Computer virus prevention: a primer

Jan Hruska,, Sophos Plc, Oxford, UK
First published: August 2000
Revised: February 2002

This white paper describes the current virus situation, common virus entry points, procedures for preventing infection, types of anti-virus software, deployment and administration of anti-virus software, and measures for recovering from a virus attack.

Viruses today
The number of known viruses surpassed 70,000 in January 2002. Of those, 26.1% are macro viruses, 26.1% are Trojan horses, 19.2% are executable and 6.8% are script viruses. Other virus types (Unix, boot sector, internet worms, file, Macintosh and multipartite) account for the remaining 21.8%. During 2001 79% of infections reported to Sophos were due to executable viruses, 12% were due to script viruses and 4% were due to macro viruses. The remaining 5% of infections were due to Trojan horses, UNIX and boot sector viruses. Note that a reported infection is counted as a single unit regardless of whether the virus infected one machine or 10,000 machines: the statistics quoted are not 'bomb-proof' but simply an indication of what is out there. The number of new viruses discovered every month continues to increase. In the last quarter of 2001, the Sophos virus lab was processing around 1200 new viruses each month.

Anti-virus procedures
Using anti-virus software should not be the only component of an effective anti-virus defense. What are the other components?

Stop using DOCs
Use Rich Text Format (RTF) files instead. All the Word text formatting will be saved, but RTF files cannot contain macros and, hence, cannot be used to spread viruses. Beware, though: a received Word file with an RTF extension is not necessarily a Rich Text Format file. Word can save files in Word format (i.e. with macros) under any extension.

Stop using XLSs
Use CSV format instead. Similar caveats apply as for using RTF files.


Use PowerPoint 7 or earlier
PowerPoint 7 or earlier does not have macro capability and, as such, is inherently virus-proof. Unfortunately, the visual appearance of later versions of PowerPoint is much better than PowerPoint 7 and the struggle to convince users that a virus-free environment is preferable to a visually more appealing one is very much uphill.

Use viewers, not applications
When the user double-clicks on an email attachment, most systems are configured to start the application associated with the file type. For example, a DOC file will start in Word, an XLS file in Excel, etc. The trouble is that these applications will also execute any macros within the received file, thus enabling the virus to infect. Most email applications can be configured to view a received file using a 'viewer'. Viewers normally do not have macro capabilities. Even if an infected file is examined in such a way, the virus will not infect the environment. Most users do not need to edit the received attachments, which makes using this strategy throughout the organization a very effective anti-virus technique.

Block receiving/sending of executable code
There is very little need for executable code to be received or sent. In most instances it is also illegal, usually breaching the software copyright. Some people are fond of using self-extracting ZIP files to send compressed data files: for security reasons using statically compressed ZIPs (which need PKUNZIP to be decompressed) is a much better solution. The blocking of executable code transfer is often best achieved on the Internet gateway. Unfortunately, it is impossible to detect executable code with 100% certainty by analyzing either the file content or the file extension. However, blocking files with executable extensions such as EXE, VBS, SHS etc. contributes to overall anti-virus measures. User education also plays a significant part in preventing infections by executable code received by email: the temptation to install a cute screensaver can be very, very high for a PC user who is not security aware.

Change the CMOS boot-up sequence
Most PCs are configured as delivered from the manufacturers to boot from drive A: first, and to boot from drive C: only if there is no disk in the drive. If a user leaves an infected disk in the floppy drive, the PC will become infected as a result. On modern PCs the booting sequence is stored in the CMOS memory and is very easy to change. Changing the PC to boot from drive C: completely eliminates the danger from pure boot sector viruses. If the PC needs to be booted from the floppy in the future,reversing the boot sequence is easy.
Most organizations, however, do not use this simple technique.

Turn off Windows Scripting Host
If the Windows Scripting Host (WSH) is not used, it should be turned off. The procedure is described in the Disabling Windows Scripting Host article.

