In the past, we could take some comfort in knowing that we had some inherent protection against viruses. Writing virus code required a certain level of programming expertise, as well as some understanding of such things as low-level DOS calls and memory allocation. And since data files were not executable, a shared data file couldn’t infect your machine. Today, it’s a more dangerous virtual world we live in—and those safeguards are gone.
It’s easier than ever to create a destructive bug. Macro languages are now included in the major office productivity products, and users have the ability to tie the execution of a macro to the opening of a file or template. Suddenly, anyone who knows how to write an AutoOpen Word macro can become a virus author.
In this article, we’ll look at some methods to keep your computer system out of harm’s way.
In part one of this series, we gave you a brief overview of how a virus infection occurs, and we defined the types of viruses that you need to know about as an IT manager.
Medicine that’s hard to swallow
Microsoft now includes macro detection in the File/Open code for its Office products, although the code is fairly unsophisticated. If the file has any macros at all, you’ll receive a dialog box telling you there are macros in the file. The macros may be dangerous, or they may be harmless. The dialog box asks if you want to enable them or not. If you have a number of custom templates used throughout your business, it’s likely you’re uncertain whether the macros in question are legitimate office automation macros or malicious outsider macros. You can’t see the macros until you answer the dialog and open the file.
From Melissa to Bubble Boy, TechRepublic gives you updates every week on new and troublesome viruses. Each Friday, Exterminator brings you news of important bug fixes, virus recovery information, service release announcements, and security notices. Be sure to check it out.
An ounce of prevention
The best prevention method is so obvious that it’s often overlooked: Purchase an antivirus product and use it. Popular products include Norton’s AntiVirus and McAfee.
Antivirus software uses many different virus detection methods. Here are the three top ways it seeks out and destroys a virus.
1. File scanning
This compares the contents of the files being scanned to an inventory of virus signatures. If a match is found, the antivirus software alerts the user to a possible virus infection. Some products can remove the virus from the infected file, while others can only detect the virus and alert you to the problem. File scanning is usually fairly fast and can find the majority of viruses actually “in the wild.”
The biggest disadvantage to file scanning is the need to update the inventory. The level of protection is only as good as the latest virus included in the inventory. Many users are not diligent about updating, so they compromise their protection. (I’ve seen many computers with two-year-old virus inventories.)
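The signature-matching step described under file scanning, written out as an added example that is not code from the article or from any antivirus product: a small Python scanner that looks for byte patterns from an inventory, keeps an overlap between reads so a signature split across a read boundary is still found, and flags an inventory older than a policy limit. The signature patterns, the inventory date and the 30-day limit are all constructed for the example; the function names are the example's own.

```python
import os
import tempfile
from datetime import date

# Constructed signature inventory: names mapped to byte patterns. The patterns
# are invented for this example and match no real malware.
SIGNATURE_INVENTORY = {
    "Example.Test.A": b"EXAMPLE-SIG-ALPHA-7f3a",
    "Example.Test.B": b"EXAMPLE-SIG-BRAVO-c21d",
}
# Constructed date of the last inventory update and a hypothetical policy limit.
INVENTORY_DATE = date(2000, 1, 14)
MAX_INVENTORY_AGE_DAYS = 30


def inventory_is_stale(today, inventory_date=INVENTORY_DATE,
                       max_age_days=MAX_INVENTORY_AGE_DAYS):
    """True when the inventory is older than policy allows; protection is only
    as good as the newest signature the inventory contains."""
    return (today - inventory_date).days > max_age_days


def scan_bytes(data, inventory=SIGNATURE_INVENTORY):
    """Return the sorted names of every signature present in data."""
    return sorted(name for name, sig in inventory.items() if sig in data)


def scan_file(path, inventory=SIGNATURE_INVENTORY, chunk_size=64 * 1024):
    """Scan a file chunk by chunk. The tail of the previous chunk is kept as an
    overlap so a signature split across a chunk boundary is still found."""
    overlap = max(len(sig) for sig in inventory.values()) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            found.update(scan_bytes(window, inventory))
            tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_tree(root, inventory=SIGNATURE_INVENTORY, chunk_size=64 * 1024):
    """Walk a directory tree; return {path: [signature names]} for files with a match."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, inventory, chunk_size)
            if hits:
                report[path] = hits
    return report


def run_demo():
    """Write three constructed files into a temporary directory, scan them, and
    return the report keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "clean.exe": b"MZ" + b"\x00" * 40,
            "infected.exe": b"MZ" + b"\x00" * 10 + SIGNATURE_INVENTORY["Example.Test.A"] + b"\x00" * 10,
            # Twelve filler bytes on each side put this signature across the
            # 16-byte chunk boundary used below.
            "straddle.doc": b"x" * 12 + SIGNATURE_INVENTORY["Example.Test.B"] + b"y" * 12,
        }
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        report = scan_tree(tmp, chunk_size=16)
        return {os.path.basename(path): hits for path, hits in report.items()}


if __name__ == "__main__":
    if inventory_is_stale(date.today()):
        print("WARNING: signature inventory is out of date; update it before trusting this scan")
    for name, hits in sorted(run_demo().items()):
        print(f"{name}: {', '.join(hits)}")
```

The staleness check is the part worth keeping in mind: a scanner with a two-year-old inventory runs without complaint and reports nothing, so the age of the inventory has to be checked explicitly rather than inferred from a clean result.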
2. In-memory monitoring
This method loads a small program into memory, where it continuously monitors what is going on in the computer. Every file that is opened, every floppy that is accessed, and every write to the hard disk is checked for possible virus activity.
If the monitor sees something suspicious, it stops whatever is happening and alerts the user. Some monitor programs are quite sophisticated and are able to detect stealth and polymorphic viruses.
However, a monitoring program may place a load on the system. It may also raise an alert on a false positive. If users are frustrated by either of these disadvantages, they may shut off the in-memory monitoring.
3. Inoculation
Inoculation is a variation on the file-scanning approach. The antivirus program scans each file and computes a checksum: a number derived from the value and order of every byte in the file, intended to be unique to that exact sequence of bytes. These checksums are stored for later comparison. If a file’s checksum has changed, the bytes in the file have changed. While it is common for data files to change, executable files normally do not. This is an excellent line of defense, though it requires the user to understand which files should change.
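The inoculation approach just described, as an added example that is not code from the article or from any antivirus product: record a checksum for every file, store the record, and on a later pass report which files changed, separating expected changes to data files from the alarming case of a changed executable. The file names, contents and the list of "executable" extensions are constructed assumptions for the example; SHA-256 stands in for the product's checksum.

```python
import hashlib
import json
import os
import tempfile

# Assumption for this example: files with these extensions are executables and
# are not expected to change between scans.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".sys", ".ovl"}


def file_checksum(path):
    """Hash the whole file; a change to any byte gives a different digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative path: checksum} for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_checksum(path)
    return baseline


def save_baseline(baseline, store_path):
    """Store the checksums for later comparison."""
    with open(store_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(store_path):
    with open(store_path) as fh:
        return json.load(fh)


def is_executable(rel_path):
    return os.path.splitext(rel_path)[1].lower() in EXECUTABLE_SUFFIXES


def compare_to_baseline(root, baseline):
    """Classify files as changed data, changed executable (the alarming case),
    new since the baseline, or missing from the tree."""
    current = build_baseline(root)
    result = {"changed_executable": [], "changed_data": [], "new": [], "missing": []}
    for rel, old_sum in baseline.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != old_sum:
            key = "changed_executable" if is_executable(rel) else "changed_data"
            result[key].append(rel)
    result["new"] = [rel for rel in current if rel not in baseline]
    return {key: sorted(paths) for key, paths in result.items()}


def run_demo():
    """Build a constructed file tree, record its baseline, simulate a day of use
    plus one tampered program, and return the comparison."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        # Constructed contents; nothing here is a real program.
        write("prog.exe", b"MZ" + b"\x90" * 30)
        write("util.com", b"\x00" * 16)
        write("report.doc", b"Quarterly figures, draft 1")
        store_path = os.path.join(store, "inoculation.json")
        save_baseline(build_baseline(root), store_path)

        # A legitimate edit to a data file, an executable that grew by a few
        # bytes (what inoculation exists to catch), one deleted file and one
        # new executable that was never inoculated.
        write("report.doc", b"Quarterly figures, draft 2")
        write("prog.exe", b"MZ" + b"\x90" * 30 + b"EXTRA")
        os.remove(os.path.join(root, "util.com"))
        write("extra.exe", b"MZ" + b"\x00" * 8)

        return compare_to_baseline(root, load_baseline(store_path))


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {', '.join(paths) or '-'}")
```

A cryptographic hash is used rather than a simple additive checksum because a modified file can be padded to keep a plain checksum unchanged, which would defeat the comparison. The baseline is written outside the tree it describes so it does not show up as a "new" file on the next pass, and the classification is only as good as the rule for which files are expected to change, which is the judgement the article says the user has to supply.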
Start with a clean system. Boot from a floppy you know is clean so that those boot-sector viruses can’t activate. Scan your system with a good antivirus product that can scan both executable and data files and that can find macro viruses.
Run regular scans. Scan all your files at least once a month. Use the inoculation feature as well.
Run monitoring software. My monitoring software has saved me countless times. It’s worth the investment.
Scan every incoming file. Scan every download, without exception, to avoid the headache of recovering files from your backups.
Don’t open mystery e-mail. Use the preview feature in Outlook. If the sender is unknown, it’s time to delete. Remember, with HTML e-mail it is now possible for someone to write malicious code within an HTML message and send you a virus.
Update your knowledge. Don’t think computer security is for the Pentagon. Log in to TechRepublic regularly to stay informed about the latest virus.
Bruce Maples is a writer, trainer, and consultant living in Louisville, KY.
What works for you?
What remedy do you recommend for virus aches and pains? Share your worst virus horror story by posting a comment below. If you have a story idea you’d like to share, please drop us a note.