Tech Tip: Get more from your antivirus software

By Mike Mullins

You're probably running some type of antivirus software on every computer in your network—as you should. When you bought the package, did your vendor claim that its software would stop the latest viruses in the wild? In that case, your virus liability should be zero if you've properly configured the vendor's software on your servers and workstations, right? Of course, you know that's far from the truth. What your vendor meant was, "we stop all known viruses."

None of the antivirus vendors will guarantee your equipment against all virus attacks because new viruses are created daily. In fact, according to Symantec and McAfee, about 10-14 viruses are born each day. This birthrate is what makes stopping viruses so difficult: New viruses appear faster than vendors can create virus signatures and propagate them to their paying customers. (The antivirus customer who hasn't bought this extra service is out of luck.)

Because new viruses are born so rapidly, both Symantec and McAfee run full-time antivirus centers. At their centers, you can read about the latest viruses, find tools for removing viruses from infected machines, and submit viruses for their analysis.

Assessing the threat

When you submit a virus, your vendor will analyze it with a threat matrix that's based on the number of reports received about that virus, the virus's ability to cause damage, and its likelihood of spreading. The vendor then assigns the virus a threat category ranging from one to five.

  • Category 1 - Very Low: The virus poses little threat to users and rarely makes headlines.
  • Category 2 - Low: This is either a low to moderately wild threat (reasonably harmless and containable) or a nonwild threat that's characterized by an unusual damage or spread routine, or perhaps by some feature of the virus that makes headlines in the news.
  • Category 3 - Moderate: The virus is characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous and uncontainable if released into the wild.
  • Category 4 - Severe: A virus of this type is dangerous and difficult to contain. You should download and deploy the latest virus definitions.
  • Category 5 - Very Severe: A virus in this category is highly dangerous and very difficult to contain. You should immediately download the latest virus definitions on all machines and execute a scan.

Now that we're up to date on virus signatures, let's look at the positive effects that some viruses have on network security.

Good viruses?

By nature, viruses are destructive or disruptive to network operations. However, viruses such as the recent Blaster worm can have a positive side effect. The Blaster worm (a.k.a. MSBlast or LovSan) targeted a known vulnerability on Microsoft systems that allowed hackers to gain control of remote machines through the Remote Procedure Call (RPC) Distributed Object Component Model (DCOM) object service.

Because the virus targeted this security hole, the resulting publicity forced many administrators to close one of the most dangerous and easily exploitable holes on Microsoft systems. If it takes a virus to force administrators to apply patches and close vulnerabilities to their systems, then viruses can have a positive effect on networks and on the Internet as a whole.

Final thoughts

Where your virus sits on your security vendor's threat matrix will decide when (and if) it will develop a signature to counteract the virus's threat. As with anything else, you get what you pay for when it comes to antivirus software. If you want better service, sign up for your vendor's extended service plan. The vendor will then have a financial incentive to solve your virus problems.

While waiting for your vendor to develop an antivirus signature for the latest worm, take a look at your security bulletins to see if they correspond to the latest threat. Antivirus is nice, but if there's a patch that provides the same protection, apply the patch. Remember the Defense in Depth mantra: Use all the tools in your arsenal. That includes signatures and patches.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks