Back to basics this week: antivirus again. This project has been one of my main priorities for the past three months, and we're finally beginning to see results. Unfortunately, not all of them are good results.
We have antivirus scanners on all of our servers and desktops. We update them regularly, but we don't manage the software properly and it's gotten out of hand.
The Status Quo
Symantec Corp.'s Norton AntiVirus 5 is installed on our desktops, file servers and internal mail servers, and we have Trend Micro Inc.'s InterScan VirusWall installed on our external (Internet) mail gateway.
Whenever a user opens, moves, reads, copies or does anything to a file, the Norton AntiVirus AutoProtect mechanism on his PC scans it for known viruses. Every e-mail going through any of our mail servers has its attachments scanned by that mail server's scanner. All servers are automatically scanned overnight for infected files.
Antivirus scanners are good only if they're kept up-to-date. So every week, we download Symantec's new version of virus definitions to our testing area and distribute it to 30 or so test PCs and servers. If we have no problems with the test machines for 24 hours, we move the upgrade into the production environment. Our desktop support staff then pushes the upgrades out to each of the PCs around the company.
We still got hit by viruses - probably. I say "probably" because no one really keeps an eye on virus infections unless they get out of hand, and no records are kept. As a result, we would know of virus infections on a workstation only if the user called the help desk to report it.
The eagle-eyed among you may have noticed a few potential holes in this solution. We don't have anything scanning Internet downloads - so Web-based e-mail, for example, doesn't get scanned until it hits the user's desktop.
The process also depends on support staff pushing upgrades out manually - and these guys are busy and often get sidetracked onto more urgent problems. In truth, the very fact that there's human involvement in the process means that it's slow and unreliable.
Ever since I joined the company, I've been keeping records of how up-to-date our PC virus scanners are. Each Monday morning, I run a script that scans the Windows Registry of every PC connected to the LAN at the time and checks for the value of one particular key (HKEY_LOCAL_MACHINE\Software\Symantec\SharedDefs\NAVNT_50_AP1, if you're curious) that tells me what version of the virus definitions each PC is using. So far, in our best week, we had 40% of the company's PCs up-to-date, but it's usually 30% or below.
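As an added example (not the author's own script), here is that weekly audit written in PowerShell: it reads the NAVNT_50_AP1 value from each PC's remote registry, compares it with the definitions version last promoted to production, and counts machines it cannot reach instead of silently skipping them. The host-list path, the output folder and the $CurrentDefs placeholder are assumptions.

```powershell
# Added example, not the journal author's script. Assumes one hostname per line in
# $HostList, Remote Registry access to each PC, and $CurrentDefs set to the
# definitions version last moved from the test area into production (placeholder).
$CurrentDefs = '<PRODUCTION-DEFS-VERSION>'     # placeholder: fill in after each weekly promotion
$HostList    = 'C:\av-audit\lan-hosts.txt'     # assumed path
$SubKey      = 'Software\Symantec\SharedDefs'  # key named in the journal
$ValueName   = 'NAVNT_50_AP1'

$results = @(foreach ($pc in (Get-Content -Path $HostList)) {
    $hive = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $pc)
        $key  = $hive.OpenSubKey($SubKey)
        $defs = if ($key) { [string]$key.GetValue($ValueName) } else { '' }
        $status = if ($defs -eq $CurrentDefs) { 'current' }
                  elseif ($defs) { 'stale' }
                  else { 'no-scanner' }   # key absent: Norton AntiVirus probably not installed
    } catch {
        # Off the LAN or remote registry refused: report it rather than drop it from the count
        $defs = ''; $status = 'unreachable'
    } finally {
        if ($hive) { $hive.Close() }
    }
    [pscustomobject]@{ Host = $pc; Definitions = $defs; Status = $status }
})

$total   = $results.Count
$current = @($results | Where-Object { $_.Status -eq 'current' }).Count
if ($total -gt 0) {
    '{0} of {1} PCs ({2:P0}) on current definitions' -f $current, $total, ($current / $total)
}
$results | Group-Object -Property Status | Select-Object Name, Count | Format-Table -AutoSize
# Keep each week's snapshot so the 30-40% figure can be tracked as a trend, not a guess
$results | Export-Csv -Path ('C:\av-audit\defs-{0:yyyyMMdd}.csv' -f (Get-Date)) -NoTypeInformation
```

Running it from a scheduled task on Monday morning, as the author does by hand, gives a consistent weekly CSV to measure Step 2 against once the automated updates are rolled out.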
Our servers are much more reliably up-to-date - the update process is almost completely automated - so any virus infection that gets in should run up against the servers soon enough.
But we're placing a lot of reliance on the servers, and some viruses could spread quite a way or do a lot of damage without touching them.
So I'm now putting in a four-point solution as follows:
Step 1: Secure the perimeter. Make sure that data and applications get scanned for viruses before they reach the PCs or the servers.
Step 2: Make sure the workstations are kept up-to-date in case something does get past the perimeter.
Step 3: Develop an emergency procedure to update all the workstations and servers in a hurry - just in case my company gets hit by something particularly new and nasty.
Step 4: Get some management and reporting procedures in place so we get enough warning of infections to stop them before they spread too far.
Progress is slow. I know how to implement each of these steps, but everything has to be tested to destruction before it can be rolled out to users. No step is quite as simple as it seems.
As our external mail gateway is already quite well protected, Step 1 consists mostly of installing a content-checking proxy that scans HTTP and file transfer protocol (FTP) downloads for viruses. Our head office has already bought a copy of InterScan VirusWall to do just that, but we've got to get around some of the limitations.
Our Web engineering team claims that it will slow down Internet access and cause some browsers to time out while waiting for downloads to be scanned for viruses. No one's quite sure what effect it will have on automatic FTP scripts.
We have to install a new Web proxy server with VirusWall so we can test all the performance implications, and that takes a lot of time and resources from a Web engineering team already working flat out to implement an e-commerce project. Hopefully, we'll have that up in a month or so.
As for Step 2, our existing workstation-update procedure was born out of mistrust of Norton AntiVirus that started when one antivirus update caused some PCs to crash. Although this happened at least a year ago, such mistrust takes a long time to fade. In fact, we've never had a virus infection that did as much damage as that one update, so you can understand why people are nervous.
That mistrust meant that the desktop support staff insisted on being able to control the update procedure so that they could back it out immediately if they encountered problems. I'm trying to replace this with an automatic procedure - Norton's built-in scheduled update procedure, in fact - so that each workstation checks a central server for updates on a regular basis.
So far, we've piloted the procedure on 10 workstations without a hitch; now we're piloting it on 100 workstations. If we still have no problems in a couple of weeks, we'll roll it out to all users. But in the meantime, we have to try to scale the solution up, and Norton doesn't seem very scalable.
The existing program lets us schedule updates daily or hourly; we want something in between. It also doesn't allow us to randomize the time at which each PC checks for updates, so we're faced with the possibility of every PC across the company trying to open an FTP session to the same server at the same time. That isn't going to be easy on the server.
I've managed to palm Step 3 off on our head office, and Step 4 is relatively easy. We have hit problems trying to get our PCs to report details of virus infections into a central database. I still treasure the response from Symantec's support line when we asked for help with this. We asked how to export data from the antivirus scanner's log files into a database. Its response? "Open the log file, then select File/Print."
I don't have a large enough budget to hire dedicated typists to transcribe log entries into a database, but I have a feeling that our intrusion detection software, RealSecure from Internet Security Systems Inc. in Atlanta, may be able to do the job for us.
I just hope we don't get hit by the next headline-grabbing virus before I have a chance to sort this one out.
This journal is written by a real security manager, whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com to help you and our security manager - let's call him Jude Thaddeus - better solve security problems. Contact Jude at firstname.lastname@example.org or click on Computerworld.com's Security Watch community forum to participate in discussion topics.
This Week's Glossary
Virus definitions: Most antivirus software works by looking for known, defined viruses that have already been found and dissected by antivirus companies. Virus-scanning software uses definition files and updates to detect new viruses.
Links
www.symantec.com: The source for information on Cupertino, Calif.-based Symantec Corp.'s Norton AntiVirus 5 software.
www.antivirus.com: Cupertino, Calif.-based Trend Micro Inc.'s Web site contains information on InterScan VirusWall, which detects and removes viruses found in SMTP, HTTP and FTP gateway traffic. It also offers a wide variety of antivirus programs for e-mail, desktop software and other applications.
www.iss.net: Internet Security Systems Inc.'s home page includes information on RealSecure security management tools and SafeSuite scanning software.