On May 9th John Day led a heated discussion about protecting your network from viruses—especially in light of the IloveYou virus that recently went around the world. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Welcome to the meeting
MODERATOR: Welcome to tonight's Guild Meeting. This topic is especially, well, topical, as we are discussing viruses and what you can do to protect yourself.
As you all probably noticed by the lack of last Thursday's Guild Meeting, even the mighty Republic wasn't immune to the dreaded Love Bug virus. It has taken no time at all for the Love Bug to mutate into deadlier forms.
Tonight, our speaker is John Day who will be discussing viruses and what you can do about them.
Don’t forget that at the end of tonight’s meeting we'll be awarding the traditional Guild Meeting participation prize. Tonight’s prize will be a copy of Norton's Internet Security 2000.
And now—Heeeeeerrrrreeess Johnny!
GroupWise and ILoveYou virus
JOHN DAY: Hope we've all recovered from the latest attack. Anyone here been impacted by the ILoveYou virus? Seems that most big antivirus companies didn't stop ILOVEYOU or, especially, its variants.
AUDREYJACKSON: Yes, but we got hit mainly by the variants, funnyjoke.vbs and funny.vbs. We run Notes.
HAROLD66: Not me.
JCARLISLE: We mostly run GroupWise. We saw a few hits by it, but it didn’t get very far.
JGILMORE: We were hit, but not fatally, and only by the original.
JOHN DAY: The only real protection from it seems to be making sure your backups are run nightly and to educate users to ensure that their settings are correct to stop scripts and ActiveX from running.
MIKKILUSA: GroupWise here, too, but we never saw it. We were lucky, but GroupWise would have stopped it, I think.
MODERATOR: Actually, Mik, there should be an article appearing on the Love Bug and GroupWise tomorrow, I think. (Dealing with the ILoveYou virus on a GroupWise system)
COMPSVC: We got hit by two copies, but fortunately the users did not open them. Antegen nailed the rest.
JOHN DAY: GroupWise and Linux sendmail seem to be the least impacted; sounds like multi-vendor platforms are the most secure.
MIKKILUSA: What effect did you have, Jcarlisle?
JCARLISLE: The messages came from outside to a few of our users. It didn’t seem to go any further.
JGILMORE: Shortly after it hit, our Exchange Servers were set with a 10-K limit on messages. This saved us.
JOHN DAY: That is a good fix. Without the MS Office VBS vulnerability, these seem to be stopped in their tracks.
Virus updates not available right away
MIKKILUSA: I do know InocuLan has a new update every hour on the hour since Love hit.
JGILMORE: McAfee still hasn't released a viable option. At least, not one that's very easy to deploy.
JOHN DAY: Yeah. Most server or e-mail server based protection is updating regularly. The administrators just need to change their settings to check for updates on the hour versus daily or even less frequently.
TSEVY: We were hit. Three out of 70+ users opened it. We shut down e-mail systems right away until we got the fix from Symantec.
Good virus protection habits
JOHN DAY: In MS-centric shops, it is even more important to ensure that the basics are being followed: important data kept on the server, backups every night, user client settings set to disable scripting and, especially, outlook preview set to disable.
JCARLISLE: Won’t the backups just back up the virus?
JOHN DAY: User education is also a key. While I would hate to play big brother and stop attachments, users need to be educated to open only those that they are expecting and to check with the sender before opening.
To disable scripting
TSEVY: Where do you disable client settings to disable/disallow scripting?
JGILMORE: Is there an easy way to disable Windows Scripting Host on Win95 with IE5?
JOHN DAY: Reboot first. To disable scripting, go to Settings, Control Panel, Windows Setup, Accessories, and uncheck Windows Host Scripting.
TSEVY: Does that work for all MS platforms (95 onward)? NT 4, Win2K?
JOHN DAY: FYI, I just checked my Win 95 settings and found that it was enabled.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly, or on the Guild Meeting calendar.
