Protective Layers

With so many types of malware stalking the Internet, companies pile on their e-mail defenses.

When the Nimda worm struck in 2001, one of its many victims was the Virginia Hospital Center in Arlington. The worm crashed servers, erased data and forced VHC to hire a consultant.

"It deleted files and brought a couple of servers to their knees," says IT director Mark Rein, who joined VHC a year after Nimda struck. "We had to have a company come in and eradicate the virus."

Fortunately, the virus didn't attack patient data. But it did provide a wake-up call, making VHC aware that it needed better e-mail security. There wasn't a silver bullet that could stop all viruses and—nearly as bad—spam, so VHC opted for multiple overlapping defenses.

Today, the hospital is protected by five layers of antivirus and antispam defenses: an e-mail relay and antivirus product called eSafe from Aladdin Knowledge Systems Ltd.; an antispam and antivirus device from MailFrontier Inc.; antivirus software from Symantec Corp. on the e-mail servers and desktops; and a Web filter from Websense Inc. to monitor HTTP traffic and prevent employees from accidentally downloading viruses from the Web.

Finally, the hospital uses a Juniper Networks Inc. intrusion-detection and intrusion-prevention product to alert IT staff to anomalies in network traffic or unauthorized software on the system.

Sound excessive? In this era of massive malware attacks, such multiple layers of defense are, in fact, not paranoid but prudent.

In a March report from Ferris Research in San Francisco, antivirus software vendors said that there were nearly 100,000 viruses in existence then and that the number is increasing each month. F-Secure Corp., a vendor of antivirus products in Helsinki, Finland, notes that the largest virus outbreak in 2004, MyDoom.A, churned out nearly 10% of global e-mail at its peak (see "New e-mail worm breaks infection records").

Image Credit: Joyce Hesselberth

Another problem is spyware and adware, small programs that install themselves on a PC and either push out advertising or, in the case of spyware, track user activities. Such programs can come from the most innocent of sources.

Last fall, for example, the U.S. Department of Energy's Carlsbad, N.M., office was perplexed by a sudden flood of pop-up pornographic ads on employee PCs. "We couldn't understand how we were getting all this traffic from adult sites," says Paul DeVito, information systems site security manager.

His staff traced it to a weather site used by the DOE that had been hacked and was downloading X-rated adware to visitors' PCs.

Besides cutting productivity, adware and spyware can also cause computer problems and worse. "It can cause instability in PCs, operations to crash, slow performance," notes Chris Williams, a senior analyst at Ferris Research. "And it can log your keystrokes and report those back to a Web site, so your network log-in is being compromised."

Security Strategies

How can a company shore up its servers and desktops against this rising tide of malware? First, say experts, educate employees on spam and viruses. But education can go only so far; technology is also needed. Here are five steps for defending against malware.

1. Restrict user privileges.

The fewer the system privileges on a user's desktop, the fewer opportunities there are for viruses and spyware to take over, says Andrew Jaquith, an analyst at The Yankee Group in Boston. "The biggest reason companies have spyware problems is the user privileges are set too high," he says.

IT may also opt to block certain types of attachments, such as executable or Zip files, and prevent access to certain Web sites. The DOE's Carlsbad office now uses Websense software to block access to adware- and spyware-heavy sites, such as gambling sites. It also relies on an e-mail firewall from Tumbleweed Communications Corp. with built-in McAfee Inc. antivirus and spyware filtering tools.

2. Apply patches immediately.

Installing security patches and updates is critical, regardless of how much antivirus protection you may have. JetBlue Airways Corp. in Forest Hills, N.Y., for example, has layers of antivirus and antispam defenses, but its IT staffers also apply new security patches promptly, says Lesen Wang, IT e-mail systems administrator at JetBlue.

"Even with an antivirus program, a virus can get through," he says. Two years ago, for example, JetBlue's desktops were infected by the Blaster virus because they hadn't been patched, but the airline's servers, which had received regular updates, remained unaffected.

3. Switch to alternative e-mail packages.

While not guaranteed to be shielded against viruses, nonstandard (that is, not Microsoft) software is less likely to be targeted by virus writers.

For example, Brett McKeachnie, network systems administrator at Utah Valley State College, reports that the school, which uses Novell Inc.'s GroupWise, never had a virus problem and didn't realize it was receiving viruses until it installed iSolation Server, an e-mail security product from Avinti Inc. in Lindon, Utah.

"Avinti put [iSolation Server] into the mail stream, and the next thing you know, we've got 40 to 50 viruses hitting the filter," says McKeachnie. However, not everyone at Utah Valley State uses GroupWise—some are on Outlook—so the college remains vulnerable to virus attacks and, of course, spam.

4. Build a multilayered defense.

There are several approaches to antivirus and antispam protection, none of which is 100% effective. So using two or more is a useful strategy, say experts.

Techniques for blocking spam include maintaining blacklists of spammers' Internet addresses and employing the challenge/response strategy, which attempts to catch spammers by asking a suspicious sender to resend the message, the assumption being that an automated spam program won't reply. Another option is Bayesian filters, which "learn" to recognize spam from samples that an IT administrator or an end user feeds them. The filter then uses probability scores to decide whether an e-mail is likely to be spam.
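How a Bayesian filter turns the samples an administrator feeds it into a probability score, as an added example that is not from the article or from any product it names; the training messages, the per-message word counting and the Laplace smoothing are constructed assumptions:

```python
import math
import re
from collections import Counter

# Constructed training samples (not from the article); a real deployment
# would be fed the administrator's or end user's own flagged mail.
SPAM = [
    "cheap viagra online buy now",
    "buy cheap pills now free shipping",
    "free money click now to claim prize",
    "claim your free prize now",
]
HAM = [
    "meeting tomorrow about the quarterly budget",
    "please review the attached budget report",
    "lunch tomorrow with the project team",
    "project report due friday please review",
]

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())

class BayesFilter:
    """Word-level naive Bayes spam filter with Laplace smoothing."""
    def __init__(self):
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        counts = self.spam_words if is_spam else self.ham_words
        counts.update(set(tokens(text)))   # count each word once per message
        if is_spam:
            self.spam_msgs += 1
        else:
            self.ham_msgs += 1

    def spam_probability(self, text):
        # Log-odds: start from the class prior, then add evidence per word.
        # Words never seen in either class contribute nothing (ratio of 1).
        log_odds = math.log((self.spam_msgs + 1) / (self.ham_msgs + 1))
        for w in set(tokens(text)):
            p_w_spam = (self.spam_words[w] + 1) / (self.spam_msgs + 2)
            p_w_ham = (self.ham_words[w] + 1) / (self.ham_msgs + 2)
            log_odds += math.log(p_w_spam / p_w_ham)
        return 1 / (1 + math.exp(-log_odds))   # P(spam | message)

def build_filter():
    f = BayesFilter()
    for s in SPAM:
        f.train(s, True)
    for h in HAM:
        f.train(h, False)
    return f
```

A message with several words seen only in spam lands near 1.0, one built from the ham vocabulary near 0.0, and a message of unknown words stays at the prior of 0.5.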

Signature-based scanning is the most common approach for identifying viruses, but it doesn't help when there's a brand-new virus on the loose. The "zero hour" problem—the time lag between the initial release of a new virus and the point when an antivirus software vendor can issue a patch update—is the biggest problem with signature-based products, especially since the gap can be as long as eight hours. Companies relying solely on pattern-based antivirus protection are vulnerable to new viruses during that time.

One technique that attempts to close this gap is blocking technology that shuts down access to certain systems if it detects any initial virus activity. For example, JetBlue used Trend Micro Inc.'s signature-based ServerProtect, but it opted to add IronPort Systems Inc.'s C-Series antivirus and antispam device, which includes a blocking technology called Virus Outbreak Filter. The filter quarantines suspect e-mail if it detects a new virus outbreak based on data from IronPort's SenderBase e-mail monitoring network.

Yet another approach to blocking viruses is heuristics scanning, which detects viruses by analyzing a file's structure, behavior and other attributes instead of looking for a pattern match in the code.
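The layers described in steps 1 and 4 (attachment-type blocking, signature matching, heuristic inspection and outbreak-volume quarantine) combined into one scan pipeline, as an added example that is not from the article or from any vendor it names; the blocked-extension list, the magic-byte table, the outbreak threshold and the in-memory counter standing in for a monitoring network are constructed assumptions, and the EICAR string is the industry-standard harmless test file:

```python
import hashlib
from collections import Counter

# Constructed test data, not from the article. EICAR is the industry-standard
# harmless test string that antivirus products recognise by signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}
BLOCKED_EXT = {".exe", ".scr", ".pif", ".vbs", ".zip"}   # attachment-type policy
BENIGN_EXT = {".txt", ".pdf", ".jpg", ".gif", ".doc"}    # content should match these
MAGIC = {b"MZ": "executable", b"PK\x03\x04": "zip archive"}
OUTBREAK_THRESHOLD = 3   # same unknown attachment seen this often -> quarantine

seen_hashes = Counter()  # volume counter standing in for outbreak telemetry

def extension(name):
    return "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""

def heuristic_flags(name, data):
    """Structural check that needs no signature: content whose magic bytes
    say executable or archive while the file name claims a benign type."""
    flags = []
    for magic, kind in MAGIC.items():
        if data.startswith(magic) and extension(name) in BENIGN_EXT:
            flags.append(f"{kind} content under {extension(name)} name")
    return flags

def scan_attachment(name, data):
    """Return (verdict, reason). Layers run in order: type policy,
    signature match, heuristics, then outbreak-volume quarantine."""
    ext = extension(name)
    if ext in BLOCKED_EXT:
        return "blocked", f"attachment type {ext} not allowed"
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        return "blocked", f"signature {SIGNATURES[digest]}"
    flags = heuristic_flags(name, data)
    if flags:
        return "blocked", "heuristic: " + "; ".join(flags)
    seen_hashes[digest] += 1   # unknown file: count copies for outbreak detection
    if seen_hashes[digest] >= OUTBREAK_THRESHOLD:
        return "quarantined", "possible outbreak: same unknown file seen repeatedly"
    return "delivered", "clean"

if __name__ == "__main__":
    for name, data in [("setup.exe", b"MZ"), ("eicar.com", EICAR),
                       ("holiday.jpg", b"MZ\x90\x00"), ("notes.txt", b"agenda")]:
        print(name, scan_attachment(name, data))
```

The last layer is what closes the "zero hour" gap for a file no signature knows yet: it is held once enough identical copies arrive, before any vendor update exists.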

The bottom line, say experts, is that two or more defensive technologies—whether in different products or combined in one—are better than one.

Just as using two types of antivirus or antispam software can increase your odds of catching malware, so, too, can locating defensive products at different points on your network. Firewalls, SMTP gateways, HTTP gateways, e-mail and file servers, and desktops are all good places to defend.

Monrovia Nursery Co., a national plant and flower wholesaler in Azusa, Calif., recently added its fourth layer of security: an antispam and antivirus gateway from MailFrontier in Palo Alto, Calif. The new gateway complements an existing firewall—which blocks attachments such as Visual Basic scripts—and antivirus software from Symantec on its e-mail servers and desktops. "It's another layer of protection," says Ray Martin, Monrovia's IS technical manager. "Redundancy and variety are good when it comes to e-mail security."

The main point of a multilayered defense, says Richi Jennings, a Ferris Research analyst, is to cover all of the potential points where a virus could enter. Too often, he says, companies think they're immune to viruses, when in fact they've failed to cover a key point of entry.

"You may feel you have a clean architecture, with virus scanning on the perimeter of the network," Jennings says. "But if you've forgotten a vector—such as a laptop that has a virus and gets plugged into the company network—then suddenly you've got a bunch of infected machines because you didn't put antivirus on the desktops."

5. Use an outside service.

If you want a multitiered defense without having to purchase individual products and implement them, an outside antivirus and antispam service may be the answer. Companies such as MessageLabs Ltd. and Postini Inc. will intercept and clean your e-mail of viruses and spam before sending it to your e-mail server, thus sparing you the software and hardware expense of scanning and processing your own e-mail.

Internet service providers may offer antivirus and antispam filtering services to corporate clients. For example, virus and spam filtering at Bata Canada, a unit of shoe manufacturer and retailer Bata International, is handled by Bata's service provider, Pathway Communications in Markham, Ontario.

One major advantage, according to Eli Gabbay, manager of IT technical support at Bata, is the ability to offload some of the administrative chores to Pathway. "I found [antispam and antivirus software] to be very complicated. ... There's a lot of work for me to do to maintain it," he explains. "Now the only thing I need to do is put any spam that gets through into a folder, and Pathway adds it to its database."

Typically, antivirus services use signature-based scanning in combination with other approaches to optimize their success rates. And they clean up the e-mail before it ever reaches their customers' servers. Some users are also turning to antivirus and antispam service providers to clean up their e-mail before it even hits their firewalls.

Euro RSCG Worldwide, a New York-based international advertising and marketing firm with 233 agencies, turned to New York-based MessageLabs for help in dealing with a rising flood of spam that threatened to overload its e-mail servers.

"We had more spam coming in than legitimate e-mail," says CIO John Tanner. "It got to the point, last August, where we were going to have to increase our hardware by 33%."

Euro RSCG tried blocking spam at the firewall with blacklists, but that approach sometimes blocked mail from prospective clients whose addresses or e-mail servers had been hijacked by spammers. So the ad agency tried the MessageLabs service, which culls spam and viruses before sending the clean mail on.

Of course, the company still uses antivirus software on its servers and desktops to be safe. But so far, spam has ceased to be a problem. "I don't have to manage any hardware or software. I don't have to worry about upgrading hardware because spam has increased," says Tanner. "Spam has disappeared from the planet for us."

Hildreth is a freelance writer in Waltham, Mass. She can be reached at


The Enemies

Here are a few images of viruses that have infected Internet mail.

Copyright © 2005 IDG Communications, Inc.
