This month's feature article is:
"Antivirus Best Practices"
Compare your approach with capsule descriptions of best practices
Here we go 'round the mulberry bush with a pocketful of posies
once again. Haven't we "been here and done that" before with yet
another virus (MyDoom variants) infecting hundreds of thousands of
Maybe it's time to take a good long look at your antivirus policy
and make sure your company is following best practices.
In light of all the damage being done by viruses,
worms, trojans, etc., maybe we need to rethink how we're
protecting our networks at the point of connection to the
Just as we have a DMZ and firewalls to keep out
intruders (when properly configured anyway), shouldn't we be more
careful with the incoming mail?
Many networks let incoming mail onto the network (complete with
attachments) and then attempt to filter out the bad stuff. That's
a strategy that takes unnecessary risk.
Read my article on Antivirus Best Practices and
pay special attention to these two steps - 1) not letting known
spam in at all, and 2) stripping out all suspect attachments from
Common sense goes a long way.
In The News
Here are some article links on MyDoom and the havoc it's
wreaking around the Net:
Antivirus Best Practices
by Greg Reynolds
A virus outbreak on your network creates chaos and bleeds cash. In
2003, corporate giants such as Bank of America, First Energy, and
Verizon were hit hard by preventable virus outbreaks.
Want to make sure that you're not next?
Here is what you need to do:
1) - Use a spam appliance at your internet gateway to block
The vast majority of viruses are spread by unwanted email, i.e.
spam. Using a spam appliance stops 95% of all spam and prevents it
from even entering your network.
Avoid the primary source of contamination and treat it like the
plague that it is. Do everything you can to keep spam from coming
into contact with your servers and workstations, including running
a secondary spam filter on your mail server.
2) - Use two antivirus scanning engines against incoming mail
on the mail server.
Redundancy is a best practice in many fields and antivirus
protection is no exception. No single antivirus solution is
perfect at catching every virus. Your primary defense should be at
the SMTP gateway before viruses reach a server.
Investigate, select, and implement a secondary antivirus solution
that fits your budget and provides an extra layer of protection at
the server level. You'll be pleasantly surprised by what the
safety net catches.
3) - Update all antivirus signature files automatically every
Antivirus vendors create updated signature files for their
detection engines when new virus threats are detected. Unless your
system has the updated files in operation, you are defenseless
against the latest and greatest viruses.
Make sure that your systems are set up to receive these updates
automatically instead of upon administrator request. If your
antivirus solution doesn't have automatic updating, start shopping
for one that does.
4) - Publish and implement on your perimeter SMTP gateway and
mail servers a list of forbidden attachments - .vbs, .pif, .scr,
.bat, .cmd, .exe, etc. - and strip those out.
Dangerous attachments have no business entering your system at
all. Even if they aren't blocked by your antivirus software, you
should filter these types of dangerous attachments from all
incoming and outbound mail.
If necessary, you can set up a "holding area" for stripped
attachments that may contain desirable content (ex: .exe files)
and implement a manual retrieve/review process within the IT
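Item 4's stripping step, worked through as an added example that is not Net Sense's or the article's own code: a Python filter that parses an inbound message, removes every part whose filename ends in one of the listed extensions (matching the final extension case-insensitively, so a double-extension name such as report.pdf.scr is caught and the sender-controlled MIME type is ignored), and writes each removed part with a JSON sidecar into a holding area for the manual retrieve/review process. The constructed sample message, the holding-directory layout and the X-Stripped-Attachments trace header are assumptions, not anything the article specifies.

```python
"""Strip forbidden attachments from inbound mail into a holding area.

Added example for the article's item 4; not Net Sense's code. The sample
message, holding-area layout and X-Stripped-Attachments header are assumptions.
"""
import email
import hashlib
import json
import re
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Extension block list from the article's item 4; extend as your policy requires.
FORBIDDEN_EXTENSIONS = {".vbs", ".pif", ".scr", ".bat", ".cmd", ".exe"}


def is_forbidden(filename):
    """Match the final extension case-insensitively; the MIME type is ignored
    because the sender controls it and it is often a generic octet-stream."""
    if not filename:
        return False
    return Path(filename).suffix.lower() in FORBIDDEN_EXTENSIONS


def _quarantine(part, msg, holding):
    """Write the decoded attachment plus a JSON sidecar so IT can review and release it."""
    filename = part.get_filename()
    data = part.get_payload(decode=True) or b""
    digest = hashlib.sha256(data).hexdigest()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", Path(filename).name)
    stem = f"{digest[:16]}_{safe_name}"  # hash prefix avoids name collisions
    (holding / stem).write_bytes(data)
    (holding / f"{stem}.json").write_text(json.dumps({
        "original_filename": filename,
        "content_type": part.get_content_type(),
        "sha256": digest,
        "size": len(data),
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
    }, indent=2))
    return filename


def _prune(part, msg, holding, quarantined):
    """Recursively drop forbidden leaf parts from any multipart container."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if not sub.is_multipart() and is_forbidden(sub.get_filename()):
            quarantined.append(_quarantine(sub, msg, holding))
        else:
            _prune(sub, msg, holding, quarantined)
            kept.append(sub)
    part.set_payload(kept)


def strip_forbidden_attachments(raw_message, holding_dir):
    """Parse raw RFC 5322 bytes; return (cleaned EmailMessage, list of quarantined filenames)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    holding = Path(holding_dir)
    holding.mkdir(parents=True, exist_ok=True)
    quarantined = []
    _prune(msg, msg, holding, quarantined)
    if quarantined:
        # Leave a trace so the recipient knows why something is missing (assumed header name).
        msg["X-Stripped-Attachments"] = ", ".join(quarantined)
    return msg, quarantined


def build_sample_message():
    """Constructed sample: one harmless CSV, one double-extension .scr, one upper-case .BAT."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg["Message-ID"] = "<sample-001@example.com>"
    msg.set_content("Figures attached.")
    msg.add_attachment("q1,q2\n1,2\n", subtype="csv", filename="figures.csv")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="figures.pdf.scr")
    msg.add_attachment(b"@echo off\r\n", maintype="application", subtype="octet-stream",
                       filename="setup.BAT")
    return msg.as_bytes()


def run_demo(holding_dir=None):
    """Run the filter over the sample and return a summary; round-trips through bytes
    to prove the rewritten message still parses as valid MIME."""
    holding_dir = holding_dir or tempfile.mkdtemp(prefix="held-attachments-")
    cleaned, removed = strip_forbidden_attachments(build_sample_message(), holding_dir)
    reparsed = email.message_from_bytes(cleaned.as_bytes(), policy=policy.default)
    return {
        "quarantined": removed,
        "delivered": [p.get_filename() for p in reparsed.iter_attachments()],
        "sidecars": len(list(Path(holding_dir).glob("*.json"))),
        "trace_header": str(reparsed["X-Stripped-Attachments"]),
        "holding_dir": holding_dir,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In production this sits behind the SMTP gateway (a milter or a content-filter hook) rather than being run by hand, and the holding area must not be browsable or executable by end users; the sidecar carries the sender, subject and SHA-256 so a reviewer can decide on release without opening the file.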
5) - Use antivirus software on every workstation and scan all
Viruses, trojans, and other malware can (and will eventually)
enter your network at the workstation level. An end user can
easily introduce viruses to a corporate network in a variety of
ways including floppy, CD-ROM, external POP3 or IMAP4 mail
servers, USENET newsgroups, instant messaging clients, Web mail,
or email from an Exchange server.
Viruses and worms that can enter a network through mobile devices
or PDAs have already been discovered and future malware of this
class will only be worse. Make sure that all outbound mail is
virus scanned at the workstation level as well as scanned again at
the mail server.
6) - Set antivirus software to always scan all removable media,
i.e., floppy disks.
Don't let viruses in through the end user backdoor. Set your
workstation antivirus clients to automatically scan all removable
media the moment it's engaged.
Sure, it's an inconvenience for an end user, but it's an ironclad
security policy in place in every secure military installation.
Don't be fooled into thinking you're not part of the virus war as
7) - Apply all OS and application patches ASAP, preferably
Failure to secure your operating systems and application software
with the latest patches is just asking for trouble. Every virus
out there is designed to exploit a known vulnerability.
If you leave those vulnerabilities unpatched, you will eventually
pay the price. Put a system in place that scans all your
workstations and servers for missing patches and automatically
initiates patch remediation without administrator involvement.
Otherwise, your manual process will eventually fail and your
network will pay the price.
8) - Always upgrade to the latest version of your antivirus
Software vendors issue upgraded versions for a reason (and it's
not to milk your budget). They are providing a new and improved
version with an enhanced feature set.
When you start relying on outdated tools to keep your network
secure, you greatly increase the risk of a security breach. Weigh
the cost of the upgrade against the cost of the downtime and lock
your network down.
9) - Centrally configure all client workstations to the highest
Failing to use centralized configuration files and identical group
policies on software settings makes support a nightmare. It also
greatly increases your risk of a virus outbreak.
Review your standard configurations and make sure your
workstations (and servers) are configured for maximum security. A
good recent example is the DCOM/RPC service in Windows. It's not
needed by any stretch of the imagination, but it's left enabled by
most configurations. Very bad idea.
10) - Regularly scan your client workstations for viruses,
trojans, spyware, and other malware on a weekly basis.
Don't rely exclusively on perimeter defenses and reactive
processes. Initiate a clean sweep on at least a weekly schedule.
A virus or trojan can lie hidden or dormant on a workstation until
activated by a line of code or by remote access (and then it's too
late). For Windows clients, Pest Patrol does a good job of rooting
out hidden agents capable of doing harm.
11) - Communicate security policies and virus alerts regularly
with all users.
Don't keep your users in the dark and expect them to know what to
do. Put out periodic reminders about not opening suspicious
attachments or downloading files from the Internet.
Include a few statistics about the number of viruses caught weekly
and monthly. Remind them to follow security policies. They are
there for a reason.
12) - Have an Acceptable Internet/Email Usage Policy signed by
every user that clearly defines Unacceptable Usage.
Every user should read and sign a copy of your company's
Acceptable Usage Policy that covers Internet and Email Usage. They
should also be given a photocopy of the signed Usage Policy for
Make sure yours includes a clear definition of what is
Unacceptable Usage. In case of a violation, review the Usage
Policy with the end user and issue a written reprimand for their
13) - Have a written escalation policy in place so your IT
staff knows how to block the spread of a virus.
Your Business Continuity/Disaster Recovery planning should
encompass a severe virus attack. Document all steps needed to
isolate the virus and keep it from spreading.
Isolate the infection by taking immediate action to keep it from
spreading. Don't forget you can actually pull the network plug on
a few servers to keep things under control. It also won't hurt to
run through a few simulations with your team to test their
14) - Have current system configuration documentation on all
mail servers, application servers, workstations, etc. in case you
need to restore.
Again, Business Continuity/Disaster Recovery plans should always
include all necessary documentation of servers, workstations,
routers, etc. Keep your records in at least two different places.
Outdated configuration information will hinder a quick recovery.
Make sure you implement an on-demand tool that will automatically
generate these configuration files and then do so on a periodic
15) - Have data recovery tools and processes in place.
Don't leave your team scrambling to assemble the tools and figure
out the correct steps to take. Have all your tools on hand and
your processes outlined before disaster strikes.
Otherwise, your recovery from a virus outbreak will take longer
and cost a whole lot more.
16) - Keep full records of all virus attacks and remediation
Document all virus remediation efforts for two reasons. First, to
provide a record of what was done and second, to allow for a
reversal of one or more steps in case they were deficient or
Recording the work performed can also be used as a business case
for additional preventative resources.
Of course, all of these antivirus best practices will not
completely protect your network if you don't follow best practices
in other network security areas, but they will provide a
high level of protection all by themselves.
Make sure the rest of your network is secure by running
vulnerability management systems that scan your network for
security breaches 24x7.
After all, it's your business. Let's be safe out there.
Greg Reynolds is a 20-year computer industry veteran and the
President of Net Sense, an IT consulting firm.