Antivirus safety net has too many holes

The largest risk my company faces for downtime and lost revenue comes from virus infections. Viruses used to be a nagging little problem that affected only those who trafficked in copyright-infringing software on floppies.

The largest risk my company faces for downtime and lost revenue comes from virus infections.

Viruses used to be a nagging little problem that affected only those who trafficked in copyright-infringing software on floppies. Then Microsoft decided documents should also be virtual machines that run macros, and the virus world became a lot more exciting. Just when we got our heads around that, Microsoft decided email clients should also be able to run scripts and our address books should be open to all software.

There are thousands of viruses, each trying to spread, and many leaving damaged data and public relations woes in their wake.

We run the best antivirus defences money can buy. We update our software every time the vendors release new patches. We spend a great deal of effort on the problem, and yet we still suffer occasional virus infections. Why?

Chinks in the armour

First of all, we must continue to do business. Our development teams need to share code. Our sales teams have to send documents and presentations, our finance teams have to share spreadsheets and databases. These days, all these files can contain viruses.

I remember recruiting new staff to address virus issues and interviewing a string of ex-military and intelligence types. Short haircut after short haircut explained to me that the way to eradicate the virus threat was simply to remove all floppy drives and CD-ROMs from all machines, disable internet access and discipline anyone caught with a virus on their machine. We could never get away with that.

The business benefits we derive from allowing documents and spreadsheets in and out of our environment far outweigh the downside of the rare virus epidemic that overloads the email system or of the requirement to go to backups to recover some corrupt files after an infection.

Of course, we work to reduce the risk as much as we can. But best efforts don’t give us 100% protection; every system has a chink in its armour. Once in a while, a new virus finds a way through our lines of defence.

In the good old days, it would take many months for a new virus to become a global issue, leaving plenty of time for virus updates. Today, a hacker can execute a few mouse clicks using a virus generator tool kit and make headlines on CNN the same day.

In response, vendors have developed faster ways to deploy updated signatures. Most are now web-enabled with automatic updates and central management consoles. Their deployment packages, which push protection onto user desktops and servers, could teach intrusion-detection system (IDS) vendors a thing or two.

Most IDS deployments require you to visit each machine in turn. That’s fine when you have five machines in a demilitarised zone, but what if you have more than 4000? Even with these improved tools, it still takes a lot of effort to deploy a new signature to every desktop. If the machine is turned off or the user has disabled the virus checker, then you’re still exposed.

As the number of virus signatures grows, the desktop virus scanner runs slower and slower, tempting users to disable it. Vendors have tried to work around this by limiting what they scan: They usually just look for program files — the .exe, .com, .vbs and .doc files known to contain viruses. This means that, even with all the latest signatures loaded and the desktop antivirus software enabled, infected files can still get through undetected. So we can’t trust the desktop to be timely or even there at all. We have to have gateway protection as well.

By forcing the entire web and email content in and out of the company through gateways, we can check it all in one place. This used to be foolproof: keep it up-to-date and you’d never have a virus. People even began to wonder if we needed desktop protection at all, with such good border protection.

Then, like good security people, we improved the confidentiality of our users. Shopping online? Use a Secure Sockets Layer encrypted session to protect your credit card from prying eyes. Sadly, our gateway protection is a type of prying eye. If users encrypt, we can see nothing and can do nothing to help them keep viruses at bay.

The same problem affects the use of web mail services like Hotmail. We encourage staff to use these to reduce the risk of company liability. If they are going to say something foolish, we prefer our company name not be associated with it. While our email servers have antivirus software installed, many web mail providers don’t. If they use a decent web mail provider, like Hushmail, the content is protected, so the virus gets through our proxy web checking. Microsoft doesn’t bother to encrypt the session containing your email on Hotmail. That’s bad for your privacy but great for our ability to check for viruses.

Viruses also have a nasty habit of coming back to bite you after you think you have eradicated them. After our last .vbs infection, we cleaned all the Windows NT file servers, and yet the virus was still active. It had sneaked onto some OpenVMS Pathworks and Unix Samba file servers. It’s very hard to get decent antivirus software for these operating systems because they rarely have viruses of their own.

Once all that was cleaned out, the virus was still hiding on our backup tapes. When we restored the files, we found ourselves introducing a threat back into the environment. The worst time to suffer a virus problem is when things are bad enough that you need to go to backups.

Any attempt to reduce the risk of viruses also decreases the ease and functionality for users. Luckily, hardly anyone uses .vbs files for business purposes within our company, so we have been able to disable the running of these files on desktops. This makes us immune to any variants of the Love Bug virus, but it doesn’t mean we feel safe. So far, the viruses making global headlines haven’t carried significant payloads, but everyone working in this field can imagine an Armageddon virus that would make the famous Morris worm look like a tempest in a teacup. Viruses have become a fact of modern computing life, and they don’t look like they’re going away anytime soon.

Tuesday is the pseudonym of a US IT manager.

Join the newsletter!

Error: Please check your email address.

More about CNNHotmailMicrosoft

Show Comments
[]