options such as the anti-virus components you wish to install, import the configurations of the components and apply new virus definition files, engine updates, and where required, patches as a single new install process.
 
Alternatively you may look to your anti-virus vendor to provide you with tools to either build a customized install package, or provide you with an enterprise management solution. Different environments require different solutions. Does your vendor provide you with a management tool to suit your requirements? Does your vendor provide consulting services to support deployment efforts? Network Associates offer two installation and management tools ePolicy Orchestrator (ePO) and Management Edition. Table 1 compares the current functionality between ePO 1.1 and Management Edition 2.5. 
TABLE 1.
  ePolicy Orgestrator 1.1 Management Edition 2.5
Installs Anti-Virus Components Yes Optimized for Installs, multiple repositories
Management tool must install Anti-Virus components to be able to manage them No Yes
Methods of installing management client to PC Push, e-mail, scripted, manual Push, manual, scripted
Policy Management Real-time enforcement When initiated at console
Virus Reporting Drill-down graphical reports Tabular Virus logging
Coverage Reporting Drill-down graphical reports Summary text reports
Networking protocol support HTTP/IP IP, IPX, NETBEUI
Maximum numbers of clients manageable from single console 100,000 5000
Support for linked management consoles Yes, merge reporting only Yes
You should review the ability of any anti-virus management tools to integrate with your existing anti-virus deployment and management tools. For example, does the anti-virus management tool allow you to maintain, upgrade, and enforce policy settings for existing anti-virus tools you already have deployed, both current and older versions? Can it support autonomous installations of the product, or does it need to be pushed out with the anti-virus tools to be able to manage them?
 
ePolicy Orchestrator allows the management of autonomously installed anti-virus software. It supports the policy management of the following products:
  • VirusScan 4.03(a)
     
  • VirusScan 4.5
     
  • VirusScan Thin Client (TC) 6.0
     
  • NetShield for NT 4.03(a)
     
  • NetShield 2000 (v4.5)
     
  • GroupShield Domino 5.0
How are the anti-virus tools options configured and enforced?
 
As previously mentioned, the components such as the on-access scanner contains a host of options, including what to scan, actions to be taken on virus alert and alerting/reporting. Consideration and planning should be given to understanding these options and setting them appropriately to your threat.
 
Later in this document we will give some basic advice on what these settings should be.
 
When setting these options, you should also determine how these options and settings will be enforced. From experience, we find that users through accident or purpose will often change settings or even disable the anti-virus software installed. You must be able to monitor and control the anti-virus products you have deployed to ensure enforcement of the policies you have set, such as the specific product version as well as its configuration. In an emergency such as a virus outbreak, you should also consider how effectively you can alter or increase your scanning options.
 
Where using an on-demand scanner, the task should be scheduled to function automatically and have permissions to access all data, preferably from a central source. This makes management easier. Normally, we would suggest on-demand scans on servers should be run when the server in relatively inactive. If you are scanning large segments of data, your policy may include a maximum scan limit to the scan if it encroaches on other maintenance activities. In such an instance, it is important you are informed that the scan took longer than desired so you can alter the scheduled scan event.
 
When deciding where to create scan tasks using the on-demand scanner, some thought should be given to the outbreak scenario. In these instances, you may wish to run on-demand scans against all machines. This can be from a scanner stored on a central server or from the local machine. In either instance, the important aspects to consider are being able to trigger the scan immediately, ensuring all files on one machine are scanned, and results are audited, and users can not disable the scan task. As the scan on large drives can take some time, this is a common tendency amongst end users.
 
Auditing your strategy
 
Once the anti-virus software has been deployed, you will want to maintain it and also be able to audit the effectiveness of your strategy.
  1. Product coverage. The anti-virus tools you think you have deployed are actually out there, functioning correctly and being updated according to defined intervals.
     
  2. Virus reporting. You can track the virus alerts and if set their removal. This is important not only to prove your anti-virus strategy is effective, but equally if you have auto-disinfection set for viruses with the OAS. You need to log the virus alert so if there was an associated payload for the virus you can be aware of it and take appropriate actions. More information on this will be covered in the section on virus outbreak procedures.
McAfee's ePolicy Orchestrator offers a level of reporting unsurpassed in the industry. Through the collation of information reported back to ePO from the client agents, ePO uses SQL queries and Crystal 7 report templates to create tabular and graphical drill-down reporting on the level of users being managed, the anti-virus components installed (by product, Engine and Virus Definition/DAT files), the effectiveness of the anti-virus software installed and the viruses detected.
 
ePO includes a number of different templates that allow reports to be created from a number of views, such as for a particular virus alert; for a specific infected user, the types of viruses, or the products which detected the viruses.
 
ePo offers coverage reporting for the following products:
  • VirusScan 4.03(a)
     
  • VirusScan 4.5
     
  • VirusScan Thin Client (TC) 6.0
     
  • NetShield for NT 4.03(a)
     
  • NetShield 2000 (v4.5)
     
  • GroupShield Domino 5.0
In addition, ePO has virus-alert reporting for the following products:
  • VirusScan 4.5
     
  • NetShield 2000 (v4.5)
     
  • GroupShield Exchange 4.5
     
  • GroupShield Domino 5.0
     
  • WebShield SMTP 4.5
Our advice for OAS policy settings
 
The following are some guidelines for configuration settings that should be used within your on-access scanner (OAS).
 
Don't scan everything. Traditionally, anti-virus is not the primary skill of most IT staff. As such, the array of options can be, to say the least, overwhelming and confusing. So what should you scan for?
  • Scan only vulnerable data - Many file formats and even some operating systems do not support viruses. To scan these does not add any value to your anti-virus strategy. Look to your anti-virus vendor for advice, or even an automated method or ensuring your physical policy settings are only checking vulnerable data.
     
  • Scan only what is local to the machine - We provide anti-virus tools for the different levels of threat from workstation (VirusScan) through server (NetShield), mail (GroupShield) and gateway (WebShield). At each point you ascertained a threat during your risk assessment, implement an anti-virus tool. This should only scan that local threat. Scanning remote data is both unnecessary and an expensive use of network bandwidth.
     
  • Decide whether to clean - The on-access scanner's ability to remove non-memory- resident viruses on detection is an invaluable feature to the administrator. However, it is important that we have an effective method of auditing what and where the alert was. This allows the organization to prove the effectiveness of the anti-virus strategy. It also allows the IT staff to understand any further actions they may have to take against the virus infection, such as restoring data that was corrupted by the virus payload.
     
  • Enforce the policy - User permissions can be set to prevent them tampering with the anti-virus software. When a user has succeeded in changing the settings, either notify administrators or re-enforce the policy set upon the user.
Updates Policy
 
Anti-virus software is only as good as its last update. Commonly one or two of the viruses we see in the top ten list is a new virus. However with weekly virus definition updates, and customers starting to request daily updates, McAfee is starting to see anti-virus security taking over from the main function of the business.
 
When reviewing the update policy, it is important to balance the virus risk against the frequency and ease of updating. Traditionally bandwidth has been an issue, but with automated technologies allowing both network and web updating, you should be able to apply updates with little effort. Today McAfee uses incremental updates at approximately 100KBytes per week bandwidth concerns are no longer an issue with our products.
 
It is important to note that an update policy should look at all levels of updating. Within McAfee products, we offer three levels of update.
  • Virus definition update (DAT) - The weekly incremental updates that define what viruses we can detect.
     
  • Scan Engine upgrades (SuperDAT) - McAfee generally updates the scanning engine on a quarterly basis. The engine determines where we scan for viruses and what actions are taken to remove the virus code. We have found many organisations focus on the DAT updates but miss engine updates. This can result in the anti-virus software being aware of the latest viruses, but in some instances not being able to detect them (as we can not scan in the right places to detect or clean the virus).
     
  • Emergency Virus definition updates (incremental or extra DAT) These are used as an instant detection and repair solution for a new virus sample, to give you protection against current virus threats until we add the solution to the main virus definition set. The McAfee AVERTLabs website classifies new viruses according to the level of threat. If the McAfee AVERT (Anti-Virus Emergency Response Team) organization rates the virus as a medium or high priority, McAfee will produce a new incremental virus definition set. This can be applied using the normal procedures you have set in your strategy. For all new viruses, we also produce an extra DAT file, which is a simple text file that when added to the working directory of the anti-virus scanner is loaded on next startup of the OAS or as you run an ODS. Some consideration should be given to the application of the extra DAT file within your anti-virus strategy. They are normally applied to deal with a outbreak of a new virus. As such, you should have a fast method of implementation, that may expedite normal procedures. You should also consider prioritizing its distribution using the concepts outlined below.
So what should you consider when reviewing your update policy?
 
Primarily you should consider when and how you achieve your updates. We would suggest incremental update as the best method, because of its size and simplicity. The update technology with the product allows updates to be applied without either specific user permissions or reboot. In terms of frequency, you should return to your virus risk assessment for your business, and prioritize the threat. If we return to some of the examples used earlier, we can set risk levels associated with virus infection to each data point.
  • Data Servers - High - These contain the core data of the business.
     
  • E-Mail Servers - High - Most common point of virus transfer
     .
  • Internet Gateways - High - Common point of virus entry to the organization.
     
  • Laptops - High - Often have remote access to the business, but can gain access to media outside of the organization.
     
  • Networked PCs - Medium - Point at which most viruses trigger and replicate. Often the first point of contact to physical media.
     
  • Stand-alone PCs - Low - Virus cannot replicate easily.
     
  • UNIX Machines, Backups, Document Management Systems - Low - Can be used to store virus only.
In the perfect world, we would update each of these with daily or weekly updates. However where this is not possible, you should look to maintain the level of update balanced against the threat.
 
This approach is also very useful when dealing with a virus outbreak. By highlighting the key threat areas, you can ensure the critical systems are updated with new definitions or if required a new engine, as soon as they are available. All other points should be updated as soon as possible but this procedure allows you to maximize control and limit the effectiveness of the outbreak.
 
Outbreak Procedures
 
The following are some simple guidelines as to the procedures you should follow when dealing with a virus outbreak.
  1. Locate the virus in the environment and find out what the virus is called.
     
  2. Ascertain the threat.
     
  3. Get information on the virus from www.avertlabs.com.
     
  4. Take appropriate actions to control the outbreak.
     
  5. Estimate the scale of infection, allocate the required resources, and clean the virus.
  6. Validate data integrity.
     
  7. Contact any other business (units).
The steps above will help you deal with any virus outbreak. Most important is to understand the infection mechanism of the virus and any possible payload. This will allow you to take appropriate actions when dealing with the virus.
 
See the following examples.
 
Example 1
Form virus - This boot-sector virus relies on floppy disks to replicate. The payload of the virus makes the keyboard click on the 18th of each month, if using DOS and no keyboard device drivers. Actions - This virus has no malicious payload and can only transfer via floppy. Request all users stop using floppies. Estimate how many machines are infected. Check all floppy disks in the organization, and clean any infected PCs. The impact to users is minimal. This author has seen companies shut down their networks for viruses like Form, which is completely inappropriate.
 
Example 2
Explore.Zip.Pak.Worm - This uses MAPI mail to replicate itself to users by auto-replying to unopened mail in the infected user's inbox and any new mail received. The payload of this virus is to truncate specified commonly used files such as .DOC and .XLS and.PPT on infection and then every 30 minutes.
 
Actions - This virus has two immediate threats - it can replicate fast and it has a damaging payload.
 
As an initial step to prevent the possible overload of the mail servers and control the outbreak, you should stop the mail servers. If it is MAPI-based, then restart it with administrator-only access. Although this causes incoming mail to queue, it stops the virus from being able to spread. You may also wish to sever your SMTP gateway if you believe there is a high threat of sending the virus out to customers. Next, you should shut down any machines you believe to be infected. You do not want the payload to trigger. This will limit the spread and damage of the virus. Finally, you would estimate the scale of the infection, and then start the clean-up process.
 
With any virus outbreak, if you believe you have infected another business unit or company, it is a good practice to inform them. Tell them about the virus and methods for dealing with it. Most would prefer to deal with an infection at a small scale rather than suffer a large outbreak, which could possibly be traced back to your company or business unit.
 
Outbreak Manager
 
When examining how you may better control the outbreak of new mass-mailer viruses, not initially detected by your anti-virus software such was the case when the above example first hit, you should consider using one of the current tools offered with GroupShield Exchange 4.5, GroupShield Domino 5 and WebShield SMTP 4.5, which is Outbreak Manager. This scanning tool monitors the e-mail activity, looking for virus-like events. If these events are discovered, pre-defined actions can be taken to control the outbreak. For example, when dealing with a mass-mailer outbreak, we could look for a defined number of duplicate attachments. When this threshold is reached, the actions can either be manually or automatically triggered. These could include:
  • Updating the virus definitions (new definitions may be able to exactly identify and clean the virus).
     
  • Run a scan against all mailboxes or folders to clean the infection.
     
  • Block all attachments, thus stopping the virus from replicating.
     
  • Shutdown and restart the server with administrator-only permissions. This would allow mail to be received but would stop any users being able to open or run the infected attachments.
Outbreak Manager will not detect the virus by name. However, it will act as an early warning system. With its ability to set rules against virus-like actions, it can ensure the outbreak of a new unknown virus is limited by the actions set, so reducing the scale of the outbreak, and where defined, take the first steps towards the clean up.
 
Training and awareness
 
Obviously your everyday user is not a virus expert. However some simple employee guidelines, either in a user manual or as part of basic training will help them. The sort of information you should pass onto users is as follows:
  • Basics - What is a virus? What can viruses do? How can they affect me?
     
  • Basics - Advice on using PCs at work to avoid virus infection.
     
  • Don't open or run untrusted e-mails or programs.
     
  • Get any incoming physical media checked for viruses before using it.
     
  • Be aware of the risks of downloading games, utilities, and so on from the Web.
     
  • Basics - Where or who do I go to for further information or advice?
     
  • Question - How can users confirm they have anti-virus software installed?
    Answer - Check for the icon in the system tray.
     
  • Question - If possible, how do they check the are running a current version?
    Answer - The Help About box includes the date of the drivers being used.
     
  • Question - What should a user do if they see a virus alert?
    Answer - Record the virus name, contact the appropriate member of IT support. If good auditing is in place, this will have been logged automatically for the user.
Documentation
 
Once you have completed creating your anti-virus strategy, you should document it. This allows any member of the IT staff to understand the policies and procedures in your anti-virus strategy, and importantly to be able to complete them in your absence. This is specially crucial during a virus outbreak where a clearly defined policy can save both time and money by dealing with the virus effectively.
 
It is also necessary to review your virus strategy on a regular basis (at least annually). This is to take into consideration the changes within your IT infrastructure (in other words, it will re-assess the virus risk to your business) and the changes within the virus industry, such as new types of viruses, which again may require you to review and amend your strategy.
 
Summary
 
This document has provided useful guides and steps to follow when looking to create or review you anti-virus policies and procedures. If you require further help creating an anti-virus strategy, contact McAfee Professional Services or your local McAfee Sales representative.
 
As a final check list, you should look to complete the following sections each time you review your strategy.
  1. Review your environment.
     
  2. Set your anti-virus policies and procedures.
     
  3. Define your update strategy.
     
  4. Be able to audit the implementation and effectiveness of your strategy.
     
  5. Prepare an outbreak procedure.
     
  6. Document your strategy.
     
  7. Make your users aware of virus threats.

Jed McNeil is State & Local Government & Education Sales Manager for Network Associates, Northern California. He can be reached at 1-800-338-8754 x3101 or by email at Lisa Milburn is State & Local Government & Education Sales Manager for Network Associates, Southern California. She can be reached at 1-800-338-8754 x3138 or by email at