Recently, I discussed the benefits of a four-layer antivirus strategy, which addresses security for Internet gateways, servers, desktop and laptop clients, and handheld devices. However, getting corporate agreement to protect every one of these important layers and implementing effective protection is just the first battle in the war against viruses.
To be truly victorious, you must be vigilant in keeping up with antivirus updates. Being current is analogous to keeping supplies and ammunition available at the front lines of a battle. In order to maintain an effective fighting force, an organization must perform four key steps:
The first and most easily neglected step in managing your multilayer antivirus defense is the timely and consistent retrieval of antivirus signature updates. Given the importance of this task, I recommend applying some degree of fault tolerance to the process.
Most signature updates are obtained by accessing the FTP site of the antivirus vendor and pulling down the latest update. This process must be automated (and many virus software packages have built-in automation features). Failure to automate will result in updates being skipped simply due to forgetfulness, carelessness, and absenteeism (your holidays).
Gone are the days when updates were merely issued monthly and you had plenty of time to deal with each release. Today, the updates are weekly—if not daily. Having but one automated method of retrieving updates is good but not as good as it can or should be. A fallback or alternate method is also important.
Many FTP sites become overly busy during peak periods and access is then restricted. If your scheduled update is for a time that coincides with a busy period, you may not be getting your updates as regularly as anticipated. I recommend having a backup system, such as the old-fashioned dial-up access for retrieving updates. Not only does it provide a level of redundancy, it can also act as a safety check regarding a signature update.
On more than one occasion, the vendor of the antivirus software we use released a buggy update, and I was able to validate this by comparing the results of the files obtained via FTP with those downloaded from dial-up access. If nothing else, this approach provides a vehicle for proving to the software vendors that you’re not an idiot when you give them an earful for releasing buggy software updates.
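The cross-check described above can be scripted. This is an added example, not code from the original article: it hashes every file in two copies of the same update retrieved over different channels and reports any that differ or are missing, so a damaged transfer can be ruled out before blaming the release. The directory layout and function names are assumptions.

```python
import hashlib
from pathlib import Path


def digest_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in chunks so large signature files are not loaded whole.
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_update_copies(primary_dir, fallback_dir):
    """Compare two copies of one signature update fetched over different
    channels. All three lists empty means the copies are byte-identical."""
    primary = digest_tree(primary_dir)
    fallback = digest_tree(fallback_dir)
    return {
        "differs": sorted(n for n in primary.keys() & fallback.keys()
                          if primary[n] != fallback[n]),
        "only_primary": sorted(primary.keys() - fallback.keys()),
        "only_fallback": sorted(fallback.keys() - primary.keys()),
    }


def safe_to_stage(report):
    """Hold the update back from the preview systems on any discrepancy."""
    return not any(report.values())
```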
Having successfully obtained that latest signature update, you should test it before general deployment throughout your organization. In our company, I have a list of key systems that get a copy of the latest signature version in advance of other clients. These preview systems contain a cross-section of operating systems and critical applications so that they are representative of our general PC population. The key systems are configured to pick up their updates from a private location unbeknownst to everybody else.
Provided there are no glaring problems, a mass rollout of the signature update will follow within 48 hours. The general rollout is automatically performed unless manually overridden. Obviously, with the frequency of updates coming out, testing is much less exhaustive than a normal software deployment. You can increase the time used to test, but the trade-off is that clients are then further delayed in receiving an update, which can prove to be a dangerous situation. All in all, we’ve found that 48 hours is about right. In certain circumstances, such as with the recent SirCam virus, we have eliminated the testing phase in favor of a more rapid deployment of the signature files. In either case, you should have some flexibility built into your process.
Deployment is clearly the most crucial phase. Assuming that testing hasn’t revealed any major glitches, it is time to automatically roll out the software to the server and client layers. In a large organization, it’s not feasible to have all of your client machines pick up their updates from one central location. This would simply saturate your available bandwidth and introduce unnecessary delays for clients.
We have set up our system so that clients always pick up their updates from a server that is local to them. In the background, a master server distributes the tested update to various distribution servers. This process runs at night, when WAN utilization is at its lowest. One hurdle we had to overcome was related to how our PC images are built, with respect to the antivirus software. Each PC image is built with a default pointer location for virus signature updates. Rather than rely on an IT support person to change the pointer location for each workstation, we built a section into our logon script that modifies the pointer to the signature update location according to where the client resides (i.e., which physical site) so that signature updates are never performed over a WAN link.
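The site-aware pointer logic described above, as an added example that is not the author's logon script: it picks the distribution server for the most specific subnet containing the client and leaves the pointer alone, flagging the client, when the address belongs to no known site. The subnets and server names are constructed, and the flag-on-unknown behaviour is an assumption.

```python
import ipaddress

# Constructed site table: subnet -> local distribution share (hypothetical names).
SITE_SERVERS = {
    "10.10.0.0/16": r"\\av-dist-hq\sigs",
    "10.10.40.0/24": r"\\av-dist-hq-lab\sigs",
    "10.20.0.0/16": r"\\av-dist-plant\sigs",
}


def local_update_source(client_ip, site_servers=SITE_SERVERS):
    """Return the share for the most specific subnet containing the client,
    or None if the client is not on a known site."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, server in site_servers.items():
        net = ipaddress.ip_network(cidr)
        # Longest prefix wins, so a lab subnet overrides its parent site.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, server)
    return best[1] if best else None


def plan_pointer_change(client_ip, current_pointer, site_servers=SITE_SERVERS):
    """Decide what the logon step should do with the client's update pointer."""
    target = local_update_source(client_ip, site_servers)
    if target is None:
        # Unknown site: do not guess a server across the WAN, report instead.
        return ("flag", current_pointer)
    if current_pointer.lower() == target.lower():
        return ("keep", current_pointer)
    return ("set", target)
```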
Dial-up clients are particularly difficult to deal with. These systems are obviously connecting over slow links and having frequent signature updates can be quite counterproductive. To overcome this problem, you can provide incremental signature updates rather than complete updates. Many antivirus software packages, including McAfee and InoculateIT, now offer this functionality in their latest software offerings. Another option is to write some custom script that notifies remote clients of new signature updates and provides the opportunity to download them. If you choose this route, you must also build in a mechanism that states that when a client is more than a certain number of signatures behind, an update will automatically be pushed out. We chose to set our number at three signature updates behind.
You must also remember to update your handheld devices. This can be somewhat tricky to automate, as there are no tools presently available (that I’m aware of) that will distribute updates directly to handheld devices. These clients usually rely on receiving a notice and can then either obtain the update through some internal source or via a wireless connection that connects them directly to the antivirus vendor’s Internet site.
One important side note: It’s necessary to protect off-site systems as stringently as on-site systems. In our company, I recommended that all home PCs, whether owned by the company or not, have our antivirus software installed on them if the users want to connect to our network. The rationale behind this is that clients using home PCs often come in contact with viruses (via HTTP mail, shared disks, accessing nonbusiness Internet sites, etc.), and by eventually connecting their computer to our network via RAS or VPN, they may potentially infect our network servers.
This recommendation, which is now an enforced policy, was not nearly as contentious as I expected. Via the logon script, we detect if clients have our antivirus installed; if they don’t, a complete version of the software is pushed out to them. If they elect not to install the software, their remote network session is terminated.
One phase that is easily forgotten involves monitoring the antivirus health of your environment. You need to monitor whether all your connected computers have the latest software, whether they’re at the latest signature level, whether someone has intentionally or inadvertently disabled the “real-time” monitoring, and so on.
Today, many antivirus solutions offer tools for monitoring the state of your antivirus environment, and I would insist on this functionality before purchasing any new product. If you have an existing system without such functionality, you should either consider switching products or write some custom code to capture the pertinent information from your systems as they connect to the network. This won’t be a trivial task, so it might be better to simply buy a new antivirus software package.
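For a product without built-in reporting, the custom check could look like the following. This is an added example, not code from the original article: it evaluates what each client reports at logon, covers the monitoring points listed above, pushes a full install to clients without the software, and applies the more-than-three-behind push rule from the dial-up discussion. The record fields, version numbers and action names are assumptions.

```python
from collections import namedtuple

MAX_LAG = 3  # the article's threshold: more than three updates behind forces a push

# State a client reports as it connects (field names are assumptions).
CheckIn = namedtuple(
    "CheckIn", "host installed signature_seq engine realtime_enabled")


def assess(c, current_seq, current_engine):
    """Return (findings, action) for one client check-in."""
    if not c.installed:
        return (["not_installed"], "push_full_install")
    findings = []
    lag = current_seq - c.signature_seq
    if lag > 0:
        findings.append(f"signatures_behind:{lag}")
    if c.engine < current_engine:          # tuples compare element by element
        findings.append("engine_outdated")
    if not c.realtime_enabled:
        findings.append("realtime_disabled")
    if lag > MAX_LAG:
        action = "push_update"             # too far behind to wait for the user
    elif lag > 0:
        action = "notify"                  # offer the download, do not force it
    elif findings:
        action = "review"                  # current signatures, other problem
    else:
        action = "none"
    return (findings, action)


def health_report(checkins, current_seq, current_engine):
    """Per-host findings and action for every client that needs attention."""
    report = {}
    for c in checkins:
        findings, action = assess(c, current_seq, current_engine)
        if findings:
            report[c.host] = {"findings": findings, "action": action}
    return report
```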
Nobody ever said that protecting your organization from viruses was going to be easy. It takes financial resources, a considerable amount of effort, and most importantly, a realization that virus prevention is an ongoing activity. Failing to take all the necessary steps to win the war against viruses will eventually cost your organization dearly in terms of resources and reputation.