Antivirus Software

Antivirus software companies are full of solutions to almost every existing virus problem, and sometimes solutions to nonexisting problems as well. The most popular solution is to regularly scan your system looking for known signatures. This, of course, leads to one of the first caveats for antivirus software: it can only look for viruses that are known and have a scannable signature. The result is a "fail-open" model: a virus that is not known to the antivirus software is allowed to pass undetected. Therefore, one cardinal truth needs to be recognized: always update your antivirus software as frequently as possible!

With such wonderful advances as the Internet and the World Wide Web, antivirus software vendors have been known to make updated signatures available in a matter of hours; however, that does you no good unless you actually retrieve and use them!

This, of course, is simply said, but complex in practice. Imagine a large corporate environment, where users cannot be expected to update (let alone run) antivirus software on their own accord. One solution is for network administrators to download daily updates, place them on a central file server, use network login scripts to retrieve the updated signatures from the central server, and then run a virus scan on the user's system.

To give antivirus vendors some credit, all hope is not lost when it comes to the shortcomings of signature-based scanning. Any decent antivirus product uses a method known as heuristics, which allows the scanner to search for code that looks like it could be malicious. This means it is quite feasible for antivirus software to detect unknown viruses. Of course, should the administrator detect one, they should send it to one of the many vendor antivirus research facilities for proper review and signature construction.

Other techniques for detecting viruses include file and program integrity checking, which can effectively deal with many different types of viruses, including polymorphic ones. The approach here is simple: rather than try to find the virus, just watch in hopes of "catching it in the act." This requires the antivirus software to constantly check everything the system runs, which is a cost in system resources but a benefit to security.
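The two detection models above can be contrasted in a few lines of code. The following is an added example, not code from the study guide: a toy signature scanner (with a single constructed placeholder signature) that fails open on an unknown modification, beside a file-integrity baseline that catches the same modification by comparing SHA-256 hashes against the trusted state. All file names and byte contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample signature database: a real one holds many thousands of
# patterns; this single placeholder stands in for "a known virus".
SIGNATURES = {
    "Sample.Known.A": bytes.fromhex("4d5a9000deadbeef"),
}


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """Names of known signatures present in data; an empty list means 'clean',
    which is exactly the fail-open weakness: unknown code is never flagged."""
    return [name for name, pattern in signatures.items() if pattern in data]


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path, suffixes=(".exe", ".dll")) -> dict:
    """Record a hash for every program file under root (the trusted state)."""
    return {p.name: sha256(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current state against the baseline and report deviations."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: a file carrying the known pattern is caught by the
    scanner; an unknown change to lib.dll slips past the scanner but not the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "lib.dll").write_bytes(b"MZ" + b"\x01" * 64)
        baseline = build_baseline(root)
        (root / "lib.dll").write_bytes(b"MZ" + b"\x01" * 64 + b"UNKNOWN-CHANGE")
        known_hit = signature_scan(b"junk" + SIGNATURES["Sample.Known.A"] + b"junk")
        unknown_scan = signature_scan((root / "lib.dll").read_bytes())
        report = check_integrity(root, baseline)
    return {"known_hit": known_hit, "unknown_scan": unknown_scan, "integrity": report}
```

Run `demo()` to see the scanner return an empty (clean) verdict for the altered file while the integrity report lists it under "modified".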

Test Day Tip

Basic steps in protecting against viruses:

  • Make sure users have and actively use current antivirus software.

  • Make sure they know what viruses are, and who to contact if they find one.

  • Make sure the people they contact remove the reported infection and research the implications of the infection promptly.

  • Make sure that your network administrators educate the users and keep all signature databases and OS patches up to date.

Web Browser Security

Unfortunately, when it comes to the Web, the distinct line between what is pure data and what is executable content has significantly blurred. So much, in fact, that the entire concept has become one big security nightmare. Security holes in Web browsers are found with such high frequency that it is really foolish to surf the Web without disabling Active Scripting, JavaScript, ActiveX, Java, and so on. However, with an increasing number of sites requiring JavaScript (such as Expedia.com), administrators are faced with a difficult decision: surf only to sites they trust and hope those sites do not exploit them, or be safe yet left out of what the Web has to offer.

If they choose to be safe, both Netscape and Internet Explorer include options to disable all the active content that could otherwise allow a Web site to cause problems. In Internet Explorer, Active Scripting needs to be disabled in the Internet zone, which is available via Tools | Internet Options | Security. For Netscape Navigator, uncheck Enable JavaScript under the Advanced preferences option.

Antivirus Research

Surprisingly, there is a large amount of cooperation and research shared among various vendors in the antivirus industry. While you would think that they would be in direct competition with each other, they have instead realized that the protection of end users is the ultimate goal, and that goal is more important than revenue. At least, that is the story they are sticking with.

Independently of vendors, the ICSA sponsors an Antivirus Product Developers consortium, which has created standards for antivirus products and tests new versions of antivirus scanners; it issues an "ICSA Approved" seal for those antivirus products that pass its tests.

The Rapid Exchange of Virus Samples (REVS) group, which is organized by the WildList Organization, serves to provide and share new viruses and signatures among its various members. Some of the bigger member names include Panda, Sophos, TrendMicro, and Computer Associates. The WildList Organization also tracks current viruses that are being found "in the wild," and compiles a monthly report. They can be found at www.wildlist.org.

Of course, on the nonprofessional side, there are the free discussions available on Usenet under alt.comp.virus. The alt.comp.virus FAQ is actually a worthy read for anyone interested in virus research. However, for those who really want to get down and dirty, I recommend checking out alt.comp.virus.source.code.

SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135