By Mike Mullins
You're probably running some type of antivirus software on every computer in your network—as you should. When you bought the package, did your vendor claim that its software would stop the latest viruses in the wild? In that case, your virus liability should be zero if you've properly configured the vendor's software on your servers and workstations, right? Of course, you know that's far from the truth. What your vendor meant was, "we stop all known viruses."
None of the antivirus vendors will guarantee your equipment against all virus attacks because new viruses are created daily. In fact, according to Symantec and McAfee, about 10-14 viruses are born each day. This birthrate is what makes stopping viruses so difficult: New viruses appear faster than vendors can create virus signatures and propagate them to their paying customers. (The antivirus customer who hasn't paid for the signature-update service is out of luck.)
Because new viruses are born so rapidly, both Symantec and McAfee run full-time antivirus centers. At their centers, you can read about the latest viruses, find tools for removing viruses from infected machines, and submit viruses for their analysis.
Assessing the threat
When you submit a virus, your vendor will analyze it with a threat matrix that's based on the number of reports received about that virus, the virus's ability to cause damage, and its likelihood of spreading. The vendor then assigns the virus a threat category ranging from one to five.
Now that we're up to date on virus signatures, let's look at the positive effects that some viruses have on network security.
By nature, viruses are destructive or disruptive to network operations. However, viruses such as the recent Blaster worm can have a positive side effect. The Blaster worm (a.k.a. MSBlast or LovSan) targeted a known vulnerability on Microsoft systems that allowed hackers to gain control of remote machines through the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) service.
Because the virus targeted this security hole, the resulting publicity forced many administrators to close one of the most dangerous and easily exploitable holes on Microsoft systems. If it takes a virus to force administrators to apply patches and close vulnerabilities to their systems, then viruses can have a positive effect on networks and on the Internet as a whole.
Where your virus sits on your security vendor's threat matrix will decide when (and if) the vendor will develop a signature to counteract the virus's threat. As with anything else, you get what you pay for when it comes to antivirus software. If you want better service, sign up for your vendor's extended service plan. The vendor will then have a financial incentive to solve your virus problems.
While waiting for your vendor to develop an antivirus signature for the latest worm, take a look at your security bulletins to see if they correspond to the latest threat. Antivirus is nice, but if there's a patch that provides the same protection, apply the patch. Remember the Defense in Depth mantra: Use all the tools in your arsenal. That includes signatures and patches.
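As an added illustration (not code from the article or from any antivirus vendor), the short Python script below applies the advice above to a small inventory: for each current threat it checks whether the host already has the vendor's patch, tells you to apply the patch when one exists even if a signature is loaded, falls back to a signature update when there is no patch, and flags threats that have neither yet. The vendor-assigned threat category (1 to 5) is taken as input and only used to order the report. All threat names, bulletin identifiers, signature identifiers and host names are constructed placeholders.

```python
"""Added example: triage hosts against current threats, patch before signature."""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    name: str                    # vendor's name for the worm or virus
    category: int                # vendor threat category, 1 (low) .. 5 (high)
    signature_id: Optional[str]  # antivirus signature that detects it, if released
    bulletin: Optional[str]      # security bulletin whose patch closes the hole, if any


@dataclass(frozen=True)
class Host:
    name: str
    patches: FrozenSet[str]      # bulletins already applied on this host
    signatures: FrozenSet[str]   # antivirus signatures currently loaded


def triage(host: Host, threat: Threat) -> str:
    """Return the defender's action for one host/threat pair."""
    if threat.bulletin and threat.bulletin in host.patches:
        return "protected by patch"
    if threat.bulletin:
        # A patch exists: apply it now, whether or not a signature is loaded.
        return f"apply {threat.bulletin}"
    if threat.signature_id and threat.signature_id in host.signatures:
        return "protected by signature"
    if threat.signature_id:
        return f"update signatures to {threat.signature_id}"
    return "no patch or signature yet: monitor and contain"


def exposure_report(hosts: Sequence[Host],
                    threats: Sequence[Threat]) -> List[Tuple[int, str, str, str]]:
    """List every host/threat pair that still needs action, most severe first."""
    findings = []
    for threat in sorted(threats, key=lambda t: t.category, reverse=True):
        for host in hosts:
            action = triage(host, threat)
            if not action.startswith("protected"):
                findings.append((threat.category, threat.name, host.name, action))
    return findings


# Constructed sample data (placeholders, not real bulletins or signatures).
THREATS = [
    Threat("worm-A", 4, "sig-1042", "BULLETIN-001"),  # patch and signature exist
    Threat("worm-B", 2, None, "BULLETIN-002"),        # patch exists, no signature yet
    Threat("worm-C", 5, "sig-1050", None),            # signature only, no patch
    Threat("worm-D", 3, None, None),                  # nothing from the vendor yet
]
HOSTS = [
    Host("ws01", frozenset({"BULLETIN-001"}), frozenset({"sig-1042"})),
    Host("srv01", frozenset(), frozenset({"sig-1042", "sig-1050"})),
]

if __name__ == "__main__":
    for category, threat, host, action in exposure_report(HOSTS, THREATS):
        print(f"[cat {category}] {threat:8} {host:6} -> {action}")
```

Note that srv01 is reported for worm-A even though it carries the matching signature: the patch closes the hole regardless of what the scanner recognises, so the script lists it until the bulletin is applied.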
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.