So we now have everything working just as it should, and you know that there are plenty of people in your organization or school who are counting on you to keep things working. But rest assured, there are even more people out there who want nothing more than to make sure your network does not work. And why, you might ask? To understand the answer to this question is to understand the tremendous thought process that goes into keying an automobile or heaving a brick through a window. We are talking about computer viruses, of course, and they are a harsh reality in today's computing environment. Consider these figures, published by the highly respected CERT organization (http://www.cert.org):
In 1988-89, the number of incidents reported to CERT totalled 138.
By the year 2000, 21,756 incidents were reported.
Through the first two quarters of 2003, the number had grown to 76,404.
It's easy to tell from the CERT figures alone that, for computer users, the honeymoon is definitely over.
Knowing now that there are so many of them, what exactly does a computer virus do? There are about as many viral functions, or payloads, as there are viruses. Some of these little nasties do relatively harmless things, such as changing your desktop wallpaper. Others are more insidious, causing your computer to join hundreds or thousands of other infected systems in massive distributed denial-of-service attacks that attempt to bring down entire websites.
Unfortunately, the number one target of virus writers is the Microsoft Windows family of operating systems, and this includes Windows Server 2003. Some argue the reason for this is the huge number of people using Windows, which makes it the juiciest target for virus writers who want their creations spread to as many systems around the world as quickly as possible. Others argue that, although this may be true, security vulnerabilities in Windows also make it an attractive target. Whatever the reason, a virus can do enormous damage to a single PC, let alone to your domain controllers. The best line of defense is to use antivirus software.
Typically, antivirus software is a program or group of programs that runs in the background on a client or server computer. It watches activity on the computer, monitoring files as they are written to or read from disk and code as it is loaded into main memory. It contains a catalog of known viruses, and when it spots a file or activity that matches an entry in its catalog, the antivirus software can take action to prevent infection. This action may take the form of repairing the infected file, placing the file in quarantine (an isolated area on disk where it cannot be executed and so can do no harm to the system), or deleting the file. Most antivirus products also include some form of heuristic scanning that looks for "virus-like" behavior, so that a virus not yet in the program's catalog of known infections still stands a chance of being caught. Heuristics also flag legitimate software by mistake from time to time, so they are a backstop, not a substitute for a current catalog.
So if a system has antivirus software installed, is it automatically safe? Absolutely not! The halls of the "I should have done that..." museum of regret are lined with people who had antivirus software installed on their systems and yet suffered much angst when those systems became infested. No matter how "smart" an antivirus vendor claims its software to be, the best way to keep your systems safe is to keep the antivirus catalog (also called the antivirus definitions) up to date. Your chances of halting an infection before it starts are greatly improved if your antivirus software knows what to look for.
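As an added example (this is not code from the book or from any antivirus vendor), here is a small Python scanner that models the mechanism just described: a catalog of known signatures, a heuristic pass for anything the catalog does not know, the three responses (repair, quarantine, delete), and a freshness check on the definitions so that a "clean" result from a stale catalog is reported as such. Apart from the EICAR test string, which is the industry-standard harmless file every real scanner recognises, the catalog entries, heuristic rules, file paths and contents, dates and the seven-day policy are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Constructed "definitions" catalog. The EICAR entry is the industry-standard,
# harmless test string; Demo.Appender is an invented marker standing in for a
# real viral byte sequence. Real catalogs hold many thousands of entries in
# vendor-specific formats.
DEFINITIONS_DATE = date(2003, 6, 30)   # assumed release date of this catalog
MAX_DEFINITION_AGE_DAYS = 7            # assumed site policy for "up to date"
SCAN_DATE = date(2003, 7, 14)          # assumed date on which the scan is run

SIGNATURES = {
    # name: (byte pattern, action to take on a match)
    "EICAR-Test-File": (
        b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
        "delete",
    ),
    "Demo.Appender": (b"\xeb\x1e\x90\x90DEMO-APPENDER-MARKER", "repair"),
}

# Heuristic rules for code the catalog does not know: traits that, taken
# together, look "virus-like". Invented for this example; two or more hits
# earn a quarantine rather than a delete, because heuristics can be wrong.
HEURISTICS = [
    ("run-key-persistence", re.compile(rb"CurrentVersion\\Run", re.IGNORECASE)),
    ("writes-system32", re.compile(rb"\\system32\\", re.IGNORECASE)),
    ("self-mails", re.compile(rb"MAPISendMail|mail\.smtp", re.IGNORECASE)),
]
SUSPICION_THRESHOLD = 2


@dataclass
class Verdict:
    status: str                      # "clean", "infected" or "suspicious"
    name: Optional[str] = None       # catalog name, or the heuristic hits
    action: str = "none"             # "none", "repair", "quarantine", "delete"
    cleaned: Optional[bytes] = None  # repaired content when action == "repair"


def definitions_age_days(today: date) -> int:
    return (today - DEFINITIONS_DATE).days


def definitions_stale(today: date) -> bool:
    """True when the catalog is older than the site policy allows."""
    return definitions_age_days(today) > MAX_DEFINITION_AGE_DAYS


def scan(data: bytes) -> Verdict:
    """Catalog pass first (an exact match is authoritative), then heuristics."""
    for name, (pattern, action) in SIGNATURES.items():
        if pattern in data:
            # "Repair" for an appender-style infection: strip the viral bytes
            # and hand back the original file content.
            cleaned = data.replace(pattern, b"") if action == "repair" else None
            return Verdict("infected", name, action, cleaned)
    hits = [label for label, rx in HEURISTICS if rx.search(data)]
    if len(hits) >= SUSPICION_THRESHOLD:
        return Verdict("suspicious", ",".join(hits), "quarantine")
    return Verdict("clean")


def scan_host(files: Dict[str, bytes], today: date) -> dict:
    """Scan every file and report, alongside the verdicts, whether the
    definitions used were stale: a clean result from an old catalog is worth
    much less than one from a current catalog."""
    return {
        "definitions_stale": definitions_stale(today),
        "definitions_age_days": definitions_age_days(today),
        "verdicts": {path: scan(data) for path, data in files.items()},
    }


# Constructed sample files (paths and contents are made up for the example).
SAMPLE_FILES = {
    r"C:\temp\eicar.com": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    r"C:\temp\report.doc": b"Quarterly figures for the board; nothing unusual here.",
    r"C:\temp\infected.exe": b"MZ\x90\x00ORIGINAL PROGRAM BYTES" + b"\xeb\x1e\x90\x90DEMO-APPENDER-MARKER",
    r"C:\temp\unknown.exe": (
        b"MZ\x90\x00"
        b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        b"C:\\WINDOWS\\system32\\svch0st.exe"
    ),
}


def run_example() -> dict:
    return scan_host(SAMPLE_FILES, SCAN_DATE)


if __name__ == "__main__":
    result = run_example()
    if result["definitions_stale"]:
        print(f"WARNING: definitions are {result['definitions_age_days']} days old")
    for path, verdict in result["verdicts"].items():
        print(f"{path}: {verdict.status} {verdict.name or ''} -> {verdict.action}")
```

Dropping a file containing the EICAR string onto a machine is the standard, harmless way to confirm that a real scanner is actually running and that its definitions loaded; the rest of the catalog above is invented. Note that on the assumed dates the catalog is fourteen days old, so the example reports its own results as coming from stale definitions, which is exactly the warning a practitioner should want to see.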
So that brings us to a very important question: what is the best way to get updates to our clients on the network? Updates are typically made available to clients over the internet. We could simply give all the client computers in each domain internet access:
But many organizations simply cannot afford to do this, and, quite honestly, it may not be good policy to give every worker access to the internet. Recall that we faced a similar dilemma in Chapter 4, when we needed to give our network clients access to the newest security updates from Microsoft while limiting those same clients' access to the internet. Recall also that the solution to this puzzle was Software Update Services (SUS), in which an internal Windows Update server, the only machine that needed to reach Microsoft, was made accessible to all clients.
Wouldn't it make sense to set up a similar solution, so that clients receive their antivirus updates from an internal server, as shown here: