In the mid ’90s, antivirus protection on servers and e-mail gateways was typically an afterthought. The Internet was still unexplored territory, and viruses rarely landed on the desktops of computer users connected to networks. Most organizations had some antivirus protection installed, but it was usually limited to virus scanners inspecting desktop and server machines on a regular basis.
As recently as five years ago, in fact, it was perfectly acceptable to use the standard default settings of antivirus scanners on servers. These scanners would inspect files with extensions such as EXE, COM, and DLL. Given the viruses in existence at the time, executable program files were the most likely to get infected. With the arrival of the macro viruses, Microsoft Word document files and Excel workbook files became susceptible to infection. Antivirus programs then began scanning DOC, DOT, and XLS extensions. However, the file-extension approach meant documents not saved with the default extension were not being scanned.
If we fast-forward to the present, we discover it’s a whole new ball game. In most organizations, the Internet has become ubiquitous; many corporate desktop computers are constantly online, and the volume of business e-mail is staggering. With this rise in connectivity, the number of viruses transmitted via Internet-related activities has overtaken the number spread by floppy disk, the more traditional means of virus propagation. The range of virus types, and the types of files they can infect, has also broadened, so a new approach to fighting malicious code has become necessary.
The LoveLetter virus, which has the dubious distinction of causing the most network systems damage ever, first appeared in May 2000. The virus sent itself out as an attachment to e-mail and used the VBS file extension, which caused major problems because a number of antivirus products didn’t scan VBS files by default. LifeStages followed on the heels of LoveLetter a few weeks later. The media coverage of LoveLetter ensured that systems administrators were on the alert and quickly configured their scanners to watch for the SHS file extension it used.
Another example of the growing scope of threats is the discovery, at the beginning of September, of the Streams Companion method of embedding malicious code in Windows 2000 NTFS file system data streams. These data streams carry their own name attached to the regular filename, so the code does not show up as a separate file. Once again, antivirus vendors will be forced to adapt their scanners to detect this latest type of infection.
Hard-core ways of protecting your network
What can we do if we’re unable to predict what file types will be infected next? The answer is simple, but it comes with a price. We must scan all the files arriving on our networks, regardless of their file extensions. The obvious penalty we pay is increased processing overhead. Even the most intelligent virus scanner that can parse files by type will impose some level of degradation on the performance of the network. However, the benefits of scanning all files outweigh these costs. The chance of a new virus getting past the first line of defense is greatly reduced. Also, the problem of reconfiguring the list of file types to scan is eliminated. Relying on any list of file extensions to be scanned is guaranteed to become a problem just as soon as a virus author discovers the next type of infection.
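To make the difference between the two policies concrete, here is an added example (not code from the original article or from any antivirus product) that decides whether a file should be scanned first by its extension and then by its content. The extension list, the signature table and every sample file are constructed for illustration; the "files" are in-memory byte strings, and a document saved as `.txt` or an executable renamed to `.dat` shows where the extension approach breaks down.

```python
"""Extension-based versus content-based scan decisions.

Added example, not code from the original article: the extension list,
the signature table and every sample file below are constructed to
illustrate the point, not taken from any product.
"""
from __future__ import annotations

import os
import struct

# A default extension policy of the kind the article describes (constructed).
SCAN_EXTENSIONS = {".exe", ".com", ".dll", ".doc", ".dot", ".xls", ".vbs"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document header


def is_pe_executable(data: bytes) -> bool:
    """DOS 'MZ' stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def is_ole_document(data: bytes) -> bool:
    """Legacy Word/Excel container format, the one that carries macros."""
    return data.startswith(OLE_MAGIC)


def is_script_source(data: bytes) -> bool:
    """Crude heuristic: text that opens like VBScript/JScript source."""
    head = data[:512].lstrip().lower()
    return head.startswith((b"on error resume next", b"set ", b"dim ", b"createobject("))


# Order matters: binary signatures first, the text heuristic last.
SIGNATURES = [
    ("pe-executable", is_pe_executable),
    ("ole-document", is_ole_document),
    ("script-source", is_script_source),
]


def sniff_type(data: bytes) -> str | None:
    """Return the first matching content type, or None if nothing matches."""
    for name, matcher in SIGNATURES:
        if matcher(data):
            return name
    return None


def scan_by_extension(filename: str) -> bool:
    """The old policy: scan only if the extension is on the list."""
    return os.path.splitext(filename)[1].lower() in SCAN_EXTENSIONS


def scan_by_content(data: bytes) -> bool:
    """Content policy: scan whenever the bytes look like a scannable object."""
    return sniff_type(data) is not None


def compare_policies(files: dict[str, bytes]) -> dict[str, dict[str, bool]]:
    """For each (name, bytes) pair, record what each policy would do."""
    return {
        name: {"by_extension": scan_by_extension(name), "by_content": scan_by_content(data)}
        for name, data in files.items()
    }


def build_pe_stub() -> bytes:
    """Minimal bytes that satisfy is_pe_executable (constructed, not a real program)."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"


# Constructed sample files: the names and contents are illustrative only.
SAMPLE_FILES = {
    "report.doc": OLE_MAGIC + b"\0" * 32,   # correct extension: both policies scan
    "notes.txt": OLE_MAGIC + b"\0" * 32,    # OLE document saved with a .txt extension
    "tool.dat": build_pe_stub(),            # executable behind a harmless-looking extension
    "macro.vbs": b'Set ws = CreateObject("WScript.Shell")\r\n',
    "readme.txt": b"Plain notes, nothing to scan.\r\n",
}

if __name__ == "__main__":
    for name, verdict in compare_policies(SAMPLE_FILES).items():
        print(f"{name:12} extension={verdict['by_extension']!s:5} content={verdict['by_content']}")
```

The content policy is only as good as its signature table, which is exactly the article's point: a scanner that parses files by type still has to be handed every file, whatever its name, rather than a pre-filtered list.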
Other tips to keep a virus from ruining your day
Here are some additional, less drastic steps you can take to help keep viruses off your network:
- Apply the security patches that Microsoft and others have issued for e-mail clients (Outlook, Outlook Express, and so on).
- Apply the security patches for browsers (especially Internet Explorer).
- Maintain the very latest antivirus files on your desktops, file servers, and Internet gateways/mail servers.
- Use a different antivirus product on each of these zones to maximize the coverage.
- If you don’t have to use files with problem extensions (EXE, VBS, and so forth), block them at the firewall in both directions.
- Make sure that the security settings for all applications (e-mail clients, newsreaders, browsers) are set to the most restrictive levels your users will accept, which includes disabling Java and any scripting languages.
- Create a few dummy e-mail addresses in all users’ address books that deliver to you, so that a virus or worm mailing itself to address-book entries reaches you first and alerts you to the attack.
- Make sure that your network security hasn’t been neglected. Applying the correct levels of rights and permissions to users can stop many viruses.
- Subscribe to mailing lists that will keep you informed of new security issues.
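The dummy-address tip above turns the mail gateway log into a detection source: any message addressed to one of the planted addresses came from a machine whose address book was harvested. The following added example (not code from the original article) reads constructed gateway log lines, picks out deliveries to canary addresses and summarizes them per sender. The log format, the canary addresses and every log line are constructed; a real gateway's log shape will differ and the regular expression must be adapted to it.

```python
"""Detecting address-book worms with canary addresses.

Added example, not from the original article. The log format, the
canary addresses and every log line are constructed for illustration.
"""
from __future__ import annotations

import re

# Addresses planted in users' address books that deliver only to the admin (constructed).
CANARY_ADDRESSES = {"aaa-canary@example.com", "zzz-canary@example.com"}

# One delivery per line, in a simple constructed shape:
#   <date> <time> from=<sender> to=<recipient> subject="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)"$'
)


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one log line; return None for anything that does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def canary_hits(lines, canaries=CANARY_ADDRESSES) -> list[dict[str, str]]:
    """Return the parsed records whose recipient is a canary address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcpt"].lower() in canaries:
            hits.append(rec)
    return hits


def summarize_by_sender(hits) -> dict[str, dict]:
    """Group canary hits by sender: first time seen, which canaries, which subjects."""
    summary: dict[str, dict] = {}
    for rec in hits:
        entry = summary.setdefault(
            rec["sender"], {"first_seen": rec["ts"], "canaries": set(), "subjects": set()}
        )
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["canaries"].add(rec["rcpt"])
        entry["subjects"].add(rec["subject"])
    return summary


def suspected_infected(summary) -> list[str]:
    """Senders whose mail reached any canary: their address book was harvested."""
    return sorted(summary)


# Constructed log lines; none of these addresses or messages are real.
SAMPLE_LOG = """\
2000-05-04 08:12:01 from=<alice@example.com> to=<bob@example.com> subject="status report"
2000-05-04 08:12:03 from=<alice@example.com> to=<aaa-canary@example.com> subject="Important message"
2000-05-04 08:12:03 from=<alice@example.com> to=<zzz-canary@example.com> subject="Important message"
2000-05-04 08:12:05 from=<carol@example.com> to=<aaa-canary@example.com> subject="Important message"
2000-05-04 08:15:00 from=<dave@example.com> to=<erin@example.com> subject="lunch?"
malformed line that the parser must skip
""".splitlines()

if __name__ == "__main__":
    summary = summarize_by_sender(canary_hits(SAMPLE_LOG))
    for sender in suspected_infected(summary):
        info = summary[sender]
        print(f"{sender}: first seen {info['first_seen']}, "
              f"{len(info['canaries'])} canaries, subjects {sorted(info['subjects'])}")
```

Several senders hitting the canaries within minutes of each other, all with the same subject, is the signature of a mass-mailing outbreak; the per-sender list is also the list of desktops to isolate and clean first.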
The lesson we learn from these cases is that waiting until a virus has been discovered with a new file extension is almost a guarantee of trouble. It is far better to stop relying on file extensions as an indicator of potentially infected files: more than 180 types of files and other possibly infected objects are known at this time, and the list grows constantly.
What sort of tricks do you use to keep the latest viruses from infecting your network?