Protecting Corporate Networks from Viruses

by Natalya Kasperskaya

The safety of information is one of the most acute problems nowadays. This refers both to business and private life. Dozens of periodicals discuss the problem, many volumes are dedicated to it, and specialists in data protection are very well paid. No wonder: neither large companies nor individuals can prosper without their data being thoroughly safeguarded.

One of the most important aspects of corporate network security in large and middle companies concerns the protection from computer viruses. This article concentrates on the means of such protection. We will see how antiviral tools and strategies may be implemented at different levels of network infrastructure.

The main peculiarity of computer viruses is their self-reproducing ability. And the number of viruses capable of destroying computer information constantly multiplies. One thing must be clearly understood: consequences of virus intrusion may be truly disastrous. Imagine all the company’s documents suddenly lost or the network server hard disk formatted clean! Even the seemingly ‘harmless’ virus getting slipped in the corporate LAN can cause malfunction of applications and server slowdown or halt. And if the server stays idle, for example, in a bank’s network, the losses will exceed many times the expenditures on buying antiviral (AV) software. That is why the system administrator should by all means try to minimize the risk of corporate network being infected by virus - and if such infection has occurred, be able to neutralize it and restore the normal workflow of the system as soon as possible.

Precautionary Measures

To get acquainted with the main principles of antiviral network protection we will consider networks with dedicated servers, for peer-to-peer networks are rarely used in large companies (besides, protecting a peer-to-peer LAN means installing antiviral software on each workstation, which is equivalent to buying several copies of that software).

Setting up the networking preferences in AVP

Secure LAN management implies following several general rules.

1. Each network user (and each user group) must have strictly delimited tasks and access rights. To exchange data all users should employ a dedicated directory or internal corporate mail server.

2. Servers must have reliable AV software installed (preferably memory-resident). Using beta and trial versions is not recommended.

3. Servers must be virus-checked once a week; all shared directories need everyday checking. Tests should be run with all the virus-checking options turned on.

4. The number of disk drives and input devices on workstations should be limited. Most of the LAN users should do without local hard drives; all necessary data can be downloaded from the server.

5. It is highly recommended to use a stand-alone computer (not connected to the LAN) to test all new software. New antiviral tools should also be first run on this PC (it is usually called ‘dirty’ PC).

6. All the LAN computers connected to the outer world through modems or dedicated lines should be checked with special care. These checks must be carried out before the files downloaded from Internet find their way to the LAN. To ensure even better security special software called firewall should be installed as network’s gatekeeper. Firewalls not only check the incoming traffic for suspicious files, but also prevent unauthorized access to the LAN.

While implementing all these principles the LAN administrator should keep in mind several details. Even if users’ access is restricted and servers are equipped with antiviral software, shared directories still constitute some danger of virus infection. Unfortunately, memory-resident virus-protection programs significantly slow down the process of file opening/closing. So, in attempt to improve performance LAN administrators often disable the most rigid options of antiviral programs, thus weakening the defense. It is not an easy task to balance performance and security so as to optimize the functioning of a LAN; in each case the solution depends upon the network size, amount of traffic, software in use and the nature of tasks that are being tackled. Fortunately, modern antiviral monitors provide a wide range of customizing options that make such balance achievable. For instance, thoroughness of virus checking may differ for various directories, thus allowing significant protection strengthening at the cost of a minimal increase of server resources utilization.

At this point the problem of choosing the proper antiviral software arises. Quite a lot of AV packages are available today, so it is difficult to make the choice. Many complex criteria must be taken into account thereby.

Choosing the Right Corporate AV Software

before buying an AV package you should make clear several items.

1. First of all you should decide what kind of functions you expect of the software, which elements of your corporate system must be protected, which ‘gates’, or points of entrance you want to defend (consider Internet connections, disk drives, CD-ROMs, e-mail, shared directories etc.).

Decide, what kind of protection you need. There are several aspects of data protection, so consider not only AV checking, but also access control, data encryption and other functions. The advantages of complex means of protection are obvious, but building and maintaining such systems is a more efforts-consuming task.

Some programs excel in performance, others - in accuracy of virus detection, manageability or customizing options. Your choice of software depends on the features that are of more importance for you.

2. The next step is to analyze the computing environment in which the AV software will be functioning. The most important factors determining the consistent network protection strategy are: types of LANs and operating systems installed; computers and servers types and configuration (including CPU speed, amount of RAM etc.); network services (e-mail, Internet connection etc.); installed applications and utilities; network protection tools that are already in use (firewalls, means of access control, auditing etc.). The new AV software must be able to integrate smoothly into the existing environment.

3. After summing up the existing hardware and software configuration consider the types of AV software you may need. The most common types are virus scanners (programs that check disk drives for viruses; usually scanners are combined with heuristic analyzers capable of discovering unknown viruses), system integrity checkers, behavior blockers (programs that intercept suspicious operations) and AV monitors (memory-resident programs that are working in background mode and detect viruses without user’s interference). Memory-resident monitors are often called on-access scanners because they automatically check files that are being created, opened, run as programs or moved. Virus scanners perform the so-called check-on-demand (or manual check) which is always initiated by the user.

In most cases a combination of scanner and monitor provides sufficient server protection. However, it is highly recommended to employ all kinds of AV tools available, insofar as it does not decrease the network throughput.

One of the most important features of any AV program is its ability to delete known viruses and restore infected files into their original state (or the state close to it). Unfortunately, even the leading virus-testing laboratories of the world seldom test the AV software for curing abilities. Practically all modern AV programs restore the infected files, but not all provide the same quality of file recovery.

When the program encounters an unknown virus, its heuristic analyzer may notify the user of it, but to get an updated disinfecting tool the user has to contact the software vendor. And here the warranty issue arises. Warranty is a part of license agreement and usually provides technical support for a term of one or two years (the license agreement also specifies the number of workstations on which the program may be installed; that is why before buying AV software you should make out whether you are going to virus-protect all the network computers or only those connected to the outer world).

Scheduling the antiviral checks

Another important issue is the quality of technical support provided by software vendors. If your AV software has detected suspicious files that look or act like viruses you have to obtain AV software update (or reassuring message in case it has been a false alarm) as soon as possible. There are two types of updates: regular and urgent. Usually software vendors react to emergency within 24 - 48 hours. For instance, Kaspersky Lab guarantees necessary updates within 48 hours; however, registered users of the company’s Antiviral Toolkit Pro (AVP) package get the fist aid sooner.

The leading vendors supply their customers with software updates regularly. Several companies provide such upgrades monthly, others, like Kaspersky Lab, do this every week to guarantee more safety. The user-friendliest programs feature automatic upgrades, for it is not convenient to download files from vendor’s Web site manually. You should pay attention to the automatic updates availability in case your organization relies on centralized network administering. Also, the AV software must be compatible with the administering system that the company may be using currently (it may be Novell’s ZENWorks, Microsoft’s SMS or IbM’s Tivoli). The license agreement should also include local support via telephone and on-the-spot aid by company specialists.

4. The results of the user poll, conducted by Kaspersky Lab in 1998, revealed the importance of AV programs’ additional features. The most sophisticated programs feature the following options:

- immediate notification (via pagers, e-mail, network etc.) in case of virus intrusion;

- immediate disconnecting of infected workstations from the network;

- flexible customizing options allowing an administrator to configure the software on each workstation according to specific needs of the enterprise;

- availability of reliable and comprehensible information concerning all the viruses known to the program. (In this regard the Kaspersky Lab’s AVP package surpasses its competitors: it comes with one of the world’s most comprehensive virus encyclopedias, AVPVE. The encyclopedia contains descriptions of all known viruses, their symptoms (including sound effects) and the ways of fighting them.)

AVP abounds in various customizing options

Studying the Market

After you have formulated your requirements, you can conduct a small market research to estimate all the competing AV packages available. First, you may study the information provided by AV vendors themselves, then turn to independent resources (in fact, purchasing decisions are rarely totally unbiased, usually they are affected by personal habits, acquaintances’ opinions, local traditions etc.). There are quite a few organizations in the world that carry out professional-level comparative testing of AV software. The most widely recognized are International Computer Security Association (ISCA), Virus bulletin and West Coast Labs. ISCA tests AV programs’ ability to detect and eliminate viruses found ‘In the Wild’. Viruses used in the tests are listed at ICSA’s site, the list is regularly updated. To get certified the program must be able to detect 100% of the viruses on the list or at least 90% of the viruses from the comprehensive ICSA collection. You can find more detailed information at http://www. icsa.net. Virus bulletin tests not only the ability of AV products to handle the viruses of the main categories (ordinary, or ‘file’ viruses, polymorphs, macro-viruses, ‘In the Wild’ and so on), but also their features (performance, rate of false alarms etc., see the details at http://www.virusbtn. com). The West Coast Labs’ certification criteria are similar to those of ICSA. The leading computer periodicals, such as PC Magazine and PC World, also conduct comparative analyses. However, any analysis may tend to subjectivity, for there is no universal testing system. For instance, some analysts appreciate program’s interface first of all; others pay more attention to vendor’s market position. All this complicates customer’s decision still more.

As the final stage of decision-making procedure you may try to acquire several products for evaluation before purchasing one of them. As a rule, AV software developers grant such an opportunity to customers, providing them with trial program versions either with limited period of validity or even fully functional. For example, you may obtain a fully functional trial version of AVP from Kaspersky Lab after filling in a special testing request form.

Suppose you have got the evaluation copy of the program. Now you may study its features more in detail. Pay attention to the following important issues.

1. How much does the program slow down your server operation? Every memory-resident program diminishes the performance, so it is up to you to decide whether or not the slowdown is within tolerance. This means you should try to empirically optimize the system’s speed/security balance using the software’s options.

2. Is the program friendly and easy to use? Sure, this is a matter of taste and is up to those who are going to use the software.

3. And the last (but not the least) issue is price. Depending on the number of network users the price may vary from $300 to $5000 per server. Consider your budget and the value of information in your LAN. Remember that the priciest product is not necessarily the best one. And the best antiviral program is undoubtedly the one that not only meets all the above-mentioned requirements but also best suits your personal taste.

Natalya Kasperskaya, e-mail: natalya@ avp.ru; URL: http://www.avp.ru.

A brief Survey of Kaspersky Lab’s Antiviral Solutions

The Antiviral Toolkit Pro package (AVP), offered by Kaspersky Lab, includes a wide range of virus-protection software both for individual users and corporate networking environments. Registered AVP users all over the world enjoy 24-hours-a-day technical support via telephone and e-mail.

AVP provides all kinds of virus protection - scanning, monitoring and integrity checking. It supports the most popular software platforms, including DOS, Windows 3.x, Windows 95/98, NT, OS/2 and Novell NetWare. All the products of the AVP family use the same antiviral database which is updated weekly. Currently it is able to detect and disinfect more than 26,000 viruses of all known types, i.e.:

- polymorph, or self-encrypting viruses;

- “stealth”, or invisible viruses;

- mutating viruses;

- Trojan horses (such as “back Orifice” and the like);

- viruses, specific for particular platforms, such as Windows, Unix and OS/2, as well as Java applet-based pestilence;

- HTML viruses;

- macro viruses for Microsoft Word, Excel, Access and other applications.

AVP detects and disinfects viruses contained in packed files and archives of several types, including ZIP, ARJ, LHA, RAR, as well as in the local mailboxes of many popular e-mail clients. The program possesses a very powerful heuristic engine which guarantees the detection of 80% of new, currently unknown viruses of all kinds. For additional security a redundant scanning mode is provided. The program’s user-friendly interface and abundance of customizing options make AVP an easy to use and convenient tool.

AVP Solutions for Different Platforms

The DOS 32 version of AVP is distributed on boot floppies. This can be a rescue in case a virus attack makes startup of any OS impossible. When nothing helps, you just boot your system using this antiviral startup floppy and run AVP right away. After the program detects and eliminates the infection, you can safely reboot your computer and start your main OS.

AVP for Windows 95/98/NT Workstation.

This version comprises the standard scanning module and several additional programs, including:

- Antiviral memory-resident utility AVP Monitor - an incessantly vigilant sentry which controls all file operations thus protecting your system.

- AVP Inspector (AVPI) - a utility that checks the hard disk for all the system changes (not necessarily caused by viruses). Using the Inspector significantly decreases the time needed to check the disks with the AVP scanner because in this case only new or modified files must be scanned. besides, AVPI has a built-in function that enables the recovery of files and sectors damaged or infected by viruses.

- AVP Control Center - an integrating workshell that provides a quick access to all the antiviral modules and also lets you update the virus database via Internet.

The OS/2 version of AVP includes the standard scanning module and AVP Monitor - the unique memory-resident virus interceptor for this platform.

AVP-based Solutions forNetworking Environments

The company offers antiviral solutions for corporate networks, based on Windows NT (versions from 4.0) and Novell NetWare (versions from 3.1).

AVP for Windows NT Server

This version lets the administrator control the access to the server from any workstation and provides maximum safety for file and application servers in NT networks. Viruses are intercepted right on the NT server, antiviral database is updated automatically via Web. Memory-resident Monitor controls the users’ access to the server resources. With the help of AVP Control Center, a special integrating workshell, the administrator can schedule the management of all the AVP components - Scanner, Monitor and Inspector - and create complex reports. The coming upgrade, due in the nearest future, will also include the means of remote control for the antiviral modules and remote notification in case of virus attacks.

Windows NT Server users may also purchase Kaspersky Lab’s special version of AVP Inspector for Web servers. This program controls Web servers content in order to detect unauthorized data or reference changes.

AVP for Novell NetWare (AVPN)

AVPN is a powerful protection tool for NetWare-based networks. It supports the Novell Directory Service (NDS) and provides both virus scanning and filtering to monitor the files stored on the server, so as to detect viruses in static data as well as in files currently read from the file server or written to it. The administrator can run the scanning process either on schedule (using the built-in scheduler) or at random. The antiviral filter is able to check files on the fly, while they are being read, written or run. When the infected files are detected, they may be cured (disinfected), deleted, moved to a user-specified directory or renamed; there is also an option for disconnecting infected workstations from the net. The antiviral databases may be dynamically updated or totally replaced. All the operations and their results are logged in the registry.