Lesson 2: Protecting Against Computer Viruses


In this lesson, you will learn about viruses, worms, and Trojan horses, investigate what they do, and look at methods of protecting against them. Although worms and Trojan horses are not viruses, technical literature often categorizes all three types of threat as virus attacks, and this lesson takes the same approach.

A key to combating viruses is to understand the processes by which they spread in an Exchange organization. You can then take sensible precautions.

start sidebar
Real World: Taking Precautions

The key phrase here is "sensible precautions." There is no such thing as perfect security, and security always needs to be balanced against usability. You must always be aware of fresh threats, and your organization should present as small a target as possible to an attacker. It must also be a moving target; what is secure today is not secure tomorrow. Security is not just a case of purchasing a good firewall and reputable antivirus software and then forgetting about it.

end sidebar

start example

After this lesson, you will be able to

  • Explain what computer viruses are

  • Distinguish between viruses, worms, and Trojan horses

  • Describe how viruses are spread

  • Prepare an antivirus strategy

  • Choose antivirus software

  • Explain what virus-clean policies and procedures are and create such policies and procedures

  • Explain why security updates are necessary and locate and download such updates

Estimated lesson time: 45 minutes

end example

Viruses, Worms, and Trojan Horses

A computer virus is executable code that attaches itself to a file or program, which becomes its host. When the infected host is run, the virus replicates by writing copies of itself into other files, and those infected files carry it from one computer to another when they are shared over the network or sent by e-mail. A virus therefore requires a host program to work: it cannot replicate or infect other computers until an infected program is run.

Viruses often deliver a payload. This is an action that a virus carries out in addition to replication. While some viruses simply replicate, tying up resources but causing very little damage otherwise, the more unpleasant strains can drop payloads that can corrupt software or data. Even if a virus does not deliver a payload, replication can cause problems by consuming storage space, memory, and bandwidth, and degrading the performance of the infected computer and the network to which the computer is attached.

A worm is a program that, like a virus, replicates itself. Unlike a virus, however, a worm is self-contained: it does not need a host program, and it does not need a user to run anything. It propagates over the network on its own, for example by mailing copies of itself to every address it can harvest from a victim's address book, or by connecting directly to other computers and exploiting an unpatched weakness in a network service.

A Trojan horse is a program that pretends to be one thing (usually something benign, such as a computer game or a utility) but does damage when it is run. A Trojan horse cannot replicate itself. It relies on users to copy and run it, typically by forwarding it to one another by e-mail or by downloading it from a Web site.

Virus Transmission

Viruses are typically transmitted in e-mail attachments or in programs downloaded from the Internet. A user activates the virus by opening the attachment, by opening a message whose HTML body contains embedded script, or by starting the downloaded program. The virus then loads itself into a legitimate program's memory space and searches for other programs. If it finds a suitable program, it modifies that program by adding its own code, so the next time that program is run it infects further programs and the virus spreads. A virus that infects a messaging system spreads quickly, because the e-mail client can send messages to other clients and exposes the address book, which gives the virus a ready list of new targets.

A virus can infect any file it is able to write to, including application files and operating system files. Therefore, you should always install and configure new computers while they are disconnected from any external network. Before you reconnect, apply the current service packs and security updates, install antivirus software with the latest signature files, and run a full manual scan of the computer.

Preparing an Antivirus Strategy

You need to prepare an antivirus strategy to protect your messaging system. This strategy should include educating users about viruses, installing antivirus software in the appropriate locations, and ensuring that the antivirus software is current.

You educate users by making them aware of current virus threats and of the importance of keeping their computer systems up to date with the latest signature files and security updates. If users are aware of viruses, they may be able to help stop the spread of a virus that is attacking the system. For example, users should know not to open attachments that they receive from any application (including e-mail clients and instant messaging applications) unless they know the sender and they are expecting the attachment. Both conditions matter: the sender address on an e-mail message is easily forged, and many mass-mailing viruses send themselves from the infected user's own address book, so a familiar sender is by itself no reason to trust an unexpected attachment.

Important

Many users believe it is sufficient to install antivirus software and to regularly update virus signatures. It is not. Users also need to download and install operating system updates that include security patches to fix known holes, or security weaknesses; antivirus software detects known malicious code, but a patch removes the weakness that the next, as yet unknown, worm will exploit. You need to make users aware of this, and whenever possible, encourage them to take advantage of the auto-patching functionality made available by Microsoft, such as Windows Update.

You can use a variety of methods to alert users to an e-mail virus threat, including e-mail messages explaining which attachments not to open and information about current virus threats, known viruses, and how to combat them.

start sidebar
Blocking Downloads

Your advice on this topic needs to be reasonable and sensible. You cannot advocate blocking the download of all attachments if, for example, you work for a publishing company that frequently receives work from authors by this method. You should instead inform users (and management) about known exploitable file types, such as .bat, .com, .scr, .vbs, and embedded Hypertext Markup Language (HTML) scripts, and block those types at the gateway rather than blocking everything. Some organizations prohibit the download of any executable code from the Internet. Such a blanket prohibition does not make them immune, and if it is applied without exceptions it also stops the downloads they most need: up-to-date virus signature files and security updates.

end sidebar

Installing Antivirus Software

Your antivirus strategy should include plans for installing antivirus software. This can be installed on client computers, servers, and firewalls.

Client-Side Antivirus Software Viruses are activated when users open infected attachments. Therefore, you should install client-side antivirus software on all the clients that connect to your network, including remote clients. Client-side antivirus software installs file system filters that check files for the signatures of known viruses as those files are written to or read from disk. Some antivirus software also searches e-mail attachments for virus code on the e-mail client. If a virus is detected, the software deletes the attachment or quarantines it (copies it to a protected location on the local hard disk) and attempts to disinfect the file.

Note

This system is not perfect. Sometimes useful and required attachments are detected as viruses. If you send zipped files as self-extracting executable (.exe) packages, some filters may block them.
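The two checks described above, blocking by exploitable file type (the "Blocking Downloads" sidebar) and scanning attachment bytes for known signatures (client-side software), as an added example in Python; this is not code from the lesson or from any antivirus product. The block list, the "demo-payload" signature, and the sample message are assumptions constructed for this example; the EICAR string is the industry-standard antivirus test file. The extension check takes the extension Windows would actually use, so "report.txt.vbs" is treated as .vbs and "setup.exe " as .exe.

```python
"""Inbound attachment policy filter (added example; not code from the lesson)."""
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage

# Assumed gateway policy: the types named in the lesson plus other directly
# executable types. Tune it to your organization; a publisher may need .exe.
BLOCKED_EXTENSIONS = {".bat", ".com", ".scr", ".vbs", ".exe", ".pif", ".cmd", ".js", ".wsf"}

# Signature table: name -> byte sequence the scanner looks for.
SIGNATURES = {
    # Real: the EICAR test string, which every scanner is expected to detect.
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    # Constructed for this example only; not a real malware signature.
    "demo-payload": b"MZ\x90\x00DEMO-PAYLOAD",
}

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)


def normalize_extension(filename):
    """Return the extension Windows will act on, lowercased (e.g. ".vbs").

    Trailing dots and spaces are dropped because Windows ignores them when it
    opens a file, and only the last extension counts, which defeats the
    double-extension trick ("invoice.txt.vbs")."""
    name = filename.strip().rstrip(". ").lower()
    _base, dot, ext = name.rpartition(".")
    return "." + ext if dot else ""


def scan_bytes(data):
    """Names of every known signature present in data (plain substring search)."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def inspect_message(raw):
    """Inspect one raw RFC 822 message; return a list of (part, reason) findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            ext = normalize_extension(filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append((filename, "blocked file type " + ext))
            for sig_name in scan_bytes(payload):
                digest = hashlib.sha256(payload).hexdigest()
                findings.append((filename, "signature match " + sig_name + " sha256=" + digest))
        elif part.get_content_type() == "text/html" and SCRIPT_TAG.search(payload):
            findings.append(("text/html body", "embedded script in HTML body"))
    return findings


def build_sample_message():
    """Constructed test message: one harmless attachment and two that must be caught."""
    msg = EmailMessage()
    msg["From"] = "author@example.net"
    msg["To"] = "editor@example.com"
    msg["Subject"] = "Chapter draft"
    msg.set_content("Draft attached.")
    msg.add_alternative("<html><body><script>alert(1)</script>Draft attached.</body></html>",
                        subtype="html")
    msg.add_attachment(b"ordinary document bytes", maintype="application",
                       subtype="octet-stream", filename="chapter11.doc")
    msg.add_attachment(b'MsgBox "hi"', maintype="application",
                       subtype="octet-stream", filename="chapter11.txt.vbs")
    msg.add_attachment(SIGNATURES["EICAR-Test-File"], maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    for part, reason in inspect_message(build_sample_message()):
        print(f"{part}: {reason}")
```

Running the block reports the .vbs and .com attachments by type, the EICAR file by signature, and the HTML body for its script tag, while chapter11.doc passes. The substring search is deliberately simple: a signature of L bytes matches a random byte run at any given position with probability 256^-L, so on a store of many gigabytes short signatures produce chance hits, which is why real scanners use long signatures and context rather than a bare byte match.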

Server-Side Antivirus Software Server-side antivirus software scans mailbox and public folder stores, and some server-side antivirus software can also scan messages as they pass through the SMTP transport and eliminate any virus it finds before the message is delivered to a mailbox.

Antivirus software that you install on an Exchange Server 2003 server must be developed specifically for Exchange. Exchange keeps its data in a large database, and the software must scan the messages inside it through the Exchange Virus Scanning API (VSAPI) rather than by opening the database files directly. A general-purpose file scanner that locks, cleans, or quarantines the database files can corrupt the store, and it will also raise false alarms whenever the signature of a known virus happens to match a random string of bytes somewhere in the database.

You should install server-side antivirus software on every Exchange server in your organization. This helps to prevent viruses from spreading to users who are not using client-side antivirus software.

Firewall Antivirus Software A firewall protects your network from unauthorized access and can also provide virus protection. Antivirus software on a firewall scans files as they enter the firewall and filters out viruses before they reach your network. It also destroys any viruses leaving your network, which is an important consideration: security systems need to protect against the malicious or careless insider as much as against external attack.

Typically, firewall antivirus software enables you to specify how viruses are processed. You can configure firewall antivirus software to remove an attachment, to send e-mail to an administrator, or to hold the suspect message in a queue for later review.

Keeping Your Protection Current

New computer viruses, or new strains of old viruses, constantly appear. You need to ensure that your antivirus software is up to date and that you have downloaded signature files for the latest viruses. You must configure every component in your organization in which virus protection is implemented to receive updates automatically. Automatic updates do not require administrator or user intervention and are particularly important on client computers because users often do not regularly update their software or definitions.

Caution

Virus protection updates can introduce new code. If you configure systems for automatic updates, then you do not have a chance to test the code in your environment and therefore cannot tell in advance if the new code causes problems with your software. This is not a reason for failing to implement automatic updates, but it is something you should be aware of.

Choosing Antivirus Software

Microsoft does not currently distribute an antivirus package, and you need to choose software from a third-party vendor. You need to take a number of factors into account when you choose antivirus software, including the following:

  • Does the software integrate with Exchange Server 2003 and with other services in your environment?

  • Does the software significantly degrade Exchange Server performance?

  • Does the vendor support the software for use with Exchange Server?

  • Does the software guard against viruses, worms, Trojan horses, and other malicious code?

  • Does the software support automated deployment of client-based software?

  • Do mechanisms exist for monitoring clients from a single, central location?

  • Does the software provide the same level of security for remote systems as it does for locally connected computers?

  • Does the software scan both inbound and outbound e-mail?

  • Does the software support automated updates?

  • How often does the vendor release product updates—especially in the event of a virus attack—and does the vendor guarantee that the product will be updated to detect new viruses as required?

  • Does the software provide virus scanning at the Exchange Server client, the Exchange Server IS, Exchange Server transport, and firewall level?

  • Is the product certified by ICSA Labs (International Computer Security Association, part of TruSecure) or Checkmark certified?

    Tip

    To obtain more information about security software vendor specifications, access http://trusecure.com, http://www.icsa.com, and http://www.check-mark.com.

Virus-Clean Policies and Procedures

Virus attacks can still occur, even after you have prepared an antivirus policy and installed antivirus software. Your security strategy should therefore include virus-clean policies and procedures that help you contain an attack, remove the virus, and recover. You need to plan what to do when a virus does attack your system, not after it has.

These policies and procedures should be in position before a virus attack occurs. They should help you to:

  • Understand the extent and source of an attack

  • Protect sensitive data

  • Protect systems and networks

  • Recover infected systems

  • Enable your organization to continue operating

  • Collect information about the attack

  • Prevent further damage

  • Support legal investigations

start sidebar
Real World: Virus-Clean Policies

The list of policies and procedures in the main text gives a number of good reasons for implementing virus-clean policies. In the real world, their major advantage is that you have a policy in place that you can follow in a difficult situation. The stress, and sometimes panic, that occurs when your organization is under serious attack is not conducive to cool and coherent strategy planning.

end sidebar

If a virus attack occurs that could cause extensive damage, your planned procedures should enable you to isolate the affected systems by taking them offline. If your antivirus software does not then completely remove the virus from an affected system, you must restore the system to its original state from backup data that has not been compromised. You may also need to reinstall the operating system and all of the applications from known-good installation media.

Tip

If a virus-infected e-mail message has spread to user mailboxes, you may be able to remove the infected messages from the mailboxes by using the Exmerge.exe tool, which can delete messages that match a given subject or attachment name. Exmerge.exe usually exists in the C:\Program Files\Exchsrvr\bin subdirectory. If not, it can be downloaded from http://www.microsoft.com/exchange/2003/updates. For more information on this utility, search the http://support.microsoft.com site for article Q265441.

After you restore a system, use historical baselines to confirm that it is functioning normally: compare current figures for items such as message delivery rates with those recorded for your system before the outbreak. You must also monitor your system for repeat virus outbreaks, because a single client that was missed, or an old infected message opened later, can start the whole cycle again.
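The baseline comparison and the watch for repeat outbreaks, as an added example in Python; this is not code from the lesson or from Exchange. It runs over constructed message-tracking records, counts messages per minute and raises an alarm when the rate exceeds the baseline mean by an assumed number of standard deviations, and separately flags any sender that sends the same attachment to many distinct recipients within a short window, which is the mass-mailing pattern of an e-mail worm. The record layout, the baseline numbers, and the thresholds are assumptions for this example, not the real Exchange tracking-log format.

```python
"""Outbreak check against a historical baseline (added example; not code from the lesson)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed historical baseline: messages per minute during a normal business hour.
BASELINE_PER_MINUTE = [38, 41, 35, 44, 39, 40, 37, 42, 36, 43]

# Assumed thresholds; tune them against your own baseline.
SIGMA_MULTIPLIER = 3           # rate alarm above mean + 3 standard deviations
FANOUT_RECIPIENTS = 20         # same attachment to this many distinct recipients...
FANOUT_WINDOW_SECONDS = 300    # ...within this many seconds


def constructed_records():
    """Records are (timestamp, sender, recipient, attachment_id); "" means no attachment.

    Five minutes of ordinary traffic (40 messages/minute, a few routine
    attachments), then a minute in which one user fans a single attachment
    out to 30 external addresses on top of the normal load."""
    t0 = datetime(2003, 9, 15, 9, 0, 0)
    records = []
    for minute in range(6):
        for i in range(40):
            ts = t0 + timedelta(minutes=minute, seconds=i)
            attachment = f"doc{i % 4}" if minute < 5 and i % 5 == 0 else ""
            records.append((ts, f"user{i % 25}@example.com",
                            f"user{(i * 7) % 25}@example.com", attachment))
    for i in range(30):
        ts = t0 + timedelta(minutes=5, seconds=i)
        records.append((ts, "user3@example.com", f"contact{i}@example.net", "7c4a8d09"))
    return records


def rate_per_minute(records):
    """Messages per minute, ordered by time."""
    counts = Counter(ts.replace(second=0, microsecond=0) for ts, _, _, _ in records)
    return dict(sorted(counts.items()))


def rate_alarms(records, baseline=BASELINE_PER_MINUTE, k=SIGMA_MULTIPLIER):
    """Minutes whose message count exceeds mean + k*stdev of the baseline."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return [(minute, n) for minute, n in rate_per_minute(records).items() if n > threshold]


def fanout_alarms(records, min_recipients=FANOUT_RECIPIENTS, window=FANOUT_WINDOW_SECONDS):
    """(sender, attachment, recipients) for every sender/attachment pair that reaches
    min_recipients distinct recipients inside some window of `window` seconds."""
    by_key = defaultdict(list)
    for ts, sender, recipient, attachment in records:
        if attachment:
            by_key[(sender, attachment)].append((ts, recipient))
    alarms = []
    for (sender, attachment), events in by_key.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window` seconds
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= min_recipients:
            alarms.append((sender, attachment, best))
    return alarms


if __name__ == "__main__":
    recs = constructed_records()
    for minute, n in rate_alarms(recs):
        print(f"rate alarm at {minute:%H:%M}: {n} messages/minute")
    for sender, attachment, n in fanout_alarms(recs):
        print(f"fan-out alarm: {sender} sent attachment {attachment} to {n} recipients")
```

With the constructed baseline the alarm threshold works out to about 48 messages per minute, so the five normal minutes at 40 pass and the sixth minute at 70 trips the rate alarm; the fan-out check names the sending mailbox and attachment, which is what you need for the ExMerge clean-up described in the tip above. The rate check alone would miss a slow-spreading worm, and the fan-out check alone would miss a worm that randomizes attachment names, which is why both are run.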

start sidebar
Spam Masquerading as an Administrator Alert

A recent method of attack that bypasses most firewalls and filters that block unsolicited advertisements (otherwise known as spam) makes use of the Messenger service on User Datagram Protocol (UDP) port 135. This service is used by administrators to send pop-up messages to users and should not be confused with Microsoft's Windows Messenger or MSN Messenger chat clients installed on Microsoft Windows 2000, Windows NT, and Windows XP computers. To date, some companies have used this advertising method, known as NetBIOS spam, to market firewall and virus protection software. Neither the companies nor their products appear on any recommended lists issued by reputable software suppliers such as Microsoft. However, a method that sends spam today could be used to send worms tomorrow. Unless the Messenger service is required (and it seldom is on client computers that access the Internet), it should be disabled, and UDP port 135 should be blocked at the firewall.

end sidebar

Security Updates

Security updates are product updates that eliminate known security vulnerabilities. When a security update becomes available, you should immediately evaluate your system to determine if the update is relevant to your current situation. Suppliers release security updates for client software such as Web browsers, for client operating systems, and for server software and operating systems such as Windows Server 2003 and Exchange Server 2003. If the Windows operating system is vulnerable, then Exchange is also vulnerable.

You can download security updates from software companies' Web sites. You can find Exchange updates at http://www.microsoft.com/exchange/downloads and http://support.microsoft.com. Depending on the configuration of your operating system, you may automatically be prompted to download Windows updates. You can access the Windows update site by clicking Start and then Windows Update.

You can also access bulletins and utilities to keep you informed about the latest security issues and fixes. Table 11-2 gives details of the available bulletin services.

Table 11-2: Bulletin Services

  Service                                   Location
  Microsoft Security Notification Service   http://www.microsoft.com/technet/security/bulletin/notify.asp
  Microsoft Security Web site               http://www.microsoft.com/security
  Microsoft Windows Update                  http://v4.windowsupdate.microsoft.com/en/default.asp

Table 11-3 lists the utilities that can assist in keeping your system secure.

Table 11-3: Security Utilities

  Utility                                       Function                                                         Download location
  Microsoft Baseline Security Analyzer (MBSA)   Checks for missing patches, blank or weak passwords, and         http://www.microsoft.com/technet
                                                vulnerabilities on servers running Windows 2000 or later,
                                                Microsoft Internet Information Services (IIS), Microsoft SQL
                                                Server, and Microsoft Internet Explorer 5.01 or later.
  Microsoft Software Update Services (SUS)      Helps keep Windows-based computers and servers up to date        http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
                                                with the latest critical updates.
  Microsoft Systems Management Server (SMS)     Automates the distribution and installation of the               http://www.microsoft.com/catalog
                                                recommended security fixes for large companies with multiple
                                                locations.

Virus Signatures

You need to keep your software and operating system up to date. If you install third-party virus detection software, this must also be kept up to date. However, the task that needs to be done most often is to download virus signatures (or definitions) for the new threats that appear regularly on the Internet. Virus signatures identify viruses, worms, and Trojan horses, and allow virus detection software to detect and eliminate them.

Your virus protection is only as good as your signature list, and this too must be kept up to date. Virus signatures should be downloaded regularly. If a new and serious attack occurs, the virus signature needs to be downloaded as soon as it is available. When you purchase antivirus software, you may also need to purchase a subscription to a professional virus signature update service. Check with your vendor to determine their policies and procedures.

Caution

A virus attack can re-occur some time after you believe the virus was eradicated. A user returning from a vacation or leave of absence can open the attachment to an old e-mail message and re-introduce the problem.

Practice: Downloading Antivirus Software

You can usually download evaluation antivirus software from the Internet before you decide on a purchase. You first need to check that the software supports Exchange. Microsoft publishes a list of approved antivirus software suppliers, as this practice illustrates.

Exercise 1: Download Antivirus Software

To download antivirus software, perform the following steps:

  1. Access http://www.microsoft.com/exchange/partners/antivirus.asp.

  2. Read the disclaimer. Microsoft makes no warranties or representations with regard to these products or services.

  3. Select a supplier (for example, Symantec) and click the hyperlink.

  4. Access the fact sheet and any other resource that assists you in evaluating the product's suitability.

  5. Access the evaluation software (typically called Trialware).

  6. Follow the prompts and complete the necessary forms. Download the evaluation software installation package to a shared folder on a server and install it on all computers on your trial network.

  7. Obtain details of cost and service contracts. Check out the frequency of virus definition downloads. Apply the criteria listed under "Choosing Antivirus Software" in this lesson.

  8. Repeat the process for other listed suppliers.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

  1. What is the difference between a virus and a worm?

  2. How does a Trojan horse spread?

  3. Which Microsoft utility checks for missing patches, blank or weak passwords, and operating system vulnerabilities?

    1. SMS

    2. SUS

    3. MBSA

    4. Security Notification Service

Lesson Summary

  • Viruses, worms, and Trojan horses can attack your e-mail system through the Internet.

  • You need to keep your operating systems, applications, antivirus software, and virus signature files up to date.

  • Antivirus software can run on a client, a server, and a firewall.

  • Virus-clean policies need to be in place before a virus attack occurs.




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
Year: 2003
Pages: 221
