Virus Databases
Virus Links
Virus Research

Guard Your System: Write a Policy that Works for You

Having escaped unscathed from Michelangelo, et al, sysops must guard against complacency as well as viruses

By Sarah Gordon
E-mail:[email protected]

This paper was first prepared for the November, 1995 issue of Government Computing News.
© Copyright 1996, Government Computing News


Don't be lulled into a false sense of security.

Remember the Michelangelo virus hysteria a few years back? It blew over with relatively few reported incidents, and users and managers have been leery of warnings of dire virus events ever since.

There is an element of "it will never happen to me," as well as doubt that the threat is real.

You should assume it will happen to you and that your shop needs an anti-virus policy. The goal of anti-virus software and an anti-virus policy is to minimize virus-induced loss of time and data.

As with almost everything else in computer security, the optimum position is neither complete security, nor zero, but a compromise - balancing the cost of a virus infection with the everyday degradation of system performance that countermeasures inevitably will cause.

Take the first Step

The first step toward developing a policy is to identify the solutions available to you and how they will fit in your working environment.

As computers become more and more interconnected, a network solution - one that automates virus scanning and closes one of the most dangerous infection channels for a virus - becomes more attractive. When creating your anti-virus defenses, make sure your solution can address the following points:

A software based scanner is not the only solution to the threat of viruses. In high-security environments, integrity checkers and hardware solutions are also worth considering.

Most problematic in selecting an anti-virus product is also the most important aspect of the software - its ability to detect real viruses - and this is not readily testable.

A common mistake made by those evaluating software is to use a "test collection" of viruses, either obtained on a CD-ROM or from the Internet. Although this might sound like a great idea, in practice it can lead to misleading or skewed results and often does not give a true measure of the product's effectiveness.

The reason? Many testing viruses are not viruses at all. Although there are several sources of viruses on the Internet that offer supposedly infected files for downloading, the quality of these collections is unknown. Often, the collection contains damaged replications, text files renamed to an executable extension, or files which a scanner has wrongly identified as a virus. The resulting detection scores will be questionable.

CD-ROM viruses

Leaving aside the ethical issues of buying virus collections on CD-ROM (buying viruses for testing could lead the way to more CD-ROMs full of viruses, which leads to the wider availablility of viruses and virus source code), there is the problem that every vendor has access to such a test set and to the exact structure of every file in its collection. Thus, although the vendor may tailor its product to detect a particular file, you have little guarantee that it will detect the cousins. This is particularly true of polymorphic viruses.

As you review and evaluate anti-virus software, it is important to put the threat in perspective. Although there are now 8,000 viruses for PCs alone, fewer than 300 are thought to be actively spreading "in the wild." It is useful to know that a scanner can perform well when tested from a large collection, but the critical information is whether the product can detect the 200 viruses that compose a real threat.

You Are Not Alone

Fortunately, help is at hand. The National Computer Security Association and the monthly Virus Bulletin conduct tests based on a collection of known active viruses.

Virus Bulletin offers in-depth reviews of products. The NCSA focuses on a formal certification standard that requires the product to detect 100 percent of the viruses known to be in the wild two months before the date of the test. With this informaton, you can determine if a product meets at least the minimum detection standard required by the agency.

Although the virus threat is growing and evolving, it is important to realize the problem is not insurmountable. By crafting a policy that is usable and understandable by your users, and choosing a product with the functionality for your job, you can reduce the risks.

Software can protect your computers. But it is up to you to implement the software to its maximum advantage.

About the Author

Sarah Gordon's work in various areas of IT Security can be found profiled in various publications including the New York Times, Computer Security Journal and Virus Bulletin. She is a frequent speaker at such diverse conferences as those sponsored by NSA/NIST/NCSC and DEFCON. Recently appointed to the Wildlist Board of Directors, she is actively involved in the development of anti-virus software test criteria and methods. She may be reached as [email protected]