Keep an eye on security bulletins
Up to November 1999, anti-virus experts could state authoritatively that a PC cannot become infected by simply reading email. Of course, they had analyzed the current technology specifications and there really was no apparent way of infecting a PC purely by reading email. Unfortunately, there was a difference between the specification for Microsoft Outlook and what the code was actually doing (also known as a programming bug), which allowed the virus BubbleBoy to infect when a user read email. Microsoft issued a patch which corrected the problem (see Microsoft Security Bulletin MS99-032) but very few users implemented it. Kakworm, which exploits the same loophole, is still infecting a significant number of users today. The complexity of today's software required by the never-ending thirst for new features, pretty pictures and sophistication, results in more people writing software to ever tighter deadlines (invariably reducing the average programmer competence level and the software quality). There is little point in complaining that the Windows operating system and the software written for Windows is unreliable: market demand is by far the main culprit in indirectly causing the unreliability. This situation is not going to get better. The best that an organization can do is to keep an eye on the various security bulletins which publicize security-related bugs.


Data destruction is only one of the side-effects found in viruses. It is neither new nor the worst thing that can happen to data. Backups have been a component of computer security from the early days of computers, guarding against the inevitable component failures and resulting loss of data. Data corruption is much worse than data destruction. It is often difficult to detect, which means that it may take months before it is noticed. Resorting to backups to retrieve the data is not often an option, since documents and spreadsheets change and the document retrieved from the backup may be far too old to be of use. Nevertheless, backups continue to be a necessary part of an effective defense against computer viruses.

Anti-virus software types

Scanners remain the most popular type of anti-virus software used today. They contain detection/disinfecting information for all known viruses. They are intuitive to use and capable of identifying a virus (e.g. "ABC.DOC is infected with the 'Blah' virus").The main disadvantage of scanners is that they need to be kept updated with the latest virus information in order to remain effective.

Checksummers rely on detecting change. When a virus infects an object, the object will change. The change will be picked up by the checksummer. Checksummers will pick up both known and unknown viruses, as long as the virus changes an object monitored by the checksummer. The main difficulty with using checksummers is distinguishing between legitimate and viral change. In other words, the results from checksummer findings need expert interpretation (normally not available at the user level). Another problem is that checksummers will only detect a virus once an infection happens; they cannot be used to prevent an infection. Virus detection alone is clearly undesirable.

Heuristics (from the Greek heuriskein, to discover, find) is a rule of thumb, strategy, method or trick used to improve the efficiency of a system that tries to discover the solutions to complex problems. In the context of anti-virus software, it is used to describe software which applies rules to distinguish viruses from non-viruses. Heuristic software is initially attractive for users since it is often presented as not needing updates. Unfortunately, heuristics is not problem-free. The main problem is that the virus writing community learns the rules used by heuristic software very quickly and starts writing viruses which circumvent them. The anti-virus companies then reformulate the rules and reissue the software etc., annulling the 'no updates' argument. Heuristic software also has a propensity to 'false-alarm', i.e. to label objects as viruses when they are not. Because of this, heuristics have to be tempered effectively, in order that they are not oversensitive and to minimize the likelihood of false-alarms.


Virus entry points
In order to establish where anti-virus software should be deployed in an organization, it is important to establish the common virus entry points.

An overwhelmingly large proportion of infections today are caused by infected email attachments. The ease with which a user can click on an attachment and launch an application is a significant factor in the spread of email-borne viruses. If the email content is sufficiently inviting (e.g. 'kindly check the attached LOVELETTER coming from me'.) and the visible attachment extension sufficiently innocent in the eyes of the user (e.g. LOVE-LETTER-FOR-YOU.TXT.vbs - text files cannot carry an infection, can they?), the temptation for a user can become overwhelming. The danger of infection through attachments is, of course, not confined to email. Newsgroup postings are also capable of carrying attachments.

World Wide Web
The web is full of sites carrying virus-infected material. Desktop access to the Internet is viewed as an 'expected' in today's workplace, meaning that downloading potentially infected files is too easy. Several organizations have, however, found that providing physically separate PCs to access the web is a much better arrangement. Not only is the Internet physically separated from the company main network, but employees tend to waste much less time 'surfing' non work-related sites, since it is obvious when they are not seated at their desks.