AUDREYJACKSON: I work in a large law firm, and most of the attorneys and other staff depend on transmitting documents. We do try to school them on being aware of attachments, to be on the lookout for strange files with weird extensions, etc. But some don't listen.
JGILMORE: What's the address?? We'll fix you right up!!!
JOHN DAY: Audrey, I feel your pain. Sometimes restoring from backups after an attack is the only way. In a law firm and others, the users' needs come first. Sooner or later, they will learn—I hope.
AUDREYJACKSON: Some never learn, and for my TSS colleagues and me, we jokingly refer to my studded bat. Right now, it's just virtual, but believe me, for the "frequent flyers," we end up repeating ourselves. And they still blame us for their mistakes!
MIKKILUSA: The thing is, users do not come to meetings. Bummer.
CHURCHIW: I work in a high school, and the kids do listen. However, I'm expecting some of their parents who subscribe to our ISP to get caught.
A legal angle?
JGILMORE: It seems that MS provides great functionality but doesn't concern itself with security.
JCARLISLE: It seems a bit odd that MS would write a program with such a huge hole in it.
JGILMORE: Odd that MS makes every piece of software except Virus software!!!
JCARLISLE: Audrey, you said you worked in a big law firm. Have the words "class" and "action" been used much lately?
AUDREYJACKSON: Only in terms of "No Class, No Action!"
JCARLISLE: I mean, it seems a bit irresponsible to leave a hole like that open in software. No matter what kind of "Feature" it's supposed to enable.
Novell virus protection
MIKKILUSA: Which is the best virus detector for Novell?
MODERATOR: I heard someone mention InocuLan earlier.
DBA: We use InocuLan without too many problems.
MODERATOR: I've personally always favored NetShield on NetWare. It seems more stable than most things put out by Computer Associates.
JGILMORE: Is InocuLan for Novell systems exclusively or also NT?
MODERATOR: InocuLan is also available for NT.
TSEVY: Has InocuLan improved any? I’ve "encountered" it a couple of times two+ years ago, and it was always a problem on NT.
DBA: What is the best virus scanner for network scanning?
MODERATOR: Symantec is supposed to have a version of the Norton AntiVirus for Netware, but I haven’t seen it nor had experience with it, so I can't pass judgment on it.
JOHN DAY: I think that Trend's ScanMail is really good. It allows you to block messages based on subject, sender, attachment names, and almost any other variable.
JOHN DAY: Jcarlisle, in reference to your question about disabling VBS—in Outlook, setting it to plain text for incoming messages is the only way. Computer Associates seems to be trying to incorporate all of its products into a suite but has bought out the companies that made them independently.
InocuLan and ArcServe
TSEVY: We use NAV on NT and like it very much.
MIKKILUSA: InocuLan on GroupWise has problems, so we run on all workstations. Anyone here run anything on his or her GroupWise server?
DBA: InocuLan prevents e-mail attachments from opening but won't run on the GroupWise server.
MODERATOR: You can run a third party scanner such as Guinevere in concert with a virus scanner to scan attachments for viruses.
JOHN DAY: I used to believe in ArcServe for backups and InocuLan, but now they seem to be too complex to administer without a dedicated staff. I come from a small shop background and believe that one person should be able to take care of an NT shop without having to go to six months of school to do it.
JGILMORE: Our Suits chose McAfee for the Enterprise, but I run Norton and REALLY like it.
JCARLISLE: Both ArcServe and InocuLan seem to be very complex and buggy. I haven’t seen anything make a Netware server become more unstable than Computer Associates NLMs.
DBA: Some scanners really slow down access to files; InocuLan doesn't seem to. However, it will slow down backups over the network.
Norton vs. McAfee vs. InoculateIT
JOHN DAY: My feeling is this: you should have your clients protected with a client product, either Norton’s antivirus or McAfee, and your server with another. Two sets of .dat files and different detection schemes protect you from viruses written to defeat one or the other.
