Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Guidelines for an Anti-Virus Policy

Alan Solomon

[Back to index] [Comments]

Introduction

The virus threat is real. It is not the world-shattering problem sometimes outlined in the pages of the press; nor is it the non-existent 'urban myth' suggested by others. Many 'in the wild' viruses cause no damage; but a significant number are specifically designed to cause data loss. Like other problems facing IT professionals, the virus threat should be assessed realistically. It is important to identify those areas of the organisation which interface with the outside world; and which are the likely source of a virus infection. The appropriate anti-virus tools should be selected, designed to provide a layered defence of the system (perimeter defences, in-depth protection of laptops PCs, desktop PCs and servers, etc.). It is important to look at the way data is handled within the organisation; and to take routine precautions to minimise the risk of infection.

What is a Virus?

A virus is a piece of self-replicating code; in other words, it is software which is designed to copy itself.

Boot sector viruses infect the boot sector of floppy disks and the partition sector [or, in some cases, the boot sector] of hard disks, when the PC is booted from an infected floppy disk. Executable file viruses infect program files, on local drives or network drives. Macro viruses infect the macros within document and spreadsheet files.

In addition to the code necessary for the virus to copy itself, most successful 'in the wild' viruses try to conceal themselves, from users and from anti-virus programs [if a virus quickly draws attention to itself, it is unlikely to spread very far]. Some viruses contain a payload; this may be anything from a screen display, or message, or damage to data files. However, not all viruses contain a payload. If the virus does contain a payload, there must be a trigger which causes the virus to deliver its payload. The trigger may be a particular system date, the number of re-boots, the number of floppy disks infected or something else which software can be designed to do.

It is worth noting that virus authors, unlike commercial software vendors, do not have to make their software compatible with other programs; they do not have to beta test their software or provide technical support on their products; for this reason, viruses may produce unintended consequences [they may make the system unstable, or prevent other software from working properly].

Identifying the Threat

You can't manage what you can't measure! In order to implement an effective anti-virus strategy, it is essential to identify the sources of any possible virus infection. You should consider the following.

Minimising the Virus Threat

There are several steps you can take to minimise the risk of your organisation becoming infected by a virus and, if a virus does breach your defences, to minimise the risk of data loss.

  1. Taking regular backups of data on your system is the most important precaution you can take against data loss, whether that data loss is the result of hardware or software malfunction, or virus infection. It is important to ensure that you are able to restore data from these backups. You should also ensure that you have clean copies of all your executable files on floppy disks [these disks should be kept write-protected].
  2. You should ensure that ALL incoming software comes from reputable sources. It is a common, though mistaken, belief that shareware, free disks or games are the only source of viruses: while such software can be a source of viruses [because it is copied more], it is the source - NOT the function - of software which is important [viruses have been found on shrink-wrapped software distributed by major companies, and on disks sent out with hardware]; the playing of games is primarily a management issue, rather than a virus issue 'per se'. For this reason, ALL incoming floppy disks should be checked for viruses.
  3. Floppy disks are a common means by which viruses are spread [boot sector viruses, which represent a large proportion of the viruses reported to Dr Solomon's Software, can be spread only on floppy disks]. Judicious management of workstations, particularly in relation to the use of floppy disks, can help to minimise the risks of infection by boot sector viruses.
    1. Cultivate the habit of write-protecting floppy disks, wherever possible, to prevent virus infection.
    2. Discourage users from leaving floppy disks in the drive when PCs are switched off, to prevent PCs from being inadvertently booted from a floppy disk infected with a boot sector virus.
    3. If users do accidentally boot from a diskette, encourage them to power-off and re-start the PC, rather than continuing the boot process.
    4. Change the CMOS setting of PCs, so that they boot in the sequence C:, A: [to prevent the PC from booting from a floppy disk].
  4. Judicious network management can go a long way towards preventing the infection of files stored on a network. As far as normal network users are concerned, a file server issimply a hard disk at the end of a cable: it may be where their software is run from; it may be where their data files are stored; and it is the place to which their files goon their way to the printer. The system administrator can do a lotto protect a network against the possibility of virus infection, simply by making use of the built-in security features offered by most networksoftware. When a user logs-in to the network, the network software checks, by means of a password, to see what rights have been assigned to that user by the network supervisor. If there is a virus memory resident on that user's PC, it has only the same rights as the logged-in user. By setting files to 'execute-only', the network supervisor can ensure that users are able to run software without being able to change it; and if the user is unable to change software, then so is the virus [this may also be done for data files, by setting them to 'read-only']. The situation is different on the workstation itself: here the user is able to change file attributes, using routines made available by the operating system; and if the user is able to do this, then so is any virus which is memory resident on that user's PC.]

