14.2 Virus and Worm Scanning

How much virus and worm scanning is enough? After all, a good security administrator is running virus scans on the mail server to catch any incoming, or outgoing, worms. Virus scanners are being run on all of the file servers, the web server, and possibly even on the firewall. Is virus scanning on the workstations necessary?

Of course it is. As has been repeatedly stated, security works best when applied in a layered approach. The more areas in which security checks are performed, the more secure the network.

Virus scanning has become a fundamental part of the security process. There are too many viruses [3] and worms on the Internet today not to perform virus scans at multiple layers, and not to have multiple levels of protection. Even if mail and files are protected at the server level, without workstation virus protection, there is nothing to prevent a user from introducing a virus through a floppy, CD-ROM, or website download.

[3] Some people are unsure whether the plural of virus is viruses or virii. According to the alt.comp.virus FAQ, both are acceptable.

Some security experts recommend running products from different vendors at different layers of the network. For example, a company can run Sophos MailMonitor to protect e-mail on the mail server, and McAfee VirusScan to protect workstations. This does improve the level of protection slightly: One program may catch a virus that is missed by the other. On the other hand, it also means monitoring at least two sets of virus updates, and storing at least two sets of signatures. The decision whether or not to use two or more software vendors for virus protection is dependent largely on how problematic viruses and worms have traditionally been in a given network.

If proper precautions have been taken and security patches are applied regularly to all workstations, a single vendor solution may be enough. If, on the other hand, viruses and worms have been a problem in the past, and they still occasionally slip through the virus protection that is in place, a multivendor solution may be in order.

As with software updates, new virus definitions should be downloaded to a local server from the vendor's website. The workstations should then be configured to download the new definitions from that server. New virus definitions should be downloaded at least weekly. (Daily is probably too frequent, unless there is a sudden surge in virus activity around the Internet. Biweekly is too infrequent, as many worms can spread across most of the Internet in a shorter span of time.) Of course, if the virus vendor has a mailing list that informs users of new viruses that pose a serious threat, server administrators should subscribe to the list and make adjustments to the download policy as needed.
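The download policy above (weekly by default, tightened to daily during a surge, and never as slow as biweekly) only works if someone checks that every workstation actually pulled the new definitions from the local server. The following audit script is an added example and is not from the book or from any vendor's product; it assumes the local definition server keeps a record of when each workstation last fetched signatures (the inventory here is constructed sample data), and it flags hosts whose definitions are older than the policy allows.

```python
"""Audit workstation virus-definition freshness against the download policy.

Added example (not the book's code). Assumes the local definition server
logs the last time each workstation downloaded signatures; the inventory
below is constructed sample data in that shape.
"""
from datetime import datetime, timedelta

# Policy intervals, taken from the text's guidance: at least weekly,
# daily only while a surge in virus activity is declared, and a
# biweekly gap is never acceptable.
NORMAL_MAX_AGE = timedelta(days=7)
SURGE_MAX_AGE = timedelta(days=1)
HARD_LIMIT = timedelta(days=14)

# Constructed sample inventory: hostname -> last definition download (local time).
SAMPLE_INVENTORY = {
    "ws-acct-01": "2002-06-10 03:15",
    "ws-acct-02": "2002-06-03 03:15",
    "ws-eng-07": "2002-05-20 03:15",
    "ws-recep-01": "2002-06-11 03:15",
}

TIME_FORMAT = "%Y-%m-%d %H:%M"


def parse_inventory(raw):
    """Convert the server's textual timestamps into datetime objects."""
    return {host: datetime.strptime(ts, TIME_FORMAT) for host, ts in raw.items()}


def max_age(surge):
    """Maximum tolerated definition age under the current threat level."""
    return SURGE_MAX_AGE if surge else NORMAL_MAX_AGE


def audit(inventory, now, surge=False):
    """Return {host: status}; status is 'ok', 'stale' or 'critical'.

    'stale' means the host missed the current policy window; 'critical'
    means it has gone past the biweekly hard limit and should be treated
    as unprotected until it is updated.
    """
    limit = max_age(surge)
    statuses = {}
    for host, last_download in inventory.items():
        age = now - last_download
        if age > HARD_LIMIT:
            statuses[host] = "critical"
        elif age > limit:
            statuses[host] = "stale"
        else:
            statuses[host] = "ok"
    return statuses


def hosts_needing_update(inventory, now, surge=False):
    """Sorted list of hosts that must fetch new definitions now."""
    return sorted(h for h, s in audit(inventory, now, surge).items() if s != "ok")


def status_sample(now_str="2002-06-11 12:00", surge=False):
    """Run the audit over the constructed inventory at the given time."""
    return audit(parse_inventory(SAMPLE_INVENTORY), datetime.strptime(now_str, TIME_FORMAT), surge)


def needing_update_sample(now_str="2002-06-11 12:00", surge=False):
    """Hosts from the constructed inventory that are out of policy."""
    return hosts_needing_update(parse_inventory(SAMPLE_INVENTORY),
                                datetime.strptime(now_str, TIME_FORMAT), surge)


if __name__ == "__main__":
    for surge_mode in (False, True):
        print(f"surge={surge_mode}:")
        for host, status in sorted(status_sample(surge=surge_mode).items()):
            print(f"  {host:12s} {status}")
```

Running the script with the sample data shows the effect of declaring a surge: a workstation that last updated a day and a half ago is fine under the weekly policy but becomes stale once the daily window applies, while the host that has gone three weeks without definitions is critical either way and should be disconnected or updated by hand before it is trusted again.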

To further assist in virus and worm protection, programs that are particularly susceptible to viruses and worms (e-mail programs being a prime example) should run in the most secure or restrictive mode. This type of restriction may cause users to complain; however, as long as programmers are going to make worms that take advantage of weaknesses in common programs, it is a necessary step in the process of securing a network.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
