2. The obvious


In this section, I will cover the *really obvious* things you should do if you're serious about virus scanning.

First, if you have to administer a site and want to stand a chance at protecting it, read. Read about new virus outbreaks as soon as they get out, learn the different methods they use to propagate, know the difference between a virus, a worm and a trojan, and learn why some malicious code can belong to more than one of these categories, ... Mailing lists are a good idea.

Second, give yourself a chance, DON'T USE Outlook or Outlook Express if you can avoid it. No personal anti-Microsoft feeling here, but get real! For the past year or so, most new viruses worth mentioning (Melissa, I Love You and variants...) use flaws present in this software. They all use the same method of picking addresses from Outlook address books, auto-launching other programs, and stuff like that. By using software other than Outlook, you already have better protection against these kinds of viruses, even if you do not use virus scanners at all! Of course, it would not be a good idea to rely only on this. But it works. Remember Worm.Explore.Zip? It became famous for being quite fast spreading and destructive. It replicated by sending itself using Outlook, Outlook Express and Exchange, installed itself in the Windows directory, and destroyed files dear to both management and software development staff. I had to deal with Worm.Explore.Zip. I was saved *only* because we were using a combination of Lotus Notes and Netscape, and no Outlook at all. It infected only one machine, proving to be a dead end (well, almost, more on that later). I wonder why companies using Microsoft mail clients bother to run a firewall at all; they have a big hole on ports 25 and 110 (SMTP and POP3 protocols, in case you're wondering).

Third, to be effective, virus scanners have to be updated. If you don't take care of it, nobody will. (And especially not your users.)

Fourth, whenever you try new versions of software, or new ways to do things remotely, test it before deploying it. I know this sounds obvious (which is why I discuss it here), but I have seen too many software deployment projects go ka-boom because of poor testing. It is easier to correct a mistake or a flaw on the original before deployment than to correct it manually on each machine afterwards (you can easily put yourself in deep shit remotely, but most of the time you have to dig out of it locally) :-)

Fifth, if you install software or updates remotely, let your users know it. You don't want to be running updates during lunchtime and have zealous (but not very computer-literate) users noticing unknown activity on their machines and trying to prevent what appears to them to be a virus infection. Let them know about serious threats (only the really serious ones, because if you put notices up too often, people stop reading them, which defeats the purpose). Also, make clear once in a while what precautions are taken at the site to prevent virus infections, what they should do if they think they are infected with a virus (-->you want them to call you!), and what your policies are about how virus-related information and virus alerts should be handled at your site (-->all hoaxes should be sent to you, and *only* to you, for your evaluation/authentication of the so-called alert). There again, once in a while, but not too often. Too much information is the same as no information.

Sixth, knit your network tightly. At least the part you have control over, the one that is relevant to virus infections. That means knowing what's installed on your users' PCs. Make restrictions about desktop modifications but don't be too harsh, because people will go against them anyway. Let people change their bitmaps and the colors if they want, but make it clear that no custom screen saver or non-approved software should be installed on their machines. You don't need to implement restrictive schemes with the policy editor to achieve this; simply make a clear policy that absolutely NO support will be provided by the techs if such software or a screen saver is found on a machine, whether or not the problem is caused by that software/screen saver. That should scare enough people that they won't try anything too fancy, and the power users will have found a way to do it anyway, so when they get stuck, you let them deal with the brown stuff. (I hate these super users, they are the worst. They actually know enough about technology not to be impressed by it, but they have the astounding ability to make just one "enhancement" too many and completely screw up a system.) Make sure that everyone who logs in automatically gets a login script, and make sure that you follow some standards in your login scripts so they are easy to manage (if you want a batch to run, make a single batch file and call it from the login scripts; don't put the batch commands in the scripts themselves).

Seventh, know your virus scanning software. Know what options are available, how they work, and compare it from time to time with competitors' software to see if one implements better detection schemes than the other. You have to take the edge if you want to stay ahead. Also analyze where your software installs itself, and what files or registry entries control what settings... Know your software inside out.

And of course, scan everything. You can never be too careful (in college, there were only two times that I encountered a virus on college computers, and these were the only two times that I thought I didn't have time to scan the machine first, and I lost files on both occasions; Murphy's law in action), and with the processing power at hand these days, there's no reason to limit scanning to certain file types. Next thing you know, a new type of virus will propagate in .XYZ files by some stealth process changing the file's extension to .exe prior to execution. And when I say scan everything, I also mean scan your file servers (daily, system AND data), scan all mail at the server level if you can, and get all your stations updated and scanned entirely at regular intervals (a weekly basis seems reasonable). Also use live (on-access) scanning software; it will prevent machines from being infected at all rather than just detecting the infection afterwards.
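The sixth and eighth points above (one central batch file that every login script calls, scanners kept up to date, every station scanned entirely once a week) fit together in a single server-side batch. The one below is an added example written for this page, not code from the original article. Everything in it is an assumption: the server share is mapped to S: by the login script, which also sets USERNAME (Novell and NT do this, Windows 95 alone does not); the admin edits the two one-line stamp files S:\AV\DEFSVER.BAT and S:\AV\WEEKVER.BAT when new definitions are posted or a new weekly scan is due; and SCANNER.EXE with its /UPDATE and /FULL switches stands in for whatever product you actually run, whose real command line you have to look up. The stamps are batch files holding a single SET line (for example `SET SRVDEFS=20000612`) because comparing two environment variables works on plain MS-DOS/Windows 9x batch, with no dependence on FC or COMP setting an errorlevel.

```batch
@ECHO OFF
REM AVCHECK.BAT  (added example, not from the original page)
REM Every login script holds only one line:   CALL S:\LOGIN\AVCHECK.BAT
REM so a change is made once, here on the server, never on each machine.
REM Hypothetical names: S: share, USERNAME set by the login script,
REM SCANNER.EXE /UPDATE and /FULL standing in for your real scanner.

IF NOT EXIST C:\AV\NUL MD C:\AV

REM ---- 1. Definitions: update only when the server stamp has changed ----
SET SRVDEFS=
IF EXIST C:\AV\DEFSVER.BAT CALL C:\AV\DEFSVER.BAT
SET LOCDEFS=%SRVDEFS%
CALL S:\AV\DEFSVER.BAT
IF "%SRVDEFS%"=="%LOCDEFS%" GOTO WEEKLY
REM Tell the user (point five): unknown disk activity looks like a virus.
ECHO IT support is updating the virus definitions, please wait...
S:\AV\SCANNER.EXE /UPDATE S:\AV\DEFS
IF ERRORLEVEL 1 GOTO UPDFAIL
REM Only a successful update copies the stamp down; a failed one retries
REM at the next login and leaves a trace in the server log for you.
COPY S:\AV\DEFSVER.BAT C:\AV\DEFSVER.BAT > NUL
GOTO WEEKLY
:UPDFAIL
ECHO %USERNAME% definition update %SRVDEFS% FAILED >> S:\LOG\AVFAIL.LOG

REM ---- 2. Full scan of the whole machine, once per weekly stamp ----
:WEEKLY
SET SRVWEEK=
IF EXIST C:\AV\WEEKVER.BAT CALL C:\AV\WEEKVER.BAT
SET LOCWEEK=%SRVWEEK%
CALL S:\AV\WEEKVER.BAT
IF "%SRVWEEK%"=="%LOCWEEK%" GOTO DONE
ECHO Weekly full virus scan starting, you can keep working.
S:\AV\SCANNER.EXE /FULL C:\ > C:\AV\LASTSCAN.LOG
REM Assumed: a non-zero errorlevel means the scanner found something,
REM so the station name lands in a log you read, not the user's screen.
IF ERRORLEVEL 1 ECHO %USERNAME% scan %SRVWEEK% found something >> S:\LOG\AVFOUND.LOG
COPY S:\AV\WEEKVER.BAT C:\AV\WEEKVER.BAT > NUL

:DONE
REM Free the environment space; DOS boxes do not have much of it.
SET SRVDEFS=
SET LOCDEFS=
SET SRVWEEK=
SET LOCWEEK=
```

Bumping the value in S:\AV\WEEKVER.BAT is the whole "weekly" mechanism: each station scans itself on the first login after the bump, so machines that were off that day catch up on their own, and the two logs in S:\LOG show you which stations never reported. Test it on one machine before pointing all the login scripts at it, as point four says.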

I could also add... Know your users, and their machines. I know this isn't something that is easy to do in some corporate environments, just because of the way computer support is dealt with. Some guys on the servers, changing passwords and restoring files from the backup tapes. Inexperienced tech support people who answer calls from a remote site, some guys knowing only about the e-mail system, some others knowing only about in-house apps, and on-site people always on the go fixing this and that. But if you can actually land in a place where you get to do both support and server admin, don't disregard it. I know that to some (especially developers), desktop support isn't very glamorous in the computing jet set, but you get to be in the front seats of your network. You never know what you might learn while you're answering a support call, or just by chatting with a usually-happy-with-your-services user. You get to see the new junk such as Internet newstickers with push technology and the like while only a few people have them. That gives you the chance to get the thingy, try it, evaluate its impact on network traffic, Windows stability (yes, Windows 95 CAN be stable, but you have to be careful with it) and security, and turn around with a policy against the use of the thingy (unless it proves to be quite a useful piece of software) before it becomes widespread in your PC base. Being on the floor for some periods of time also serves you (not necessarily that much if your systems are knit tight), and you never know when you might come across some unknown guy in a suit using someone else's PC.

Oh! And one more thing that can never be said too much: use your head! And learn about batch files, it's a lifesaver...
Hosted by www.Geocities.ws