3. Maximising antivirus protection


For a long time, it was believed that a good antivirus and a firewall were all that was needed to protect a network effectively. Of course, this is no longer true (see "Autopsy of a successful intrusion"), but we must not neglect an antivirus solution among the means of securing our network. It is important to know that antivirus software is not a panacea, and that it is easy for someone who understands how antivirus products work to circumvent one (which is why we are taking a multi-level approach), but it is even more important to know that, in order to be effective, the antivirus product has to be regularly updated and properly configured.

In most cases, the default installation is the norm, and this kind of configuration usually leaves holes in antivirus protection. We also sometimes see antivirus installed only on critical machines or servers, whereas each and every workstation on the network should be equipped with one, even if your mail server is already equipped with antivirus and content-filtering products. All that is needed to compromise the security of a network is a single vulnerable machine, so protection measures must be defined with this reality in mind.

To get maximum protection from your antivirus product, the chosen product must be able to scan files and programs in real time in memory as well as files residing on the hard disk. Practically all antivirus products offer this functionality nowadays. It is important to configure the antivirus product to scan every type of file, since it is very easy to camouflage a virus to look like an innocuous file (I Love You, Life Stages and Anna.Kournikova are good examples; see "Invisible file extensions on Windows" in Appendix A for more technical details on the possible ways to do this). With the processing power available in today's machines, there is no reason not to scan every file on a machine. You may have to make some exceptions, however, depending on your environment (for example, I exclude from scanning my big 1 Gig .pgd encrypted disk file). If the software lets you do so, you should also scan compressed files. And if the antivirus software offers a heuristic detection engine on top of signature matching, then you should enable that as well.
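As an added illustration (this is not code from the paper), the following Python check shows why "scan every type of file" matters: a name such as "photo.jpg.vbs" is displayed as "photo.jpg" when Windows hides known extensions, so a scanner that trusts the apparent extension never looks at the script. The check flags names whose real, final extension is executable while an earlier extension or a run of spaces makes it look harmless. The two extension sets and the sample names are assumptions chosen for the demonstration, not a complete catalogue; scanning policy should still cover every file, this only tells staff which names deserve a second look.

```python
"""Flag attachment or file names that disguise an executable as a document.

Added example, not code from the paper. The extension sets are assumptions
for the demonstration, not a complete catalogue.
"""

# Extensions Windows runs directly or hands to a script host (assumed set).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".shs",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Extensions a user reads as "just a picture or document" (assumed set).
BENIGN_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".bmp", ".doc", ".xls",
               ".pdf", ".mp3", ".htm", ".html"}


def classify_name(filename):
    """Return None if the name looks honest, otherwise a short reason string."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None                      # no extension at all
    final = "." + parts[-1].strip()
    if final not in EXECUTABLE_EXTS:
        return None                      # final extension is not executable
    # 'report     .exe': spaces push the real extension out of view
    if any(p != p.rstrip() for p in parts[:-1]):
        return "executable extension padded with whitespace"
    # 'photo.jpg.vbs' is displayed as 'photo.jpg' when extensions are hidden
    if any("." + p.strip() in BENIGN_EXTS for p in parts[1:-1]):
        return "executable extension hidden behind a document extension"
    return None                          # plain executable, scanned like any file


def review_names(filenames):
    """Map each suspicious name to its reason; honest names are left out."""
    flagged = {}
    for name in filenames:
        reason = classify_name(name)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample names for the demonstration
    sample = ["AnnaKournikova.jpg.vbs", "report     .exe", "setup.exe",
              "notes.txt", "archive.tar.gz"]
    for name, why in review_names(sample).items():
        print(f"{name!r}: {why}")
```

A plain "setup.exe" is deliberately not flagged: the name is honest, and the real-time scanner examines it like every other file. The check is meant to complement full scanning, not to replace it.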

So far in this chapter I have only spoken of options for protecting a machine against viruses, but what good is it to put protection measures in place if we are not in a position to evaluate their effectiveness? Once more, the default configuration is often in place, which means that in the best of cases the software will write its log files on the local hard drive on which it is installed. However, some products let you choose the destination of your log files, preferably on a central server (often a simple UNC path like \\centralserver\sharedfolder will work), so I strongly recommend using this functionality, as it will increase your staff's ability to understand and evaluate the scope of a virus infection when it happens, without having to hop from machine to machine to review log files. In a crisis situation, such a setup saves you time and gives you the global picture, which is essential while trying to stop the crisis. If the software also lets you send alerts by e-mail or pager, then this should be turned on. It will notify your staff as soon as an infection occurs, and from their desk they can easily check the centralized log files and make the call: simply an old virus that got cleaned on its way into the network, or a large-scale infection calling for more immediate action? However, some products do not let you change the log file destination, which means that good products may be overlooked simply because they lack this feature. To solve this, there is LogAgent, a program written in Perl that monitors log files for changes and forwards those changes to a central location as they occur.
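To make the forwarding mechanism concrete, here is an added Python sketch of a minimal log forwarder. It is not LogAgent's code nor any vendor's; it shows what such an agent has to do: remember how far each log file has been read, ship only the lines appended since the last poll, and tag every line with the originating host so the central file stays readable when dozens of workstations write to it. The log line format, the host name "WS-042" and the local "central" directory are constructed for the demonstration; in production the destination would be a share such as the UNC path mentioned above.

```python
"""Forward newly written antivirus log lines to a central location.

Added example, not the LogAgent program the paper mentions nor vendor code.
Paths, host name and the sample log format are constructed assumptions.
"""
import os
import socket
import tempfile


class LogForwarder:
    def __init__(self, central_dir, hostname=None):
        self.central_dir = central_dir
        self.hostname = hostname or socket.gethostname()
        self.offsets = {}   # log path -> number of bytes already forwarded

    def poll(self, log_path):
        """Forward lines appended to log_path since the last poll; return them."""
        start = self.offsets.get(log_path, 0)
        if os.path.getsize(log_path) < start:
            start = 0                    # log rotated or truncated: start over
        with open(log_path, "rb") as f:
            f.seek(start)
            data = f.read()
        # Keep a partially written trailing line for the next poll
        complete, sep, _rest = data.rpartition(b"\n")
        if not sep:
            return []
        self.offsets[log_path] = start + len(complete) + 1
        lines = complete.decode("utf-8", "replace").split("\n")
        os.makedirs(self.central_dir, exist_ok=True)
        dest = os.path.join(self.central_dir, self.hostname + ".log")
        with open(dest, "a", encoding="utf-8") as out:
            for line in lines:
                out.write(f"{self.hostname}\t{line}\n")   # host-tagged copy
        return lines


def infection_alerts(lines):
    """Pick out lines reporting a detection (constructed marker: 'VIRUS FOUND')."""
    return [line for line in lines if "VIRUS FOUND" in line.upper()]


def demo():
    """Run the forwarder against a constructed log in a temporary directory."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "avlog.txt")
    fwd = LogForwarder(os.path.join(work, "central"), hostname="WS-042")
    with open(log, "w", encoding="utf-8") as f:
        f.write("2001-06-01 09:00:01 Scan started\n")
        f.write("2001-06-01 09:00:07 VIRUS FOUND C:\\temp\\a.vbs\n")
        f.write("2001-06-01 09:00:08 Scan fini")      # line not yet complete
    first = fwd.poll(log)
    with open(log, "a", encoding="utf-8") as f:
        f.write("shed\n")                              # line completed later
    second = fwd.poll(log)
    with open(os.path.join(work, "central", "WS-042.log"), encoding="utf-8") as f:
        central = f.read().splitlines()
    return first, second, central


if __name__ == "__main__":
    first, second, central = demo()
    print("alerts:", infection_alerts(first))
    print("central file:", central)
```

Running the agent on a timer on each workstation and pointing central_dir at the shared folder gives the "one place to look" the paragraph argues for; the e-mail or pager alert is then a matter of feeding infection_alerts() into whatever notification channel the site already has.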

The last aspect to consider is the updating of the antivirus definition files the software uses to identify the viruses that could try to get onto your network. Because of the way signature matching works, if a virus signature is not included in the signature database, then chances are good that it will go undetected (heuristics try to solve this problem, but introduce the possibility of false alarms). Usually, the software will be configured to update once a month, fetching its files directly from the vendor's website. Depending on the level of paranoia in your company (and the rapidly growing rate of virulent activity), updates should be done daily or weekly, and they should be fetched from an internal server where the network administrator has previously put the up-to-date files. This prevents the network congestion that would occur if all your workstations connected to the vendor's website, which can be tricky during wide-scale virus attacks. I will cover later in this paper how to deploy your solutions, with your custom configuration, on your network.

One last word regarding virus protection: for the past 4 years or so, virus writers have primarily focused on exploiting flaws in one well-known piece of software in order to propagate their malicious code, namely Outlook (and its cousin, Outlook Express). This software, which features various functionalities such as e-mail, agenda, calendar and so on, sports multiple vulnerabilities, which makes it the number one choice for virus propagation. Before Outlook, it was considered impossible to get infected by a virus simply by reading e-mail; one had to open an attachment in order to be infected. Anyone claiming the opposite would quickly be made fun of and shown by his peers that he didn't grasp the mechanics of computer science. This is no longer true since the arrival of Outlook, because of these new functionalities (others would say vulnerabilities) that now make it possible.

It is very hard to secure Outlook so as to make it harmless, and on top of that, the default configuration (which is highly insecure) is the one most used in companies. For these reasons, many companies put several antivirus utilities in place at various points of the network architecture, but these utilities are for the most part useless against new, unknown threats. The analogy of a chain, where the weakest link is the one that gives way when the chain breaks, is often applied in the world of computer security. If you strengthen all the other links in your computer architecture (antivirus on servers and workstations, mail filtering, etc.) but keep the weakest link on your network (Outlook), then you can only be sure that the chain will break with yet another wave of Outlook viruses. I know that what I am saying here is not popular, but if you really want to make a big step forward in virus protection, ban Outlook and Outlook Express from your network (and I mean the clients here, not the Exchange server, which can be used with other mail clients).

I cover antivirus protection in more technical depth in the paper "Virus protection in a Microsoft Windows network, or How to stand a chance", which you will find in Appendix A.