DBA: We used to run ArcServe and InocuLan, but can't get ArcServe to run on Netware 5.
JOHN DAY: I think Norton has the best client product, and Trend has the best Exchange Server client.
DBA: Norton seems to slow down clients.
TRENTCOOK: We ran McAfee. Didn’t care for it at all. Switched to Norton. Liked it a lot, and I have done quite a bit with InoculateIT as well. Seems okay.
JOHN DAY: Tsevy, I think none of the standard products detected the love bug. This takes a paranoid admin to monitor CERT, www.securityportal.com, www.techrepublic.com and TechProGuild for news and to block messages at the mail server by subject until the .dat files come out.
TRENTCOOK: Biggest problem with InoculateIT was the File and Macro. Real Time was effective, but didn’t it outweigh the performance benefits?
JOHN DAY: I found McAfee to be slow to come out with updates in the face of a crisis. Norton’s client is easy for users to understand, so I've always chosen to use Norton on the client side.
TRENTCOOK: I had clients complaining all the time. Their machines ran pathetically slow. Other than that, the actual AV engine seemed to run fine.
JGILMORE: McAfee is definitely going to lose customers to Norton after this latest episode.
EHALTON: McAfee comes out with the early patch. I set up a test system and latest detection engine, and .dat called extra.dat and the VBS blew right through it.
JOHN DAY: McAfee is a good first step, but they can’t touch Norton in my opinion.
WENDYWHITE: Hi, John Day. Would you please tell which would be more effective for virus protection, hardware card or software?
JOHN DAY: Seems that a hardware solution would be hard to update in the event of a new strain. Software and an effective admin would be the better solution.
Scripting and auto updating
TRENTCOOK: I have a batch script to auto update users' definitions when they log into our NT domain. Takes a lot of work out of it.
TSEVY: Are there any products out there that will scan for "destructive" scripts?
JGILMORE: Norton had an easily deployed solution available Friday, and McAfee still doesn't!!!
DBA: We use batch scripts also to update clients.
JCARLISLE: Why would Microsoft allow scripting in Outlook to begin with? Are there any legitimate uses for it in an e-mail client?
TRENTCOOK: It's the only way to go. Too time consuming otherwise : )
JOHN DAY: Great idea, Trent. Relying on the users to update when servers are under strain from the millions wanting the latest data is hoping for the impossible.
TSEVY: With the NAV for Enterprise, you set up one machine as the Console, it pulls down updates, and pushes them to the clients. We love it. Very hands-off.
JOHN DAY: I set my users on a daily update when installing the Norton’s client.
TRENTCOOK: I am writing an article for TR. Actually, my update login script will be available for download off of TechProGuild. (Don't delay: Download these scripts to automate client virus-signature updates).
JOHN DAY: I set my clients for a 12:00 to 1:00 update during lunch. Most stay logged on, anyway, and never know it is running. Just disable the prompt user before running box.
MIKKILUSA: We have it so InocuLan updates them when they log in. But when you are getting 2 updates a day, it's not effective till they re-log in.
EHALTON: I feel like a dinosaur. I e-mail the updates to users, instructing them to double-click and run the attachment.
TRENTCOOK: True, mikkilusa, but more effective than letting the user do it, or you going to each workstation. : )
JOHN DAY: Without specifics, downloading the latest version usually is a good idea even with the same updates. Why? Because later program versions are able to detect changes to your system that might, in turn, indicate a virus. These are updated to protect against the latest virus attack.
MIKKILUSA: McAfee lost my respect when they jumped on the Bill G. bandwagon and were part of 98. Plus they stopped supporting that edition and wanted you to buy the upgrade. What a rip-off!
JGILMORE: Don't laugh about going to each workstation!!! I spent my day doing it.
TRENTCOOK: Well, Ehalton, that’s better than my last company. Sys admin for only 20 users, so I would just go and do each WS once a week .... PAIN IN THE REAR!. That is why I decided to let a script do it for me.
