Over the past decade, viruses and worms have shifted from being a minor nuisance to a major threat. The business consequences are significant: Companies that do not provide enterprise-wide protection leave themselves exposed to the potential for a complete system meltdown. To help you prepare a line of defense, I’ll offer some tips on deploying an enterprise-wide solution to protect against today’s threat.

Virus vs. worm
A virus’ purpose is usually two-fold: to replicate itself to other files in an attempt to maximize its spread, and to deliver a payload. In rare cases, the payload simply displays a message on the infected system. But in most cases, the payload is destructive. Typical viruses attempt to delete or corrupt data; some more recent viruses attempt to damage hardware by corrupting firmware. In the past, virus creators needed solid expertise in low-level programming and knowledge of the inner workings of the operating system. Today, viruses can be created easily by people with little or no programming experience, thanks to GUI-based virus generators.

A worm is a program that can run independently of other programs, can replicate itself to other computers on a network, and can consume resources or deliver a destructive payload. A worm can function on its own, unlike viruses, which require other programs or files of other types in order to infect. Worms most often do damage by consuming resources, either locally on a computer to the point where the computer is unable to function, or on a remote computer by repeatedly attempting to access a resource, such as flooding a port. Worms take a variety of approaches to propagation, generally exploiting known vulnerabilities in the target operating system or its services. For example, the Code Red and Nimda worms propagated through vulnerabilities in Internet Information Services (IIS) on Windows Server platforms, through unprotected network shares, and through Web sites and unprotected browsers. The Simile and Ramen worms attacked Linux platforms by exploiting vulnerabilities in specific services on those platforms. Relatively few worms, such as the W32.Winux worm, can propagate to and infect both Windows and Linux platforms.

General server-based protection
Your first line of defense should be at the perimeter of your network. Deploying firewalls to block port- and service-based attacks is essential. However, perimeter protection can go much further than simply blocking all but a handful of required ports. You should also consider deploying perimeter scanners to scan for and block viruses before they ever get inside your network.

Many worms exploit vulnerabilities in the operating system, so patching against those vulnerabilities is critical. Applying service packs and updates can go a long way toward closing holes that expose the server to attack. Windows Server 2003 can typically apply patches without rebooting (and triggering the disruption that rebooting can cause). For earlier Windows operating systems, consider using Qchain.exe to apply multiple patches with a single reboot. Although most worms and viruses target Windows platforms, Linux platforms are equally at risk if not patched and updated.

Disable unneeded services
Carefully review each server and ensure that it is running only those services required for it to carry out its function. Disable services that are not needed to reduce the server’s attack surface, and explore ways to harden required services. Separate critical services from noncritical services by moving them to other servers, and consider deploying load balancing and clustering where appropriate to help ensure high availability.

File system protection
Consider how your network resources should be protected. All file servers should have an antivirus solution that actively scans the file system in real time so that, as files are modified or added, the antivirus application can quarantine or repair the affected files before they spread to client systems or other servers. The server should also be protected at the file system level in other ways. For example, all Windows servers should use NTFS, since FAT offers essentially no security. You should also eliminate unnecessary shares, require share permissions for all shares, and use hidden shares where possible to further protect the server from worms that propagate through unprotected shares.

Protection for e-mail services
Mail servers are obviously a vulnerable point in any network. A file system scanner can catch message files as they are written to the system, but a better approach is to use an antivirus solution that scans the messages as they arrive in the mail system. There are several antivirus solutions that interface directly with Exchange Server to proactively scan incoming and outgoing messages. An SMTP gateway scanner is another alternative in networks where other mail servers are used, or where you want to scan the messages before they reach your mail servers.

It’s also important not to place all of your faith in one solution. Using multiple scanning engines from different vendors can add an extra layer of protection. A message might get past a single engine, but it’s less likely to sneak past two or three. Using multiple scanning engines also guards against a coordinated denial-of-service attack on a particular antivirus vendor. GFI’s MailSecurity is an example of an antivirus solution that employs multiple scanning engines. As an alternative to a single-vendor solution, you could deploy an SMTP-gateway scanner from one vendor and a solution from a different vendor on your e-mail servers.

The antivirus solutions you choose for your e-mail servers should scan for more than just virus-infected files. It’s critical that they also perform exploit detection and scan for scripts, malformed MIME headers, or other mechanisms that exploit vulnerabilities in e-mail clients or server operating systems.

Outgoing messages should also be checked
In addition to scanning incoming messages, you should consider scanning outgoing messages. The presence of an infected attachment in an outgoing message is a sure indicator that at least one client system is infected. You should also use some form of administrator-controlled attachment blocking to prevent certain types of high-risk files from entering or leaving the network. The extended e-mail security update for Microsoft Outlook provides enhanced protection, including attachment blocking. The security update is also available for Outlook 98. Exchange Server administrators can use the Outlook E-mail Security Administrative Package to configure attachment blocking options and specify which applications can access the user’s address book, send messages programmatically, and perform other actions.
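The two gateway checks described above, exploit-oriented inspection of MIME headers and administrator-controlled attachment blocking, look like this in a minimal policy scanner. This is an added example, not code from the article or from any product it names; the blocked-extension set and the sample message are constructed assumptions, and real gateways apply far more rules.

```python
import os
import email
from email import policy

# High-risk extensions an administrator would block; an assumption for this
# example, not a list taken from the article or from any product.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd", ".com"}

# Constructed sample message: a benign PDF, a double-extension executable, and a
# part whose Content-Type name disagrees with its Content-Disposition filename.
SAMPLE_MESSAGE = b"""From: alice@example.test
Subject: Q3 report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

JVBERi0=
--b1
Content-Type: application/octet-stream; name="invoice.txt.exe"
Content-Disposition: attachment; filename="invoice.txt.exe"

TVqQAA==
--b1
Content-Type: application/msword; name="notes.doc"
Content-Disposition: attachment; filename="notes.bat"

QGVjaG8=
--b1--
"""


def scan_attachments(raw: bytes) -> list:
    """Return (filename, reason) pairs for every attachment that violates policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ctype_name = part.get_param("name", header="content-type") or ""
        stem, ext = os.path.splitext(filename.lower())
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, "blocked-extension"))
            if os.path.splitext(stem)[1]:  # e.g. invoice.txt.exe hides its real type
                findings.append((filename, "double-extension"))
        # The two names should agree; a mismatch is a classic header trick
        # aimed at clients that trust one header and scanners that read the other.
        if ctype_name and filename and ctype_name.lower() != filename.lower():
            findings.append((filename, "name-mismatch"))
    return findings
```

A non-empty result is the signal to quarantine the message and alert an administrator rather than deliver it.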

Updating and patching
Besides deploying solutions at the gateway and the server, you should also consider e-mail client updating and patching an important aspect of any antivirus protection scheme. Deploying the Outlook security update is one option, as is upgrading to the latest version of Outlook. If your company relies on Outlook Express, you should deploy the Outlook Express Security Patch, which has security features similar to those in the Outlook security update. The Outlook Express patch also fixes other problems, including a buffer overflow in Outlook Express mail-header handling.

If you rely on Outlook Web Access (OWA) for remote access to the Exchange Server, you should also consider upgrading to Exchange Server 2003. This latest version incorporates attachment blocking for OWA. Scanning incoming SMTP traffic is a good first step, but SMTP isn’t the only protocol that can expose the network to attack. Consider antivirus solutions that offer protocol scanning for FTP, HTML, POP3, and other protocols.

Client-based protection
Even if you implement a server- or gateway-based solution, scanning e-mail at the client level can be one more effective step in reducing the potential threat from viruses and worms. Scanning at the client level also gives you another opportunity to use a variety of scan engines from multiple vendors to broaden your network’s protection.

When deciding on a client antivirus solution, you generally have the option of a managed or an unmanaged solution. In an unmanaged solution, each client is configured and managed separately at the workstation. This includes configuring such options as antivirus signature updates, file exclusions, and other settings. In a managed solution, an administrator configures the client from a central server, and configuration and updates are pushed from the server to the clients (or scheduled automatically for a pull by the client).

Both approaches are valid; the one you choose depends on the level of control and responsibility you want users to have over their antivirus applications. It has always been my feeling that removing the user from the equation is usually the best approach, so I favor a managed solution that not only enables administrators to fully configure and manage the antivirus application for each workstation, but also removes from the user the capability to do so.

Whichever method you choose, educating users should also factor into your antivirus solution. The more your users understand how virus infections and worm attacks occur, the less likely they are to engage in risky behavior such as installing software or bringing potentially infected disks or other media into the office. Naturally, you should also employ group or system policies and effective user and group permissions to restrict the actions that users can take.

Update and notification schemes
No antivirus solution is complete without carefully considering update and notification schemes. You need to understand how frequently your antivirus vendors make updates available, including ad-hoc updates during virus or worm outbreaks, and plan your updates accordingly. You should also implement some mechanism that enables administrators to verify that updates are being downloaded from the vendor and broadcast to servers and clients on a regular basis. A virus signature update that sits on a server waiting for weeks for a client to pull down is a useless update.
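The verification mechanism this paragraph asks for, as an added example that is not from the article or any vendor: compare what the vendor publishes, what the internal update server holds, and what each client last reported, and flag everything that is behind. The version format, the check-in records and the seven-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample state (not from the article): the vendor's current release,
# what the internal update server last pulled, and each client's last report.
VENDOR_VERSION = "2003.10.15.001"
UPDATE_SERVER = {"version": "2003.10.15.001", "downloaded": "2003-10-15T02:00:00"}
CLIENT_REPORTS = [
    {"host": "ws-001", "version": "2003.10.15.001", "updated": "2003-10-15T08:12:00"},
    {"host": "ws-002", "version": "2003.09.30.002", "updated": "2003-09-30T09:00:00"},
    {"host": "ws-003", "version": "2003.10.14.003", "updated": "2003-10-14T17:45:00"},
    {"host": "ws-004", "version": None, "updated": None},  # never checked in
]


def parse_version(version: str) -> tuple:
    """Signature versions compare numerically field by field, not as strings."""
    return tuple(int(field) for field in version.split("."))


def audit_updates(vendor_version, update_server, reports, now_iso, max_age_days=7):
    """Return {name: problem} for the update server and every client that is not current."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    server_version = parse_version(update_server["version"])
    # First check the server itself: if it never pulled the vendor's release,
    # every client downstream is silently behind no matter what it reports.
    if server_version < parse_version(vendor_version):
        findings["update-server"] = "behind vendor release " + vendor_version
    for report in reports:
        if report["version"] is None:
            findings[report["host"]] = "never reported a signature version"
            continue
        age = now - datetime.fromisoformat(report["updated"])
        if age > timedelta(days=max_age_days):
            findings[report["host"]] = f"no update for {age.days} days"
        elif parse_version(report["version"]) < server_version:
            findings[report["host"]] = "behind update server " + update_server["version"]
    return findings


def current_ratio(reports, findings) -> float:
    """Fraction of clients with no finding; a quick health number for a dashboard."""
    flagged = sum(1 for r in reports if r["host"] in findings)
    return (len(reports) - flagged) / len(reports)
```

Run this from a scheduled job and route a non-empty result into the same notification channel the outbreak alerts use, so a stalled update is noticed in hours rather than weeks.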

Finally, find out how an antivirus solution notifies administrators of virus infections and outbreaks, and how it responds to those outbreaks. The more quickly you’re notified, and the more options available for notification, the more likely you are to be able to stop an outbreak before it gets out of hand. The capability of the antivirus solution to take actions automatically when an outbreak begins can be a valuable feature and a real lifesaver, particularly if an outbreak starts in the middle of the night. When you’re evaluating your antivirus solution, take into account not only how well it will scan for and detect viruses, but also what actions it can take on its own (under your configuration) to address the threat.

Business consequences
The consequences of viruses and worms can be catastrophic to a company of any size. Although many companies consider data loss or corruption to be the primary result, there are other effects that can be equally damaging, and in some cases, more so. For example, even if you impose an effective and complete backup scheme, it will take time to restore infected systems and recover lost or corrupted data. A single server with lots of storage capacity could take over 24 hours to back up fully to tape, and even longer to restore. That recovery not only takes valuable IT staff time, but it also idles the company’s employees. That downtime can have a negative impact on a company, particularly one with narrow profit margins. While you can alleviate the problem with disk-based backups, you can’t eliminate downtime altogether.

Another problem that many companies don’t recognize is the potential for proprietary or customer data to be compromised. That gives your competition a leg up, and the damage to your company’s public image could be irreparable. At a minimum, you’re going to lose both customers and revenue.