Managing security: Building a defence
By Stephen Withers, ZDNet Australia, June 12, 2002
URL: http://www.zdnet.com.au/news/business/soa/Managing-security-Building-a-defence/0,139023166,120265899,00.htm
The threat of viruses is constantly being hyped up with increasingly hysterical claims from vendors, but the proliferation of e-mail and the Internet has definitely been a boon for rapid virus distribution. Here we look at the issues presented by viruses, the deployment and ongoing management of antivirus tools, and the role of end-user education. Throughout this article we use the term "virus" in a generic sense that includes worms, Trojans, and any other malicious code.

Business issues

Jakub Kaminski, antivirus research manager at Computer Associates, points out that viruses can be expensive, not just because of the intended effects of their payloads, but because of the unintentional damage they cause, as well as the need to stop systems to check (and if necessary repair) them. Such downtime can be very costly.

Managing director of security software distributor Janteknology Glenn Miller was previously instrumental in setting up McAfee's Australian operation. "Meta Group estimates that public exposure of an IT security breach can shed, on average, 1.75 percent off a company's stock price within 48 hours, converting to hefty losses in real dollar terms," he says. "Thus, having a solid contingency plan to shore up intrusions has become as important as having a barrier to protect against them in the first place."

Even though there are products that are able to identify virus-like behaviour, antivirus software is not sufficient as it is essentially reactive. "Indeed, there are many more security vulnerabilities--holes--than there are viruses...multi-layered solutions are required," says Miller. This fact is not lost on antivirus vendors who, operating in an already mature market, are increasingly moving to become broader-based players. Symantec, for example, has bought a security company and is now selling hardware firewalls.
Meanwhile, McAfee has done a deal with eEye--the company that discovered the first Microsoft hole and developed Secure IIS in response--and is offering Secure IIS as a download from its US site.

Forrester Research interviewed 50 security managers at major organisations, and just over half said a one-day outage would "have a disastrous effect". It's not simply the operational problems, "the PR damage associated with an incident would be hard to recover from," said one manager. John Donovan, managing director of Symantec Australia and New Zealand, points out that outages are an especially serious issue for e-businesses, as they can suffer a major loss of brand equity as a result of a security-related outage.

Not only is downtime costly at an organisational level, it can mean a lot of unwanted extra work for IT staff. "It is estimated that the average server-based virus infection today requires 22 person days of recovery time," says John Biviano, ANZ country manager at Sybari Software, which develops Antigen antivirus software for Exchange and Domino.

While we generally think of viruses as having immediate and obvious effects, they can work in subtle ways that may not be apparent for some time. Brenton Foggo, senior systems specialist at Adelaide University's ITS department, warns that data corruption is an issue that sticks around for a long time after a virus outbreak.

Legal issues should also be considered. "A Trojan can allow a massive security breach and allow business information to be stolen and confidentiality to be breached, a serious concern in today's litigious environment," warns Biviano. Quite apart from any implicit or explicit expectation of confidentiality, Joel Montgomery, product marketing manager at Trend Micro, points out that it would be "a definite breach of the amended Privacy Act" if malicious code exposed supplier or customer records.
Donovan believes such issues have always been well understood in the financial sector, but the message is now spreading to other corporations and SMEs. And there's always the potential for downstream liability. Tim Smith, national business manager, security at Dimension Data Australia, spoke of the need to show due care and diligence by installing antivirus software and keeping it up to date in order to avoid the risk of claims from organisations that received infected documents from your systems. Antivirus "is not just an IT issue, it's a business issue," he says.
What are the options?

Antivirus measures can be taken at several levels within a network: on the desktop or notebook, on servers (especially mail servers), as a standalone gateway, or within a firewall. "File filtering and content management features act as a proactive guard against virus threats before scan engine data files are updated," says Biviano. "It is a good idea to block POP3 and IMAP4 access via the firewall," to prevent users from accessing external mail servers that might not be running antivirus software.

Chris Nixon, technology marketing manager at LAN Systems agrees. "There's a different virus for each type of traffic," he says, so Java, ActiveX and other content needs to be checked at the gateway. Although virtual private networks are put into place to increase security, careless implementation can open a window of vulnerability. If remote users have a dual-homing configuration (also known as split tunnelling), there is a risk that viruses can sneak around corporate defences. Antivirus and firewall software are therefore both needed on remote access computers, he advises.

"What if trusted traffic is carrying malicious content?" Blended threats such as Code Red and Nimda exploit multiple vulnerabilities and points of attack, and therefore antivirus software alone is not sufficient, says Symantec's Donovan. "That's a bit of a leap for most network managers," he says, but companies have seen a shift of interest from antivirus to integrated security systems.

"The blended threat was probably the most complicated thing for anyone to deal with," says Charlie Johnson, vice president of Symantec Security Services. This is largely because of a tendency towards silos of control within organisations--one group looks after the firewall, another cares for the mail servers, and yet another deals with desktop antivirus measures.
"Not a lot of [Symantec's] clients have integrated security response programs," he says, "you need an integrated solution to an integrated threat." Large organisations "are going to spend an ungodly amount of money" on security, predicts Johnson.

One technique to reduce the spread of viruses within a large network is to split the network into a number of virtual LANs. "Utilising VLANs then firewalling off these VLANs from other subnets can help prevent attacks from spreading from servers and PCs in different VLANs and subnets," says Foggo.

A relatively new vector for viruses is instant messaging, warns Smith. Some content filters are already available for instant messaging, and he expects to see such support in all major antivirus products shortly.

Viruses are generally regarded as a generic threat, but there is evidence that malicious code sometimes targets a particular organisation. One Australian online business claims to have lost over AU$375,000 in six months as a result of what Peter Lee, general manager of Brisbane-based security specialist ComSec Enterprises, described as a custom-written Trojan horse.

According to Lee, organisations can protect themselves from this kind of attack by using personal firewalls on desktop computers. Such software runs untrusted programs in a "sandbox" to ensure any malicious activity is identified and terminated before it can do any damage. "This new generation of product does not rely on databases of known viruses," he says. "Any computer that is connected to the Internet is at risk," Lee adds. "Trojans can be hidden in Java, ActiveX, and all manner of Internet based program code. The days where you needed to receive an infected file are long gone. Viruses, worms, and Trojans are delivered using very sophisticated methods. For this reason alone, it is critical that organisations don't rely on just virus scanning and firewalls."
"The hacker's counting on somebody not doing their job," says Johnson, pointing out that Nimda exploited a vulnerability for which a patch had been released 18 months earlier.

Not all platforms are equally prone to viruses. For example, AAPT uses Novell GroupWise rather than Microsoft Exchange. Todd Hull, manager of IT platform support, suggests this has reduced the number of viruses that can affect the company. While it seems clear that the widespread use of Microsoft products attracts virus writers, vulnerabilities in other platforms have also been exploited.

E-mail viruses

CA's Kaminski observes that around ten years ago it was possible to protect against viruses simply by scanning floppy disks, so all you needed to do was put a PC with antivirus software near the door and require everyone to scan the disks they brought into the building. However, as networking became widespread, the number of entry points widened. Just being connected to the Internet was enough to allow the recent Nimda virus to attack a vulnerable system.

Although many recent viruses have been spread by e-mail, scanning e-mails and attachments is not a sufficient defence against viruses. You also need to scan code immediately before it is executed, and to scan files before they are closed. It's not enough to rely on one line of defence: "think about total security" is Kaminski's advice, which includes checking for viruses, controlling access to systems, ensuring compliance with security policies, and detecting intrusions.

Or you can take an appliance-style approach. WebShield for Nokia Appliance is "a gateway solution," says Vic Whitely, Nokia Internet Communications' general manager in Australia and New Zealand. He argues that over 90 percent of viruses are carried by e-mail, so it makes sense to detect them at the edge of the network.
Using a separate device avoids adding to the load on already heavily used mail servers and avoids instability resulting from running a third-party scanner alongside the mail server software. Furthermore, moving the scanning process away from users minimises the risk that someone will accidentally or deliberately disable the protection. Nokia Appliances can be installed in pairs for fault tolerance, and the company claims that in this configuration failover occurs so quickly that no packets are dropped.

Sybari Software thinks e-mail viruses are even more common. Biviano says around 95 percent of viruses enter an environment via e-mail, so "the focus of virus protection should be at the e-mail server."

"We still recommend you have antivirus software on the desktop," Whitely says, because a layered approach is needed for adequate protection, such as against the minority of viruses that arrive on physical media. Biviano concurs: "Best practice protection involves protecting all points in the food chain: firewall, e-mail, server, and desktop."

Trend Micro sees desktop software as a "last line of defence" against e-mail viruses. Gateway protection can filter out infected e-mails before they reach the mail server, which is especially important when dealing with a mass-mailing virus. Such filtering should be used in conjunction with a mail server scanner to detect viruses in internal e-mails as well as those lying dormant in old messages, Montgomery recommends. He points out that it is usually best for an antivirus product to completely delete mass-mailing viruses, because there is no benefit in trying to disinfect or quarantine such messages as you would a Microsoft Office document that had been infected with a macro virus.

Scanning only mail traffic is also not enough, says Network Associates' Bell. Some gateways scan SMTP traffic only, or perhaps SMTP and FTP, he claims.
HTTP, SMTP, POP3, and FTP can all be exploited, and his company's E250 and E500 gateway appliances cover all four.

Symantec's new Gateway Security Appliances provide antivirus protection, firewall, intrusion detection and VPN functionality in one box. The three models are intended for 50 to 1000-node installations, and multiple units can be used in combination to provide load balancing or to protect remote offices while retaining the advantage of single console management.

While you want to catch viruses as close as possible to the fringe of your network, timing issues underscore the need for multiple layers of protection. "Occasionally the firewall or mail gateway will let a new unidentified virus through to the users, because the virus signature database is not yet updated with information on the new virus threat. In this instance, when the workstations receive their virus signature database update they will then be able to detect the virus," says Antony Steele, senior system engineer at Open Systems.

"An example is where a virus-infected e-mail is received by a corporation's mail gateway at 3am. The users' virus signature database is updated with new signatures at 5am, and the user reads the e-mail message sometime after 8am. The infected e-mail may have got through the mail gateway, but as the user tries to launch the infected attachment at their PC the virus is detected and prevented from running."
Deployment and management

Deploying an antivirus product is "one huge problem" according to Eugene Dozortsev, assistant vice president of R&D at Computer Associates (CA), who added, not surprisingly, "we believe we have solved these issues".

There are four aspects to the problem. Firstly, antivirus software works at a very low level and often needs administrative privileges. Secondly, systems managers need a way of checking that the software hasn't been disabled by users hoping to "speed things up a little bit". Thirdly, antivirus updates must be applied regularly, but large installations face bandwidth issues if all users try to download the updates directly from the vendor. Finally, the antivirus software itself will require upgrading from time to time, and this presents the same problems as the initial installation.

CA circumvents these problems by designing its eTrust Antivirus products for large corporate environments. One of its customers--Microsoft--has a network of around 140,000 desktop PCs, according to Dozortsev.

The basic approach is to have a master server that is capable of automatically discovering the entire corporate network and installing a software agent on each computer. This step requires a one-time grant of administrative access to each of the client systems, but that can be revoked as soon as the agent is installed. The eTrust Antivirus server can then push the antivirus software and any future update or upgrade files to individual PCs without human intervention. Client settings are password protected, and the Policy Compliance Monitor can raise an alert if they are changed, or propagate new settings across the network. "We can create separate policies with arbitrary granularity," says Dozortsev. Policies can be applied to individual users or systems, or to groups or departments with drag-and-drop ease.
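The second of the four problems above, noticing when a user has quietly disabled the scanner, is what a policy compliance monitor exists to catch. The following Python is an added example written for this article, not CA's eTrust code: each agent reports its settings, the monitor compares every report with the policy that was pushed, and a host that sends no report at all is flagged too, since a removed agent looks exactly like silence. The policy values, host names and status reports are all constructed for the example.

```python
"""Policy compliance check over antivirus agent status reports (added example)."""
from datetime import date

# Date the audit runs; constructed so the definition-age check is reproducible.
REPORT_DATE = date(2002, 6, 12)

# Policy the management server pushed to every client (constructed values).
POLICY = {
    "realtime_scan": True,          # on-access scanning must stay enabled
    "scan_on_close": True,          # files are scanned before they are closed
    "min_engine_version": (7, 1),   # oldest scan engine still acceptable
    "max_definition_age_days": 3,   # definitions older than this are stale
}

# Hosts the inventory says should be reporting (constructed).
EXPECTED_HOSTS = {"pc-0017", "pc-0042", "pc-0099", "pc-0123"}

# Status reports as the agents sent them back (constructed sample data).
CLIENT_REPORTS = [
    {"host": "pc-0017", "realtime_scan": True, "scan_on_close": True,
     "engine_version": (7, 1), "definitions_date": "2002-06-11"},
    {"host": "pc-0042", "realtime_scan": False, "scan_on_close": True,
     "engine_version": (7, 1), "definitions_date": "2002-06-11"},
    {"host": "pc-0099", "realtime_scan": True, "scan_on_close": True,
     "engine_version": (7, 0), "definitions_date": "2002-05-30"},
    # pc-0123 is in the inventory but sent nothing: agent removed or host offline.
]


def check_client(report, policy, today):
    """Return the policy violations for one client; an empty list means compliant."""
    findings = []
    for key in ("realtime_scan", "scan_on_close"):
        if report.get(key) != policy[key]:
            findings.append(f"{key} is {report.get(key)}, policy requires {policy[key]}")
    engine = tuple(report["engine_version"])
    if engine < policy["min_engine_version"]:
        findings.append(f"engine {engine} is below minimum {policy['min_engine_version']}")
    age_days = (today - date.fromisoformat(report["definitions_date"])).days
    if age_days > policy["max_definition_age_days"]:
        findings.append(f"definitions are {age_days} days old "
                        f"(limit {policy['max_definition_age_days']})")
    return findings


def audit(reports, expected_hosts, policy=POLICY, today=REPORT_DATE):
    """Map host -> violations for every host that drifted from policy or went silent."""
    alerts = {}
    for report in reports:
        findings = check_client(report, policy, today)
        if findings:
            alerts[report["host"]] = findings
    for host in sorted(expected_hosts - {r["host"] for r in reports}):
        alerts[host] = ["no status report received"]
    return alerts


if __name__ == "__main__":
    for host, findings in audit(CLIENT_REPORTS, EXPECTED_HOSTS).items():
        print(host, "->", "; ".join(findings))
```

The definition-age check is the one most worth tuning: the limit should be a little longer than the update cadence the organisation actually achieves, or the monitor will alert on every host every morning and the alerts will be ignored.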
Although IT professionals are aware of the importance of keeping antivirus software up to date, it is also important for vendors to make ongoing management as quick and easy as possible. Otherwise, there is a risk of infection occurring between the release of an update and its application to every PC within the organisation.

For example, AAPT suffered a major Nimda infection because the antivirus update process was too time-consuming to carry out on a regular basis. Senior technical specialist Jan Chrbolka says this was one reason why the company switched to Sophos antivirus products. Now, updates are handled automatically through a multi-stage process: an antivirus server collects updates from Sophos via the Internet and distributes them to file servers around the company. Then the antivirus software on each PC regularly polls its local server and pulls down any new updates. Although some customisation was required, the setup process was "quite painless" according to Chrbolka.

Network Associates' McAfee operation has come up with an interesting variation on this theme using peer-to-peer technology for its managed antivirus service. When the client starts up, it polls a McAfee server to find out whether the definition file is still current. If not, it tries to obtain the new file from another PC on the same LAN, and only if that fails does it download the update from McAfee.

While the initial installation and update distribution can be handled by the same software (as in the case of CA's product), this is not essential. AAPT uses Novell ZENworks for the remote installation of new software coupled with the update-distribution feature built into Sophos. Similarly, Antigen has its own centralised deployment and management features, but it can also be managed from NetIQ Security Manager, Biviano says.
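Both schemes just described, Sophos's staged distribution through local file servers and McAfee's LAN-peer fallback, follow the same shape: ask the vendor which definition version is current, fetch it from the nearest local source that has it, and only then go back to the vendor. The Python below is an added example, not Sophos's or McAfee's code, that models that sequence. One thing it adds that the article does not mention, and which is labelled as an assumption here, is a digest check: a client should install a file obtained from a peer or local server only if its SHA-256 matches the vendor's signed manifest, because otherwise any machine on the LAN could hand out a tampered definition set. Version numbers, host names and file contents are constructed.

```python
"""Staged antivirus definition update with local-source fallback (added example)."""
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 of a definition file, as the vendor's manifest would publish it."""
    return hashlib.sha256(data).hexdigest()


# Constructed vendor state: the manifest is small and is what the client polls;
# the definition file itself is what everyone tries to avoid downloading twice.
VENDOR_DEFINITIONS = b"DAT 4207: constructed stand-in for a definition file"
VENDOR_MANIFEST = {"version": 4207, "sha256": digest(VENDOR_DEFINITIONS)}


def vendor_download() -> bytes:
    """The slow path: fetch the file from the vendor over the Internet."""
    return VENDOR_DEFINITIONS


class Agent:
    """An antivirus agent on one PC or local file server."""

    def __init__(self, name, version, definitions=None):
        self.name = name
        self.version = version            # definition version currently installed
        self.definitions = definitions    # the file itself, if present

    def serve(self, version):
        """Hand out our copy only if it is exactly the version being asked for."""
        return self.definitions if self.version == version else None


def update(agent, manifest, local_sources, download=vendor_download):
    """Bring one agent up to the manifest version.

    Returns the source used ("peer:<name>" or "vendor"), or None when the agent
    was already current. Local sources are tried in order; a copy whose digest
    does not match the manifest is skipped, never installed.
    """
    if agent.version >= manifest["version"]:
        return None
    for source in local_sources:
        data = source.serve(manifest["version"])
        if data is None:
            continue                                   # stale or absent
        if digest(data) != manifest["sha256"]:
            continue                                   # corrupt or tampered copy
        agent.version, agent.definitions = manifest["version"], data
        return "peer:" + source.name
    data = download()
    if digest(data) != manifest["sha256"]:
        raise RuntimeError("vendor download does not match manifest")
    agent.version, agent.definitions = manifest["version"], data
    return "vendor"


def demo():
    """Three clients, three outcomes: verified peer, vendor fallback, already current."""
    good_peer = Agent("fs-melbourne", 4207, VENDOR_DEFINITIONS)
    stale_peer = Agent("pc-0002", 4206, b"DAT 4206 (constructed)")
    bad_peer = Agent("pc-0003", 4207, b"DAT 4207 but altered (constructed)")
    first, second, third = Agent("pc-0010", 4206), Agent("pc-0011", 4206), Agent("pc-0012", 4207)
    return [
        update(first, VENDOR_MANIFEST, [stale_peer, bad_peer, good_peer]),
        update(second, VENDOR_MANIFEST, [stale_peer, bad_peer]),
        update(third, VENDOR_MANIFEST, [good_peer]),
    ]


if __name__ == "__main__":
    print(demo())
```

In the first case the altered copy on pc-0003 is rejected and the file comes from the local server; in the second no trustworthy local copy exists, so the client falls back to the vendor; the third client never downloads anything.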
Getting the right information

NetIQ, Microsoft, and Compaq recently hosted a series of conferences throughout Australia and New Zealand on Windows security. 220 companies attended, of which 98 percent use antivirus software, 73 percent firewalls and 43 percent security policy configuration. 54 percent reported using three or more security tools.

Michael Mychalczuk, security manager at NetIQ, suggests organisations will get the most from their security tools by installing a management cockpit--security management software that lets administrators manage the various tools from a central point. "Maintaining a secure infrastructure requires managing multiple security programs across numerous platforms. Without an efficient security management tool, the various products are typically unable to share information, representing a costly, inefficient and insecure way of protecting a company's assets," says Mychalczuk. NetIQ's Security Manager for Anti-Virus integrates with Network Associates (McAfee), Symantec (Norton) and Trend Micro products to provide administrators with real-time notification of a virus attack and the status of the distributed antivirus software.

While Symantec's LiveUpdate service (which delivers software updates as well as new virus definition files and firewall rules) is designed to scale from the smallest to the largest installations, it also works with enterprise management tools such as those from Hewlett-Packard, IBM, and CA, Donovan says.

Trend Micro isn't too keen on third party management products. "It is difficult to develop a third-party product for managing antivirus, because AV is a constantly evolving industry and AV vendors are yet to standardise interfaces for central control. This is a reason why AV vendors cannot yet effectively manage competitive products--it's just too hard," says Montgomery. But satisfactory central consoles do exist, he says.
Features to look for include a secure, browser based interface ("so an administrator can manage a virus outbreak from home in the event of a 3am wake-up call"), platform independence, and the ability to manage all antivirus products across the network. McAfee's ePolicy Orchestrator handles the deployment and ongoing management of the company's security software, and is highly scalable, according to senior marketing manager Allan Bell: "from one server, you can manage 250,000 machines." It can also be used to manage Symantec's desktop products, which is an advantage following a merger between two companies using different software, he adds.

Nokia's approach dramatically reduces the maintenance load on IT staff, Whitely suggests. WebShield for Nokia Appliance is based on McAfee software, and automatically downloads any updates as long as a software subscription agreement is in place. "You don't have to touch it," he says. But when configuration changes are needed, that can be done remotely with the aid of Nokia's Voyager Web-based management tool.

Protection alone isn't sufficient, because a new virus may hit you before your antivirus vendor releases an update. Tony Liddy, managing director of Elantra (a value-added distributor focusing on business continuity and data protection), says organisations also need "tried and tested recovery solutions." For desktop systems, this means a backup system such as Connected TLM that allows rollback to a "known good" state. "At the server, timeliness is critical and a good disaster recovery strategy must be in place with critical data being at least replicated to an alternative location. Smart intrusion detection and management systems should also be employed to minimise server attacks and ensure patch updates are current," he says.

Some antivirus vendors are taking steps to reduce the window of vulnerability between the release of a virus and the corresponding pattern file update.
For some time, antivirus software has had the ability to warn of virus-like behaviour. However, this doesn't help when you are trying to detect viruses at a gateway or server because the code isn't being executed. Trend Micro's SMTP scanner uses rules as an interim measure. The company's server can be polled for new rules at intervals as short as every 15 minutes. For example, a rule might block any messages with a particular subject and body text that also have an attachment of a certain name. The company can provide new rules more quickly than new pattern files. "The Outbreak Prevention Policy is the first indication of a new generation of antivirus whereby antivirus vendors will contribute to an organisation's antivirus policies and strategies, rather than providing technology alone," says Montgomery.

While a lot of work is being done to automate the process of maintaining antivirus software, some companies take extra effort to ensure administrators are advised of threats. One example is F-Secure's Radar subscription service that can use different notification methods including SMS, e-mail, fax, or phone according to the severity of the threat, the time of day and the day of the week.

Some people suggest using a mix of products from different vendors for best protection. "It is very important that there is no single point of failure in the IT environment," observes Biviano. "Antigen employs multiple scan engine technology using the highest performance engines at the e-mail server to provide maximum protection." Or as Smith puts it, "there's merit in having more than one vendor involved" by using one product at the gateway and another for individual PCs. Biviano adds: "Using a suite approach--using a single antivirus vendor for protection at all points--is a common approach that is seen as cost effective, but very often costs business far more as it is a single point of failure. Suite products rely on the same virus definition files to protect all points of entry."

That's not strictly true--Dozortsev pointed out that CA has avoided putting all its customers' eggs in one basket by acquiring two antivirus product teams (Australia's Vet and Israel's iRiS) and maintaining them as two separate operations. CA customers can mix and match antivirus engines, for example using iRiS on servers and Vet on desktops, yet control them through a single management interface. It is even possible to hot-swap the engine running on a particular system without requiring a reboot.

Smith also observed that some organisations choose to outsource the management of their gateways, "typically tied in with that [outsourcer] managing intrusion detection and firewalls," partly because they regard it as a specialist matter and partly as a matter of risk transference. McAfee recently published the results of a March 2002 survey carried out in the UK by Vanson Bourne, which found that although 82 percent of companies had suffered a virus attack in the last 12 months and 35 percent had suffered virus-induced downtime, 92 percent of IT managers still believed they had sufficient resources to manage security. Bell suggested that IT managers gain kudos from projects that contribute directly to the bottom line, whereas senior management only notices antivirus measures when they fail--so it makes sense to outsource antivirus efforts (for example, with McAfee's ASaP Online Services which provide managed security services covering antivirus, firewall and other filtering technologies), and get better protection at a reduced total cost, while concentrating in-house resources on more visible and productive projects.

Biviano points out that it is difficult to ensure antivirus software on notebook computers is kept up to date if they aren't connected to the corporate network for an extended period. "By protecting all the other points of entry into a network, keeping notebooks and desktops up to date is slightly less critical," he says. According to Foggo, Adelaide University uses a Symantec tool that packages the latest updates and distributes the result by e-mail. "That's a good method to keep mobile users updated," he says. In any case, when notebooks are reconnected to the network the antivirus software is automatically updated.

"Integration [of antivirus software] into the main security suite has become one of the main issues," says LAN Systems' Nixon. Buyers are starting to look for a single product to take care of all their security requirements, or at least a "one-screen view" of security. LAN Systems is aligned with OpSec, one of the biggest security partnerships. Over 300 partners provide tools that fill different parts of the security picture and integrate together, he says.
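The outbreak-prevention rules Montgomery describes earlier in this section are worth seeing concretely, because they are what closes the gap between a new mass-mailer appearing and the pattern file that detects it. The Python below is an added example written for this article, not Trend Micro's code: each rule lists a subject substring, a body substring and an attachment name, every listed condition must hold before the rule fires, and the action is either delete (the right choice for a mass-mailer, as Montgomery notes above) or quarantine. The second rule generalises the .exe and .vbs attachment blocking that Bell recommends in the Education section. The rules, addresses and messages are constructed for the example; a real gateway would receive the rule feed from its vendor on the polling interval the article mentions.

```python
"""Rule-based SMTP gateway filter for the interval before a pattern-file update (added example)."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed rules. Keys present in a rule are the conditions that must all match.
RULES = [
    {"name": "constructed-outbreak-rule", "subject": "take a look",
     "body": "attached", "attachment": "readme.exe", "action": "delete"},
    {"name": "executable-attachment", "attachment_re": r"\.(exe|vbs|scr|pif)$",
     "action": "quarantine"},
]


def make_message(subject, body, attachment=None):
    """Build a raw RFC 822 message (constructed sample) as the gateway would receive it."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ constructed bytes, not a real program",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()


def rule_matches(rule, msg):
    """True when every condition named in the rule is satisfied by the message."""
    subject = (msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    checks = {
        "subject": lambda v: v.lower() in subject,
        "body": lambda v: v.lower() in body,
        "attachment": lambda v: v.lower() in names,
        "attachment_re": lambda v: any(re.search(v, n) for n in names),
    }
    conditions = [key for key in checks if key in rule]
    # A rule with no conditions would match everything; treat it as inert.
    return bool(conditions) and all(checks[key](rule[key]) for key in conditions)


def filter_raw(raw, rules=RULES):
    """Return (action, rule_name) for a raw message: delete, quarantine or deliver."""
    msg = message_from_string(raw, policy=default)
    for rule in rules:
        if rule_matches(rule, msg):
            return rule["action"], rule["name"]
    return "deliver", None


if __name__ == "__main__":
    samples = [
        make_message("Take a look at this", "I found this attached, enjoy", "readme.exe"),
        make_message("Quarterly figures", "See attached", "budget.vbs"),
        make_message("Take a look at this", "Photo attached", "photo.jpg"),
        make_message("Lunch?", "Noon?"),
    ]
    for raw in samples:
        print(filter_raw(raw))
```

Two design points follow from the article: the outbreak rule is deliberately narrow (all three conditions), because it is a stopgap that will be superseded by a signature within hours and false positives on legitimate mail are expensive; the extension rule is deliberately broad and only quarantines, so that a mis-blocked legitimate file can be released.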
Education

"[Antivirus] education has to be part of the induction process," says Dozortsev. It should include information about what staff should do in the event of a suspected virus incident. This includes reporting the incident to the appropriate person in an organisation. Staff must be reassured that they won't get into trouble if they report a virus, emphasised Kaminski. Training should also cover what not to do--reformatting a hard disk in a panic might make matters worse.

AAPT includes such training in staff induction, says Hull. A recent reorganisation has expanded his responsibilities, and he plans to review ongoing training requirements in this area once a security review is complete.

"Educating staff is not an event, but rather an ongoing process," says Miller. "First up, companies need a well articulated communications plan or policy. This needs to be constantly reinforced via company newsletters, meetings [etc]. Companies also need to be vigilant: if breaches are found, they need to be dealt with quickly."

LAN Systems' Nixon takes the view that "the less involvement [users] have, the better". He advocates gateway-based protection coupled with locked-down antivirus software on the desktop, so user education can be kept simple. As Cameron MacDonald, Microsoft Exchange administrator at AC Nielsen Australia puts it, "Education is important but enforced policies are more practical."

However, Nixon recommends teaching users about virus hoaxes to avoid the loss of productivity caused by passing on bogus warnings. Even warnings about genuine viruses can be a time-waster. "All the time e-mail is sent to thousands of people warning them about the latest dangerous virus and [asking them] to pass the message onto everybody they know. They think they are doing the right thing by doing this, but indirectly they are the virus," says MacDonald.
Donovan says user education should relate to corporate policies such as using complex passwords (and not putting them on sticky notes attached to the monitor!), and not opening attachments unless they are from trusted sources--though "users in Australia are a lot smarter than they used to be," he says. Recent e-mail viruses haven't spread much in Australia, but it's important to keep driving the point home to users.

Smith suggests antivirus issues should be part of general security awareness training. If users understand why security is important and how antivirus measures fit in, they are less likely to try to bypass them. He also recommends that acceptable use policies should prohibit the deliberate release of a virus.

Organisations should also investigate the possibility of extending their antivirus licences to cover employees' home computers. This may be possible at low cost or even free of charge. "The more space you cover with antivirus, the safer you are," says Kaminski.

One of the advantages claimed for server or gateway-based scanning is that it prevents viruses from reaching users' PCs, so there is less need for training. "Some of the most successful [e-mail viruses] use innocuous messages such as 'Take a look at this'," says Bell, and since the message comes from someone known to the recipient (because the virus got their address from someone else's address book), they are likely to open it. Blocking certain attachments, especially .exe and .vbs files "won't stop everything, but will ease your pain," he says.

"You can continually educate people about viruses but it can be difficult to get them to take notice, or to consider their actions prior to opening an attachment. Antivirus protection is needed at all points in the food chain. It is far more expensive to clean up after a destructive virus than to protect against them in the first place," says Biviano.

Final word

Buying antivirus software "is just the start of the journey," warns Dozortsev.
He likens the packages to a bulletproof vest: valuable protection, but it won't stop you getting shot in the head. Constant vigilance is needed in keeping your antivirus and other security software up to date and in applying security-related patches to operating system components and applications to deal with the latest exploits.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.