Antivirus Safety Net Has Too Many Holes

Despite all-out efforts to eradicate them, viruses remain this security manager's costliest problem

The largest risk my company faces for downtime and lost revenue comes from virus infections. Viruses used to be a nagging little problem that affected only those who trafficked in copyright-infringing software on floppies. Then Microsoft decided that documents should also be virtual machines that run macros, and the virus world became a lot more exciting. Just when we got our heads around that, Microsoft decided that e-mail clients should also be able to run scripts and that our address books should be open to all software.


This Week's Glossary

Virus generation tool kit: Software available on the Internet that allows low-skilled wannabe virus writers to create viruses. One of these tool kits, called Visual Basic Script Worm Generator, was used to create the recent Anna Kournikova virus.

Secure Sockets Layer: SSL consists of a set of cryptographic protocols that use public-key technology to authenticate the site you are visiting and encrypt the data stream to keep the data transmitted confidential and unmodified.

Morris worm: A program written by Robert Morris Jr., a student at Cornell University in Ithaca, N.Y., that spread across the Internet in November 1988 and crippled large parts of it.

Melissa virus: This launches itself when a user opens an infected Microsoft Word 8 or Word 9 document. It prompts Microsoft Corp.'s Outlook e-mail program to send an infected document to the first 50 addresses in a victim's address book.

Love Bug: A Visual Basic script worm sent as an e-mail attachment. The message's subject contains "I Love You." It propagates itself to all addresses in a victim's address book.

LINKS:

www.hushmail.com: Dublin-based Hush Communications is a Web-mail company that takes security seriously - perhaps even a little too seriously. It's for paranoid people like me.

www.vmyths.com/index.cfm: Can't tell your AOL4Free.com from your Love Bug? VMyths.com, Rob Rosenberger's virus myths home page, will help you separate fact from fiction.

There are thousands of viruses, each of them trying to spread, and many of them leaving damaged data and public relations woes in their wake.

We run the best antivirus defenses money can buy. We update our software every time the vendors release new patches. We spend a great deal of effort on the problem, and yet we still suffer occasional virus infections. Why?

Chinks in the Armor

First of all, we must continue to do business. Our development teams need to share code. Our sales teams have to send documents and presentations, and our finance teams have to share spreadsheets and databases. These days, all these files can contain viruses.

I remember recruiting new staff to address virus issues and interviewing a string of ex-military and intelligence types. Short haircut after short haircut explained to me that the way to eradicate the virus threat was simply to remove all floppy drives and CD-ROMs from all machines, disable Internet access and discipline anyone caught with a virus on their machine. We could never get away with that.

The business benefits we derive from allowing documents and spreadsheets in and out of our environment far outweigh the downside of the rare virus epidemic that overloads the e-mail system or of the requirement to go to backups to recover some corrupt files after an infection.

Of course, we work to reduce the risk as much as we can. But best efforts don't give us 100% protection; every system has a chink in its armor. Once in a while, a new virus finds a way through our lines of defense.

In the good old days, it would take many months for a new virus to become a global issue, leaving plenty of time for virus updates. Today, a hacker can execute a few mouse clicks using a virus generator tool kit and make headlines on CNN the same day.

In response, vendors have developed faster ways to deploy updated signatures. Most are now Web-enabled with automatic updates and central management consoles. Their deployment packages, which push protection onto user desktops and servers, could teach intrusion-detection system (IDS) vendors a thing or two.

Most IDS deployments require you to visit each machine in turn. That's fine when you have five machines in a demilitarized zone, but what if you have more than 4,000? Even with these improved tools, it still takes a lot of effort to deploy a new signature to every desktop. If the machine is turned off or the user has disabled the virus checker, then you're still exposed.

As the number of virus signatures grows, the desktop virus scanner runs slower and slower, tempting users to disable it. Vendors have tried to work around this by limiting what they scan: They usually just look for program files - the .exe, .com, .vbs and .doc files known to contain viruses. This means that, even with all the latest signatures loaded and the desktop antivirus software enabled, infected files can still get through undetected. So we can't trust the desktop to be timely or even there at all. We have to have gateway protection as well.
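One way to see the gap described above, as an added example that is not the author's or any vendor's code: classify a few constructed sample files by extension only, the way the column says desktop scanners of the day did, and then by their leading bytes and content, so a renamed document or executable still gets scanned. The magic numbers are well-known file signatures; the script marker heuristic is a deliberately crude assumption.

```python
import re

# Extensions the article says desktop scanners limited themselves to
SCANNED_EXTENSIONS = {".exe", ".com", ".vbs", ".doc"}

# Well-known file signatures (magic numbers), independent of the file name
MZ_MAGIC = b"MZ"                                  # DOS/Windows executable
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (Word 8/9 .doc)
# Crude textual markers of a Windows Script Host script; scripts carry no magic number
SCRIPT_MARKERS = re.compile(rb"(WScript\.|CreateObject\s*\()", re.IGNORECASE)


def scanned_by_extension(name: str) -> bool:
    """Mimics extension-only scanning: look at the suffix and nothing else."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in SCANNED_EXTENSIONS


def content_type(data: bytes) -> str:
    """Classify by leading bytes or content, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(MZ_MAGIC):
        return "pe-executable"
    if SCRIPT_MARKERS.search(data):
        return "wsh-script"
    return "other"


def needs_scan(name: str, data: bytes) -> bool:
    """Scan if either the extension OR the content says the file can carry code."""
    return scanned_by_extension(name) or content_type(data) != "other"


# Constructed sample files (not real malware): the same payload types under different names
SAMPLE_FILES = {
    "report.doc": OLE2_MAGIC + b"\x00" * 24,      # Word document with an honest name
    "report.rtf": OLE2_MAGIC + b"\x00" * 24,      # the same document renamed to .rtf
    "setup.scr": MZ_MAGIC + b"\x90" * 62,         # executable carrying a .scr suffix
    "greeting.txt": b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n',
    "minutes.txt": b"Meeting notes: nothing to see here.\r\n",
}


def triage(files: dict) -> dict:
    """Per file: what extension-only versus content-aware scanning would decide."""
    return {name: {"by_extension": scanned_by_extension(name),
                   "content": content_type(data),
                   "scan": needs_scan(name, data)}
            for name, data in files.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLE_FILES).items():
        print(f"{name:13} ext={v['by_extension']!s:5} content={v['content']:14} scan={v['scan']}")
```

Three of the five samples are skipped by the extension rule but flagged by content, which is the "infected files can still get through" case the column describes.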

By forcing the entire Web and e-mail content in and out of the company through gateways, we can check it all in one place. This used to be foolproof: Keep it up-to-date and you'd never have a virus. People even began to wonder if we needed desktop protection at all, with such good border protection.

Then, like good security people, we improved the confidentiality of our users. Shopping online? Use a Secure Sockets Layer encrypted session to protect your credit card from prying eyes. Sadly, our gateway protection is a type of prying eye. If users encrypt, we can see nothing and can do nothing to help them keep viruses at bay.

The same problem affects the use of Web-mail services like Hotmail. We encourage staff to use these to reduce the risk of company liability. If they are going to say something foolish, we prefer that our company name not be associated with it. While our e-mail servers have antivirus software installed, many Web-mail providers don't. If they use a decent Web-mail provider, like Hushmail, the content is protected, so the virus gets through our proxy Web checking. Microsoft doesn't bother to encrypt the session containing your e-mail on Hotmail. That's bad for your privacy but great for our ability to check for viruses.

Viruses also have a nasty habit of coming back to bite you after you think you have cleaned them out. After our last .vbs infection, we cleaned all the Windows NT file servers, and yet the virus was still active. It had sneaked onto some OpenVMS Pathworks and Unix Samba file servers. It's very hard to get decent antivirus software for these operating systems because they rarely have viruses of their own.

Once all that was cleaned out, the virus was still hiding on our backup tapes. When we restored the files, we found ourselves introducing a threat back into the environment. The worst time to suffer a virus problem is when things are bad enough that you need to go to backups.

Any attempt to reduce the risk of viruses also decreases the ease and functionality for users. Luckily, hardly anyone uses .vbs files for business purposes within our company, so we have been able to disable the running of these files on desktops. This makes us immune to any variants of the Love Bug virus, but it doesn't mean we feel safe. So far, the viruses making global headlines haven't carried significant payloads, but everyone working in this field can imagine an Armageddon virus that would make the famous Morris worm look like a tempest in a teacup. Viruses have become a fact of modern computing life, and they don't look like they're going away anytime soon.

Do you have a trick that saved you from viral nightmares? I welcome your thoughts in the Security Manager's Journal forum.

Copyright © 2001 IDG Communications, Inc.