Floppy disks and CDs
The use of floppy disks has decreased radically with the advent of networks, but most PCs still come with a floppy drive fitted as standard. 0.5% of all infections are due to boot sector viruses, which shows that floppy disks are not dead (yet). CDs (especially magazine cover CDs) have also been shown to be relatively frequent virus carriers.

Anti-virus software deployment points
There are three main points where it makes sense to deploy anti-virus software: on the Internet gateway, on the servers and on the desktop.

Internet gateway
The Internet gateway is the point that connects the Internet and internal company networks. It is a good place to install anti-virus software which will check incoming and outgoing email attachments. The main advantage of using anti-virus software on the gateway is that incoming infected attachments sent to multiple email addresses will generate a single virus alert (on the gateway) instead of multiple ones if the infected email is allowed to get through to the desktop. A problem of using anti-virus software on the gateway which is important to bear in mind is the increasing use of encryption. There is no point in checking encrypted attachments since viruses will be safely hidden inside the encryption envelope. At the moment, only relatively small numbers of emails are encrypted and the effectiveness of gateway scanning is still high. However, this may alter in the future creating something of a dilemma for those wishing to deploy anti-virus software and use desktop-to-desktop encryption.

Using anti-virus software on servers to scan centrally held files has several advantages over trying to scan the servers from a workstation. Firstly, network traffic is minimized since the scanning processes runs locally on the server. Secondly, any virus stealth mechanisms are not effective since the virus is never 'active' on the server. Most organizations deploy anti-virus software to scan their servers at regular intervals, usually during periods of low user activity.

Virus scanning on the desktop is probably the most important part of the three-point scanning strategy. Even if the virus penetrates the Internet gateway scanner by arriving in an encrypted email, even if it is not caught by the server scanner (which does not scan email), it will have to be caught by the desktop before it is allowed to infect. It is often the case that keeping desktop anti-virus software up to date is one of the hardest tasks faced by the system administrator. This is especially the case on the desktops not permanently connected such as laptops with docking stations.

Anti-virus software administration
Since the effectiveness of anti-virus software in use today depends on frequent updates, it is very important that effective tools are available to deploy, upgrade and administer anti-virus software throughout the organization

Updates over the Internet
Automatically updating anti-virus software over the Internet is an attractive (zero workload) concept for system administrators. It does, however, have deep implications for the overall security of the organization since it effectively outsources the control and the decision-making process over what software is installed on the company network to the anti-virus software supplier. Many organizations prefer to place a human specialist in the loop. The specialist can then decide what, how and when to deploy the updates. Any new software can also be tested before being deployed company-wide. For this reason it is essential for companies to be able to choose which parts, if any, of the process they would like to automate.

The administrator of a large anti-virus software installation needs the tools to communicate with the anti-virus software effectively (admin->software->admin). The software needs to be kept up to date (admin->software) while the administrator needs regular feedback, both virus and non-virus related (software->admin).Three main techniques are used to distribute updates over the company network: push, pull and combined push/pull. Each has its advantages and disadvantages and the decision on which is best suited will depend heavily on the network structure, speed of connections, network usage patterns, etc.

Recovery from virus attack
Should the unthinkable happen and a virus manages to penetrate all the defenses put in its path, the company must have effective procedures in place to be able to contain the infection on as few PCs as possible as well as restoring these PCs to their pre-infection state. Such virus penetration usually occurs when the anti-virus software used does not recognize a particular virus. Cultivating a good relationship with the anti-virus software supplier and knowing that they will jump in an emergency is an important factor in the company's anti-virus strategy. Dealing with a virus that has been allowed to enter a company will be orders of magnitude more expensive than the cost of any anti-virus software. One main expense will be time, since it may be necessary to visit every infected workstation to perform the disinfecting and its restoration to the pre-infection state. Not only this, but an infection can also cost companies in terms of lost credibility and breaches of confidentiality, depending on the nature of the virus.

Having company-standard software installations, possibly supplemented by disk imaging software, can be very helpful in restoring infected workstations.