JOHN DAY: I think letting users "double-click" is cool. It’s better than going to each one. Users should be able to follow those type instructions.
TSEVY: I would never rely on end users. Sorry. Just my past experience tells me not to. Unless you have upper-management pushing on your behalf.
JOHN DAY: Tsevy, you can spot-check, rely on education, or just point out those who fail in a company e-mail, BUT that usually is not a good idea : O)
TRENTCOOK: If anyone has an NT network and would like a script to auto update your users' definition files, drop me a line at firstname.lastname@example.org. I can send it to ya.
SBROWNVA: Trentcook, what AV program for the script? I've been looking for a way to push the definitions to workstations.
TRENTCOOK: I wrote one for Norton, McAfee, AVP, and InoculateIT .... Take your pick, my friend : )
SBROWNVA: Trentcook, I'll write. We are using NAV but have not yet looked at the enterprise product.
TRENTCOOK: NP, man, it will work for you each time the user logs in. Saves many hours of work.
How to get updated information
TRENTCOOK: Do you all leave the RTS (real-time scanning) running on clients? I did, but too many complaints, so I had to sacrifice a level of virus security for performance.
EHALTON: I've also had good luck with MailScan from Deerfield.
JOHN DAY: The basics are this: before I go to bed, I check the European links from www.cert.org for any news. I make sure that my backups are able to be restored. I never map drives on my servers via scripts to protect them from worms. I educate users to make sure the client is set up to disable scripts and outlook isn't set to the preview mode.
Watch for the dreaded Preview Mode
JCARLISLE: How does Preview Mode cause a problem if they don’t actually try to open the attachment?
TSEVY: But John, how do you make sure that 70+ clients don't have Preview Pane turned on?
JOHN DAY: I saw an update just before this meeting on www.cert.org that said with scripting enabled, the latest variant would launch in preview mode. How? Because with scripting enabled and preview mode on, the message was an active Web page. Scripting allowed it to launch a local script if security settings were set too low on local intranet.
JGILMORE: That's pretty frightening! Preview pane is very popular and hard to control.
TSEVY: Do you know if this can be accomplished via NT User Policies?
JOHN DAY: Tsevy, I don't know that. I think anything can be accomplished via NT user policies, but Outlook Preview Pane I'm not sure of. It is a registry setting, and I'm sure a script could be written.
Real-time data transportation
WENDYWHITE: Mr. Day, I want to ask if the popular antivirus software is for OS protection only, or can they protect real data transportation—like now? We’re using the chat, one type of real files. Or what about video transferring, etc.?
JOHN DAY: Wendy, that is a great question. One I don't know the answer to. I know that there are protections against ICQ-type attacks but as for chats, in this environment, I just don't know. I think my IE settings will protect me because I don't enable ActiveX or running of scripts.
DICKAW: Earlier, someone asked if any software caught ILoveYou. Antigen did.
JOHN DAY: Really, I'll have to check out Antigen for more info.
TSEVY: Dickaw, what kind of indication did Antigen give?
DICKAW: It provided us with a warning and then deleted the attachment and quarantined the letter.
UNIX and Viruses
TIM: Can viruses affect UNIX systems easily?
JOHN DAY: Yes, viruses can affect UNIX systems; however, there are many virus authors skilled enough to write them.
WENDYWHITE: Mr. Day, where do you disable the ActiveX in IE?
JOHN DAY: Wendy, under Tools, Internet Options, Security. Then I would check Internet and Intranet settings, three groups down, and disable run ActiveX scripts.
Is there more to come?
AUDREYJACKSON: Can we expect more of these diabolical viruses and worms in the future? Or will things settle down for a while, and then pick up again? What's the psychology of these people who do this?
JOHN DAY: Before this attack I was saying to myself (I do that a lot), what will we talk about when things are so calm? But then someone comes out with a new strain. So I think that we can expect a lull and then a major attack again.
I would expect another worm. Viruses don't have the same ability to steal or delete information.
