virus prevention: a primer
Jan Hruska, firstname.lastname@example.org,
Sophos Plc, Oxford, UK
First published: August 2000
Revised: February 2002
This white paper describes the current virus situation, common virus entry
points, procedures for preventing infection, types of anti-virus software,
deployment and administration of anti-virus software, and measures for
recovering from a virus attack.
The number of known viruses surpassed 70,000 in January 2002. Of those,
26.1% are macro viruses, 26.1% are Trojan horses, 19.2% are executable
and 6.8% are script viruses. Other virus types (Unix, boot sector, internet
worms, file, Macintosh and multipartite) account for the remaining 21.8%.
During 2001 79% of infections reported to Sophos were due to executable
viruses, 12% were due to script viruses and 4% were due to macro viruses.
The remaining 5% of infections were due to Trojan horses, UNIX and boot
sector viruses. Note that a reported infection is counted as a single
unit regardless of whether the virus infected one machine or 10,000 machines:
the statistics quoted are not 'bomb-proof' but simply an indication of
what is out there. The number of new viruses discovered every month continues
to increase. In the last quarter of 2001, the Sophos virus lab was processing
around 1200 new viruses each month.
Using anti-virus software should not be the only component of an effective
anti-virus defense. What are the other components?
Stop using DOCs
Use Rich Text Format (RTF) files instead. All the Word text formatting
will be saved, but RTF files cannot contain macros and, hence, cannot
be used to spread viruses. Beware, though: a received Word file with an
RTF extension is not necessarily a Rich Text Format file. Word can save
files in Word format (i.e. with macros) under any extension.
Stop using XLSs
Use CSV format instead. Similar caveats apply as for using RTF files.
Use PowerPoint 7 or earlier
PowerPoint 7 or earlier does not have macro capability and, as such, is
inherently virus-proof. Unfortunately, the visual appearance of later
versions of PowerPoint is much better than PowerPoint 7 and the struggle
to convince users that a virus-free environment is preferable to a visually
more appealing one is very much uphill.
Use viewers, not applications
When the user double-clicks on an email attachment, most systems are configured
to start the application associated with the file type. For example, a
DOC file will start in Word, an XLS file in Excel, etc. The trouble is
that these applications will also execute any macros within the received
file, thus enabling the virus to infect. Most email applications can be
configured to view a received file using a 'viewer'. Viewers normally
do not have macro capabilities. Even if an infected file is examined in
such a way, the virus will not infect the environment. Most users do not
need to edit the received attachments, which makes using this strategy
throughout the organization a very effective anti-virus technique.
Block receiving/sending of executable
There is very little need for executable code to be received or sent.
In most instances it is also illegal, usually breaching the software copyright.
Some people are fond of using self-extracting ZIP files to send compressed
data files: for security reasons using statically compressed ZIPs (which
need PKUNZIP to be decompressed) is a much better solution. The blocking
of executable code transfer is often best achieved on the Internet gateway.
Unfortunately, it is impossible to detect executable code with 100% certainty
by analyzing either the file content or the file extension. However, blocking
files with executable extensions such as EXE, VBS, SHS etc. contributes
to overall anti-virus measures. User education also plays a significant
part in preventing infections by executable code received by email: the
temptation to install a cute screensaver can be very, very high for a
PC user who is not security aware.
Change the CMOS boot-up sequence
Most PCs are configured as delivered from the manufacturers to boot from
drive A: first, and to boot from drive C: only if there is no disk in
the drive. If a user leaves an infected disk in the floppy drive, the
PC will become infected as a result. On modern PCs the booting sequence
is stored in the CMOS memory and is very easy to change. Changing the
PC to boot from drive C: completely eliminates the danger from pure boot
sector viruses. If the PC needs to be booted from the floppy in the future,reversing
the boot sequence is easy.
Most organizations, however, do not use this simple technique.
Turn off Windows Scripting Host
If the Windows Scripting Host (WSH) is not used, it should be turned off.
The procedure is described in the Disabling Windows Scripting Host article.