Anti-Virus Tools

It is important that your organisation is equipped with the right tools with which to implement an effective anti-virus strategy. Such a strategy should be based on the prevention of virus infection, the earliest possible detection of any virus which breaches your organisation's outer defences and, should a virus spread within your organisation, recovery and a return to normal business as quickly as possible. You should consider the following when selecting which tools to use.

The tools described below are designed both for prevention and early detection of viruses.

Booting Clean

NEVER attempt to carry out a clean-up operation if there is a virus in memory. ALWAYS power-off [to clear memory] and boot from a clean disk, to avoid running anything from the hard disk.

It is wise to ensure that you have a system disk for PCs within your organisation. However, you should consider the following.

Your system disk(s) [and other utilities] should be created in advance of any virus outbreak; a clean-up is not the occasion to discover that you lack the tools necessary to deal with a virus outbreak. We would recommend that you put together a set of 'emergency tools', in advance of any virus infection: these tools should be kept up-to-date by the IT department.

Booting Clean Under Windows 95

A system disk may be created under Windows 95, using the syntax

FORMAT A:/U/S

This will enable the PC to be booted clean. However, we have found that this is NOT sufficient for removing some boot sector virus infections; in a few cases, an attempt to boot clean in this way causes the PC to 'hang'. In these cases, you should proceed as outlined above, using a DOS system disk [or using Dr Solomon's Magic Bullet... If the PC is running a version of Windows 95 which uses a 32-bit FAT [File Allocation Table], you will be unable to access files on the hard disk if the PC is booted from a DOS system disk or a system disk created under a version of Windows 95 using a 16-bit FAT. If you use a version of Windows 95 which uses a 32-bit FAT, you should create a specific system disk for this operating system, or use Dr Solomon's Magic Bullet [see below].

Dr Solomon's 'Magic Bullet'

Dr Solomon's Anti-virus Toolkit is supplied with a disk labelled 'Magic Bullet'. This enables you to clean boot the PC and, via a user-interface, detect and remove viruses.

Magic Bullet will scan and clean files on any disks formatted under the FAT [File Allocation Table] system. This includes MS-DOS and Windows 95 [including versions of Windows 95 which uses a 32-bit FAT]. If the PC is running Windows NT [using the NTFS file system] or OS/2 [using the HPFS file system], you will be able to scan the partition sector of the disk, but not the files.

If a PC uses disk compression [such as Stacker or SuperStore], or if access is required to additional hardware [CD-ROM drives, for example], Magic Bullet will NOT give you access to the drive(s). In these cases, you should create a specific system disk using the methods outlined above.

What Users Need to Know

The anti-virus tools deployed throughout your organisation are the most effective means of preventing the infection and spread of a virus. The organisation's 'perimeter defence' ['sheep-dip' PCs] minimises the risk of a virus entering the organisation. The organisation's 'in-depth', desktop protection [VirusGuard and WinGuard] operates in the background, preventing access to infected disks and files with minimal input required from the user. Server protection adds a secondary layer of defence 'in-depth'; and makes it easier to administer the anti-virus strategy.

The more your anti-virus strategy can be lifted out of the hands of your users, and the more automated the anti-virus scanning, the easier it will be to manage. Remember that users are fallible; and that, in their eyes, 'the virus problem' is an IT problem [users' primary function is in Sales, Marketing, etc.].

Nevertheless, any comprehensive anti-virus policy should include guidelines for users, outlining the ways in which they are expected to handle data so as to minimise the risk of infection. You should consider the following.

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua