Guidelines for the Protecting the Corporate against Viruses

Denis Zenkin Ph.D
Head of corporate communications, Kaspersky Lab

Computers & Security, 20 (2001) 671-675



0167-4048/01$20.00 © 2001 Elsevier Science Ltd 671

Introduction

At the beginning of the computer era, when only secret governmental organizations possessed computers, work with computers was carefree. Engineers didn't even think to bother themselves with such foolish things as the development of computer viruses; they were too busy with their daily duties. However, by the end of the 1970s computers were already used by many people, and in the mid-1990s they became a mandatory attribute of every modern company, and computer literacy was as much in demand as the ability to read and write. Nowadays, computers are available to hundreds of millions of people worldwide, and the World Wide Web, also known as the Internet, binds them together with invisible links.

Only the naive would believe that all of these millions of people use computers only for good purposes, such as producing balance sheets, maintaining warehouse databases or diving into a fascinating computer game. Nowadays, thousands of hackers of various ages and views run about cyberspace, hacking computer systems, stealing confidential information, emptying bank accounts and destroying data. The most frequent tool they use for these purposes is a computer virus.

Multiple virus attacks threaten to ruin the successful performance of the global economy as a whole. According to a report by Information Week in 2000, the losses to the world economy caused by virus and hacker activity amounted to US$1.6 billion. Another US-based research organization, Forrester Research, forecasts that by 2005 companies will spend three times more on information protection than they do now, in order to resist the increasing virus attacks on their computer systems. Not the best forecast for the global economy, especially if we take into account that it will certainly slow down the development of new cutting-edge information technologies, because companies will withdraw substantial financial means to redirect them to information security issues.

The most frequent question that arises among corporate customers is how to cut down expenses while at the same time increasing the effectiveness of protection. The answer lies in a clear understanding of the local problem and the establishment of competent computer-protection policies.

Defining viruses

Thanks to Hollywood blockbusters a virus is now associated with a demonic nature and with an extraterrestrial intellect invading the Earth. This unfounded fear is even more dangerous because of the panic it produces: when users detect a virus on their computer they tend to stop thinking reasonably. As a result, users in this situation quite frequently damage their computers even more seriously than the virus they detected did. In fact, a virus is an ordinary computer program that is able to create copies of itself in a way that is imperceptible to the user and embed them into other programs and boot sectors.

Another frequent mistake of users is that they extend the term "virus" to all malware types, such as Trojans and network worms. Unlike viruses, worms are not able to replicate within a system (i.e. to plant copies of themselves inside other files or boot sectors), but they can automatically transmit their copies via email and other types of communication channels. Trojans are not able to replicate or distribute themselves at all; virus writers usually distribute them as a useful utility, and when started on a user's computer they perform various intentional actions that change the system's functionality, make unauthorized changes, etc. It is important to note that today it is difficult to find a pure virus, Trojan or network worm. Modern malicious programs mostly constitute complicated multi-component programs with features of two or all three of the malware types described.

How to protect your network?

Even a small computer network used by a company is a compound organism that requires much more knowledge and skill from the system administrator than a desktop does from its user.

The structure of a normal network includes such items as workstations (mobile or fixed), file and application servers (physical and logical), mail gateways and Web servers.

At the same time, you cannot establish a well thought-out anti-virus protection system by merely installing anti-virus software. Furthermore, this kind of approach can put you in a situation where the company's computing facilities are used incorrectly or ineffectively. As a result, the productivity of your computer network as a whole may decrease, and even the most effective anti-virus in the world may miss a virus, in which case the consequences will be unpredictable.

So, what must you do to correctly utilize anti-virus programs? You must use an integrated approach where the anti-virus protection of network segments operates as a collection of interconnected and complementary items. This standpoint implies control of data storage locations and communication channels, and distribution of the load over all the corporate network items. Let's discuss the details.

Workstations

Workstations constitute the most vulnerable points on a corporate network, since their users, as a rule, are less experienced in protection against viruses. Nowadays, when computers connected to the Internet are in practically every office workplace, the protection level of a corporate network automatically decreases many times over. 95% of all the malware infecting computers is delivered via the Internet.

In practice, long-term and detailed anti-virus educational programs do not produce much effect; users still open pictures "featuring" popular tennis players, actors and singers that have been delivered via email from unknown senders.

With this in mind, it is especially important to exclude the human factor from the corporate virus protection policy and to install the appropriate anti-virus software. This means installing software that:

• Checks in real time for viruses in objects (files or boot sectors) that are used, i.e. at the moment they are being modified, created or executed;

• Automatically notifies the user and the administrator if the user tries to execute an infected file;

• Informs the administrator what actions to take at the correct time;

• Checks for viruses on demand. This tool is required to perform a full-scale check for viruses on workstations' local disks with the deepest possible immersion on a daily basis. The deepest possible immersion in this case means applying the heuristic tool (searching for unknown viruses) and the redundant scan tool (detecting viruses that use unusual file-penetration technologies). Both tools consume a lot of computing resources. However, the scanning can be carried out at the end of a working day or at night, when the effect on resources is not so critical.

Mobile users

Do not forget about the mobile users; they frequently bring real malware zoos on their notebooks or personal digital assistants (PDAs). Their computers must be controlled using an even more serious approach: the disks must be fully checked every time the user connects his/her notebook to the network.

Very often users try to disable 'inconvenient' anti-virus programs or redefine their settings. At the same time they usually do not understand the possible consequences of this action. Therefore, our next advice to system administrators is to prohibit users from changing the anti-virus settings on their computers and from disabling their anti-virus programs.

The system administrator of a large network might panic and say: "How can I do this on my 5000 workstations?" Indeed! How can one simultaneously protect so many computers? Or must he/she run around all the working day checking anti-virus monitors on these 5000 workstations and starting anti-virus scanners on every computer separately?

The answer is simple: the most up-to-date anti-virus software packages already include technology allowing the required functions to be performed remotely and automatically. For example, Kaspersky Anti-Virus is supplied along with Kaspersky Network Control Center, which allows the administrator to forget about this headache once the package settings on workstations are predefined and the autopilot system is enabled. Network Control Center also allows for centralized deployment and full control over anti-virus software installed on other nodes of the network, such as file and application servers, email gateways and firewalls.

Another weak point of the corporate network is the email gateway supporting incoming and outgoing correspondence of the entire enterprise. According to Kaspersky Lab, in 2000 more than 80% of all registered cases of infection occurred because of viruses carried by e-mail messages.

Why is email so popular among malware-writers?

First of all, we should understand that email is the ideal transport for a computer virus and allows it to spread at incredible speed. Due to recent progress in communications, an electronic message may be delivered to the most distant place on Earth in minutes and, sometimes, in seconds. Compare this with diskettes: when distributed by that medium, a virus may take several months to arrive in the nearest city.

The extraordinary popularity of the Internet predetermined the rapid development of messaging technology, which resulted in the millions of people all over the world who currently use email services. Furthermore, today it's practically impossible to run a successful business or manage an enterprise or organization without using email tools.

The second thing that encourages the computer underground to take to email is that it can be easily used for malware development. There are a lot of manuals and books describing how to embed a subprogram designed to interact with messaging clients. Thus any student is able to develop a simple program capable of sending malware-armored messages by email.

And finally, we should not forget about the very important motive that drives people to develop harmful programs. Most of them simply want to declare themselves, to make others notice and remember them. And they are ready to do everything possible for their creations to cause as much damage as possible. It's hard to imagine anything more useful for this purpose than email.

Thereby, the anti-virus protection of enterprise-wide email systems is currently the most critical element of the information security policy of any organization. It is obvious that in the near future this element will be the determining factor of the effectiveness and robustness of any corporate computing infrastructure. However, this does not mean that once the appropriate anti-virus has been installed with default settings on the email gateway the administrator may forget about it.

The primary rule is to protect all the items of your network and install a multi-level system that filters all incoming and outgoing email messages. The most popular approach to the allocation of your anti-virus strongholds is the so-called "2+1" layout. According to this layout you must install an anti-virus module on the corporate mail server that pre-checks all incoming messages. As the server is usually heavily loaded with work, it's advisable to configure the anti-virus module to use the minimum resources of your system, i.e. you should make sure to disable such resource-hungry tools as the redundant scan, the heuristic checking and the unpacking and extracting tools.

The special anti-virus software installed on those of your workstations that use the email service establishes the second level of your anti-virus protection system. The best choice is anti-virus modules integrated with your local messaging clients. For these modules, we recommend you enable all available anti-virus tools. It will certainly have a minor slowing effect on the given computer but will not affect the performance of the network as a whole.

Of course, you may use anti-virus monitors instead of the client-integrated anti-virus modules, as they check for viruses in real-time mode in all the objects that are used. But client-based tools are still better, since they check for viruses in all incoming and outgoing messages at the moment they arrive or are dispatched, while monitors are able to detect malware only when the user executes it. Additionally, the client-based anti-virus module is able to disinfect an object, while monitors just inform the user about the virus.

On the third level of your anti-virus system you should use a classical anti-virus scanner capable of checking network and local hard disks. You should start it daily to check for viruses in the email databases stored on your server and workstations. For this purpose your anti-virus scanner should support various email database formats. Otherwise your scanner will treat your mail databases as ordinary files and will not check their contents for viruses, or the virus check will not be comprehensive.

File and application servers can also become a breeding ground for viruses, since these servers are shared by many network users. For example, an infected program that was copied to the server from a networked computer may be instantly transported to another computer. On servers as well as on workstations, it is advisable to install anti-virus monitors to check for viruses "on the fly" and to regularly perform a full-scale virus check using an anti-virus scanner. Just as with e-mail gateways, you must disable such "heavy" tools as the heuristic checker etc. at the server level and run them on workstations.

It is also advisable to install a special anti-virus plug-in module on your firewall; it will serve as an extra barrier on the virus path. This module will filter viruses out of the incoming and outgoing data streams.

And finally, you must not forget about the corporate Web server. It may become even more dangerous than your email gateways and workstations. A Web server is open to everybody; not only the company's employees can access it. You can imagine how destructive it would be for the company's reputation if the company Web server contained an infected file that could be downloaded by the public. There are a lot of examples in history when thousands of users downloaded infected programs and started them on their computers. This resulted in failures and losses of valuable data.


The sources of infection may be located inside or outside of the local network. The first problem (when the virus source is located within your local network) is solved by the implementation of the anti-virus system described above.

As to the second problem (when a virus is carried in by a hacker), we must note that nobody can guarantee 100% protection of network software against being hacked by a malefactor. The reason may be that breaches in security were not detected in time, or an interception or a simple random guess of the access password to the Web server. As a result, the hacker, for example, may substitute some useful program with his (her) "masterpiece" that will later be downloaded by your potential customers. To prevent this you may use special integrity checkers. These programs calculate and save unique identifiers (CRC sums) for every file on the Web server and subsequently check these files against the collected sums in real-time mode. If the data integrity is corrupted, the inspector immediately reports this to the system administrator and affords complete recovery of your server.
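As an added illustration of the integrity checkers described above (example code written for this edition, not from the paper or from Kaspersky Lab): a baseline of per-file digests is recorded for the Web server's document root and later compared against the live tree, reporting modified, added and missing files. It uses SHA-256 rather than the CRC sums the paper mentions, since a CRC catches accidental corruption but offers no resistance to deliberate tampering; the docroot layout and file contents are constructed for the demonstration.

```python
"""File integrity checker for a Web server docroot (added example).
Assumptions: paths and sample contents below are constructed; in real use
the baseline must be stored where the Web server process cannot write,
otherwise an intruder can simply re-baseline after substituting a file."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large downloads need little RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root, keyed by the
    POSIX-style path relative to root so the baseline is portable."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline.
    Returns {"modified": [...], "added": [...], "missing": [...]};
    an empty report means every published file still matches."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small docroot, then simulate the
    substitution the paper warns about (a published installer replaced),
    one file dropped into the tree and one file deleted, and return the
    verification report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "downloads").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "downloads" / "setup.exe").write_bytes(b"MZ\x90\x00 original installer")
        baseline = build_baseline(root)
        # Tampering after the baseline was taken.
        (root / "downloads" / "setup.exe").write_bytes(b"MZ\x90\x00 replaced binary")
        (root / "downloads" / "extra.exe").write_bytes(b"MZ\x90\x00 dropped file")
        (root / "index.html").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the same `verify` call would run on a schedule or from a file-change notification, with the report routed to the administrator and the baseline used to restore the original files.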

Of course this layout of the anti-virus system for your corporate network will not be effective if you fail to regularly update the anti-virus databases used by all anti-virus modules. As is well known, an anti-virus tool is able to detect and delete only the viruses described in its anti-virus databases. Contemporary algorithms searching for unknown viruses are not effective enough and suffer from false alarms. Thereby, the more often you update your anti-virus databases, the more effectively your system will protect you against the most up-to-date viruses. The ideal choice is a real-time update service where a user can download the anti-virus update right after it is developed and tested by the experts.

In the field of information security, just like in any other field, we can ideally apply the famous Murphy's law: if anything can go wrong, it will. Some people may hope that disaster will avoid them and forget to patch up a security breach or to update the anti-virus software they use. But in this case, you can be sure that the consequences of such negligence will not keep them waiting, and very soon the system administrator will discover that his (her) local network is swarming with hackers and viruses. Though it may sound shocking, only extreme pedantry and a modicum of paranoia can provide success in protecting computer networks. Even these valuable human characteristics cannot guarantee reliable protection unless all the employees understand their place and role in the struggle against external invasions and the company implements a strict and well thought-out anti-virus security policy. I hope that we have helped our respected readers to understand the basics of this policy. I wish you success in virus defence!