TRENTCOOK: I agree with John. The trend seems to hit hard, wait, then hit hard again, wait, hit hard, and so on.
AUDREYJACKSON: I agree, John. I think a lull, then another major attack. The psychology of these people seems to be that they're always trying to "push the envelope," to see what else they can get away with.
JOHN DAY: Yeah, it takes that long for someone to come up with something new versus just mutating the latest strain.
Did you hear that caller ID was how they found the ILoveYou guy, but they let him go for lack of evidence?
AUDREYJACKSON: I read that it was caller ID that led them to the apartment in the Philippines. But I also had heard they were looking for somebody in Australia.
HAROLD66: What can you do to someone who wrote a virus but lives in other country?
MODERATOR: Nuclear counterattack?
AUDREYJACKSON: Some AV security company will probably hire the culprits out at a ridiculous salary! Know-thine-enemy type of thing?
JGILMORE: It's disappointing to see someone using skills I wish I had for these types of purposes!
AUDREYJACKSON: It reminds me of the type of people who seem to always commit suicide on the subway during rush hour! What a way to affect huge numbers of strange people you don't even know!
How does the virus access the OS?
WENDYWHITE: Mr. Day, why can the virus creator destroy our OS program, unless he gets our program from our OS first? But how could they do that?
JOHN DAY: Wendy, I'm not sure I understand. He can damage your OS because he updates various system files with copies of the virus. If he deleted them, you could just undelete them with one of several popular utilities.
The problem is that I, as well as many admins, installed the OS with defaults for directory names. This gives the virus writer the ability to know the location and names of your system files, and without local clients disabling ActiveX and .vbs scripting, he can overwrite those files.
Some call it lazy admins. We just didn't know at the time. I know I installed NT and 98 to directories with hard-to-guess names. (I would tell you what they are but then, well, you know.)
JGILMORE: Doesn't placing these files in non-default dir's make for many other headaches in the future, though???
JOHN DAY: Always install to directories that a virus writer won't guess, like winxx, with xx being your initials. Then these scripts won't work. That is a basic protection.
Yes, it can cause headaches unless you use a standard as I just described. Perhaps wintechrepublic or "insert your company name here" would be better.
Don't forget MS Office and Outlook. These are the biggest problem areas.
But what about the script?
SBROWNVA: The WINNT sys directory is in a system variable, so I would expect the script to look for the variable for the location of WIN.
JOHN DAY: You are correct, Sbrownva. Looking for variables is common in scripts, but just changing the default location would have prevented the win worm zip from the damage it caused.
Setting your IE security correctly would stop the script, anyway.
SBROWNVA: Was the DIR hard coded in win worm?
JOHN DAY: My understanding is that it was. I read that users who had non-standard dir names were not affected.
Here is my spin: $10,000 firewalls, 10-man IT staffs, antivirus programs, etc. didn't stop this virus. Correctly configured clients, educated users, and basic file backups were the only protection. This will be true on the next wave of attacks. Find your company’s critical data on user hard drives, perform security audits on clients, and educate your users.
AUDREYJACKSON: All of that didn't stop the virus because you're only as strong as your weakest link, and all too often, that's a user who's not thinking when they go and launch something they shouldn't have.
MODERATOR: Great way to sum things up, John! But wait. Don't everyone head for the X yet. It's time for the Flying Fickle Finger of Fate to select today's Guild Meeting winner.
It's … It's ... AudreyJackson! Congratulations!
AUDREYJACKSON: Hey, alright!!! And I thought I'd never win anything! Thanks a lot! ;-)
MODERATOR: Drop an e-mail to email@example.com with your snail mail information. Okay ... so it's not the $350 Million from tonight’s Big Game Lottery, but it is a copy of Norton's Internet Security 2000.
AUDREYJACKSON: Will do.
MODERATOR: Thanks to John Day for speaking tonight. And thank you, everyone, for your participation.
MODERATOR: Guild Meeting adjourned.