Keep an eye on security bulletins
Up to November 1999, anti-virus experts could state authoritatively that
a PC cannot become infected by simply reading email. Of course, they had
analyzed the current technology specifications and there really was no
apparent way of infecting a PC purely by reading email. Unfortunately,
there was a difference between the specification for Microsoft Outlook
and what the code was actually doing (also known as a programming bug),
which allowed the virus BubbleBoy to infect when a user read email. Microsoft
issued a patch which corrected the problem (see Microsoft Security Bulletin
MS99-032) but very few users implemented it. Kakworm, which exploits the
same loophole, is still infecting a significant number of users today.
The complexity of today's software required by the never-ending thirst
for new features, pretty pictures and sophistication, results in more
people writing software to ever tighter deadlines (invariably reducing
the average programmer competence level and the software quality). There
is little point in complaining that the Windows operating system and the
software written for Windows is unreliable: market demand is by far the
main culprit in indirectly causing the unreliability. This situation is
not going to get better. The best that an organization can do is to keep
an eye on the various security bulletins which publicize security-related
Data destruction is only one of the side-effects found in viruses. It
is neither new nor the worst thing that can happen to data. Backups have
been a component of computer security from the early days of computers,
guarding against the inevitable component failures and resulting loss
of data. Data corruption is much worse than data destruction. It is often
difficult to detect, which means that it may take months before it is
noticed. Resorting to backups to retrieve the data is not often an option,
since documents and spreadsheets change and the document retrieved from
the backup may be far too old to be of use. Nevertheless, backups continue
to be a necessary part of an effective defense against computer viruses.
Scanners remain the most popular type of anti-virus software used today.
They contain detection/disinfecting information for all known viruses.
They are intuitive to use and capable of identifying a virus (e.g. "ABC.DOC
is infected with the 'Blah' virus").The main disadvantage of scanners
is that they need to be kept updated with the latest virus information
in order to remain effective.
Checksummers rely on detecting change. When a virus infects an object,
the object will change. The change will be picked up by the checksummer.
Checksummers will pick up both known and unknown viruses, as long as the
virus changes an object monitored by the checksummer. The main difficulty
with using checksummers is distinguishing between legitimate and viral
change. In other words, the results from checksummer findings need expert
interpretation (normally not available at the user level). Another problem
is that checksummers will only detect a virus once an infection happens;
they cannot be used to prevent an infection. Virus detection alone is
Heuristics (from the Greek heuriskein, to discover, find) is a rule of
thumb, strategy, method or trick used to improve the efficiency of a system
that tries to discover the solutions to complex problems. In the context
of anti-virus software, it is used to describe software which applies
rules to distinguish viruses from non-viruses. Heuristic software is initially
attractive for users since it is often presented as not needing updates.
Unfortunately, heuristics is not problem-free. The main problem is that
the virus writing community learns the rules used by heuristic software
very quickly and starts writing viruses which circumvent them. The anti-virus
companies then reformulate the rules and reissue the software etc., annulling
the 'no updates' argument. Heuristic software also has a propensity to
'false-alarm', i.e. to label objects as viruses when they are not. Because
of this, heuristics have to be tempered effectively, in order that they
are not oversensitive and to minimize the likelihood of false-alarms.
Virus entry points
In order to establish where anti-virus software should be deployed in
an organization, it is important to establish the common virus entry points.
An overwhelmingly large proportion of infections today are caused by infected
email attachments. The ease with which a user can click on an attachment
and launch an application is a significant factor in the spread of email-borne
viruses. If the email content is sufficiently inviting (e.g. 'kindly check
the attached LOVELETTER coming from me'.) and the visible attachment extension
sufficiently innocent in the eyes of the user (e.g. LOVE-LETTER-FOR-YOU.TXT.vbs
- text files cannot carry an infection, can they?), the temptation for
a user can become overwhelming. The danger of infection through attachments
is, of course, not confined to email. Newsgroup postings are also capable
of carrying attachments.
World Wide Web
The web is full of sites carrying virus-infected material. Desktop access
to the Internet is viewed as an 'expected' in today's workplace, meaning
that downloading potentially infected files is too easy. Several organizations
have, however, found that providing physically separate PCs to access
the web is a much better arrangement. Not only is the Internet physically
separated from the company main network, but employees tend to waste much
less time 'surfing' non work-related sites, since it is obvious when they
are not seated at their desks.
Floppy disks and CDs
The use of floppy disks has decreased radically with the advent of networks,
but most PCs still come with a floppy drive fitted as standard. 0.5% of
all infections are due to boot sector viruses, which shows that floppy
disks are not dead (yet). CDs (especially magazine cover CDs) have also
been shown to be relatively frequent virus carriers.
Anti-virus software deployment
There are three main points where it makes sense to deploy anti-virus
software: on the Internet gateway, on the servers and on the desktop.
The Internet gateway is the point that connects the Internet and internal
company networks. It is a good place to install anti-virus software which
will check incoming and outgoing email attachments. The main advantage
of using anti-virus software on the gateway is that incoming infected
attachments sent to multiple email addresses will generate a single virus
alert (on the gateway) instead of multiple ones if the infected email
is allowed to get through to the desktop. A problem of using anti-virus
software on the gateway which is important to bear in mind is the increasing
use of encryption. There is no point in checking encrypted attachments
since viruses will be safely hidden inside the encryption envelope. At
the moment, only relatively small numbers of emails are encrypted and
the effectiveness of gateway scanning is still high. However, this may
alter in the future creating something of a dilemma for those wishing
to deploy anti-virus software and use desktop-to-desktop encryption.
Using anti-virus software on servers to scan centrally held files has
several advantages over trying to scan the servers from a workstation.
Firstly, network traffic is minimized since the scanning processes runs
locally on the server. Secondly, any virus stealth mechanisms are not
effective since the virus is never 'active' on the server. Most organizations
deploy anti-virus software to scan their servers at regular intervals,
usually during periods of low user activity.
Virus scanning on the desktop is probably the most important part of the
three-point scanning strategy. Even if the virus penetrates the Internet
gateway scanner by arriving in an encrypted email, even if it is not caught
by the server scanner (which does not scan email), it will have to be
caught by the desktop before it is allowed to infect. It is often the
case that keeping desktop anti-virus software up to date is one of the
hardest tasks faced by the system administrator. This is especially the
case on the desktops not permanently connected such as laptops with docking
Anti-virus software administration
Since the effectiveness of anti-virus software in use today depends on
frequent updates, it is very important that effective tools are available
to deploy, upgrade and administer anti-virus software throughout the organization
Updates over the Internet
Automatically updating anti-virus software over the Internet is an attractive
(zero workload) concept for system administrators. It does, however, have
deep implications for the overall security of the organization since it
effectively outsources the control and the decision-making process over
what software is installed on the company network to the anti-virus software
supplier. Many organizations prefer to place a human specialist in the
loop. The specialist can then decide what, how and when to deploy the
updates. Any new software can also be tested before being deployed company-wide.
For this reason it is essential for companies to be able to choose which
parts, if any, of the process they would like to automate.
The administrator of a large anti-virus software installation needs the
tools to communicate with the anti-virus software effectively (admin->software->admin).
The software needs to be kept up to date (admin->software) while the
administrator needs regular feedback, both virus and non-virus related
(software->admin).Three main techniques are used to distribute updates
over the company network: push, pull and combined push/pull. Each has
its advantages and disadvantages and the decision on which is best suited
will depend heavily on the network structure, speed of connections, network
usage patterns, etc.
Recovery from virus attack
Should the unthinkable happen and a virus manages to penetrate all the
defenses put in its path, the company must have effective procedures in
place to be able to contain the infection on as few PCs as possible as
well as restoring these PCs to their pre-infection state. Such virus penetration
usually occurs when the anti-virus software used does not recognize a
particular virus. Cultivating a good relationship with the anti-virus
software supplier and knowing that they will jump in an emergency is an
important factor in the company's anti-virus strategy. Dealing with a
virus that has been allowed to enter a company will be orders of magnitude
more expensive than the cost of any anti-virus software. One main expense
will be time, since it may be necessary to visit every infected workstation
to perform the disinfecting and its restoration to the pre-infection state.
Not only this, but an infection can also cost companies in terms of lost
credibility and breaches of confidentiality, depending on the nature of
Having company-standard software installations, possibly
supplemented by disk imaging software, can be very helpful in restoring