Lesson 2:Antivirus Policies

Most business networks provide users with access to the Internet, and although there might be a firewall in place to prevent outside users from breaking in, this doesn't mean that the network is completely protected. Potentially damaging programs such as viruses, Trojan horses, and worms can still find their way onto the network through file downloads, e-mails, or even floppy disks. It's possible to screen out and eliminate most of these hazards using any one of many antivirus software products intended for stand-alone systems, but network administrators often use products that centralize the virus-scanning process so that every file transmitted over the network is checked.


After this lesson, you will be able to

  • Understand how viruses work
  • List the major types of viruses
  • Describe the functions of antivirus software

Estimated lesson time: 15 minutes


A virus is a software routine that is deliberately designed to attach itself to another piece of software on a computer and perform some preprogrammed activity. The worst types of viruses are engineered to irretrievably destroy all or part of the data stored on the computer by wiping out hard drives. However, there are many viruses with effects that are not so catastrophic. Some viruses can cause intermittent problems on the computer, such as system lockups or specific feature failures, whereas others do nothing but display a message programmed by its author. Viruses are created deliberately by unethical individuals who think that tampering with other people's property is an amusing way to spend their time. Antivirus software products must be continually updated to cope with the constantly evolving techniques used by the creators of viruses.

Like biological viruses, computer viruses are designed to replicate themselves by infecting other entities, in this case, other pieces of software. If you insert a virus-infected floppy disk into your computer, the virus can migrate from the floppy disk to the computer's hard drive, infecting the code that it finds there in one of several ways. In some cases, viruses are designed to remain dormant until the computer's clock registers a particular date and time. There have been, at various times, well-publicized scares about "time bomb" viruses that are due to trigger on a particular date. There is usually a rush to purchase antivirus software on these occasions, but the danger is always overrated, as few cases of the virus in question are found.

When a virus-infected computer is connected to a network, you have the functional equivalent of one sick child sharing a room with a group of healthy children. When one gets sick, the others are likely to get sick also. Files transferred from the infected computer to the other systems on the network can spread the infection, as shown in Figure 16.6. Depending on the design of the virus, the effect can range from a nuisance to a catastrophe. Once the network is infected, it can be very difficult to completely remove the virus. If you miss one infected file on one computer, the virus can reassert itself and start spreading all over again.

Figure 16.6  A virus can spread from a floppy disk to one computer, and then through the network to other computers

Viruses can attach themselves to various parts of a computer's software, and they are often classified by the area of the disk in which they reside. The most common types of viruses are as follows:

  • Boot sector viruses.  A boot sector virus can come from a floppy disk or an executable file. It infects your computer by inhabiting the master boot record (MBR) of your hard drive. Because the MBR executes whenever you start the computer, the virus is always loaded into memory, and is therefore very dangerous. Unlike a virus that infects files (which you can remove by deleting the file), to remove a boot sector virus, you must either delete and re-create the MBR (which causes the data on the disk to be lost) or use an antivirus program.
  • Executable file viruses.  An executable file virus attaches itself to .exe or .com files or, less often, to other types of application modules, such as .dll and .bin files. The virus is loaded into memory when you run the infected program and can then spread to other software that you execute. You can receive executable file viruses in e-mail attachments and downloads, but they can only infect your computer if you run the infected program.
  • Polymorphic viruses.  A polymorphic virus can reside in both the MBR and in executable files, and is designed to change its signature periodically to fool virus-scanning routines that search for the code associated with particular viruses. The virus modifies itself and uses encryption to hide the majority of its code. This type of virus is a direct result of the ongoing competition between the people who design viruses and those who design the tools to protect against them.
  • Stealth viruses.  Many virus-scanning products function by detecting changes in the sizes of files stored on a computer's hard drive. Normal viruses add code to executable files, so the files grow in size by a small amount. This is why installing an updated version of an application can sometimes trigger false positive results from a virus scanner. Stealth viruses attach themselves to executable files in the normal way, but they disguise their appearance by subtracting the same number of bytes from the infected file's directory entry that their code added to the file. The end result is that the file appears not to have changed in size, even though virus code has been added to it.
  • Macro viruses.  A more recent innovation in the world of technological delinquency is the macro virus, which can infect data files. It used to be that viruses were only able to infect executables, but data file viruses attach themselves to documents and spread themselves using the application's macro capability. Microsoft Word documents in particular were the original targets for this type of virus. When a user opens an infected document file, the macro code executes, enabling the virus to enter into memory and spread to the template file (NORMAL.DOT) that Word uses for all open documents. Once in the template file, the virus is read into memory whenever the application is launched and it spreads to all of the documents the user loads afterward. Macro viruses don't usually cause severe damage, but because many businesses frequently exchange document files using e-mail and other methods, they spread very rapidly and are difficult to eradicate. Applications with macro capabilities now usually have a switch that lets you disable any macro code found in a document. If you don't use macros, you can protect yourself from virus infections by using this feature.
  • Worms.  A worm is not really a virus, because although it is a program that replicates itself, it does not infect other files. Worms are separate programs that can insinuate themselves into a computer in various ways, such as by inserting an entry in the Run Registry key that causes them to execute whenever the computer starts. Once in memory, worms can create copies of themselves on the same computer or replicate to other computers over a network connection.
  • Trojan horses.  A Trojan horse is not a virus either, because it neither replicates nor infects other files. These are programs that masquerade as other, innocuous programs, so that the user doesn't suspect that they are running. Once loaded into memory, Trojan horses can perform any number of tasks that can be dangerous to the computer or to the network. Some Trojan horses are essentially remote control server programs that open up a "back door" into the computer where they are running. A user elsewhere on the network or on the Internet can run the client half of the program and access the remote computer through the back door. Other types of Trojan horses can gather information on the remote system, such as passwords or data files, and transmit it to a host program running on another computer.

Preventing Virus Infections

To protect your network against virus infections, you should implement a series of policies that affect both the behavior of your users and the configuration of their computers. All users should be wary of floppy disks from outside sources and particularly of files attached to e-mail messages. One of the most common techniques for disseminating viruses these days is code that causes the victim's computer to send an e-mail message with an infected attachment to all of the people in the user's address book. Because the recipients recognize the name of the sender, they often open the e-mail and launch the attachment without thinking, thus infecting their own computers and beginning the same e-mail generation process.

Antivirus software products can protect individual computers from infection by viruses and other malicious programs arriving on floppy disks, through Internet downloads, and in e-mail attachments. A typical antivirus program consists of a scanner that examines the computer's MBR when the computer starts and checks each file as the computer accesses it. A full-featured program also checks e-mail attachments and Internet downloads by intercepting the files as they arrive from the e-mail or Internet server and by scanning them for viruses before passing them to the client application.

A virus scanner works by examining files and searching for specific code signatures that are peculiar to certain viruses. The scanner has a library of virus definitions that it uses to identify viruses. To keep your computers fully protected, you must update the virus signatures for your program on a regular basis. In many cases, antivirus programs have a feature that automatically connects to a server on the Internet and downloads the latest signatures when they become available. The product you select should update its virus signatures at least once a month. In addition, be sure to check on the software manufacturer's policies for virus signature updates. Some products include perpetual updates in the price of the software, but others include updates for a limited period of time before you must purchase a subscription.

In a network environment, all of the computers, both servers and workstations, should run an antivirus program so that the entire network is protected. Antivirus programs designed for use on networks do not provide greater protection against viruses, but they simplify the process of implementing the protection. The centralized management and monitoring capabilities in network-enabled antivirus products typically allow you to create policies for the computers on the network that force them to run the virus-scanning mechanisms you specify. They also simplify the process of deploying virus signature updates to all of the computers on the network.

Exercise 1: Virus Types

Match the virus types in the left column with their characteristics in the right column.

  1. Executable file viruses
  2. Trojan horses
  3. Stealth viruses
  4. Boot sector viruses
  5. Macro viruses
  6. Worms
  7. Polymorphic viruses
  1. Modify a file's directory entry size
  2. Replicate themselves, but do not infect other files
  3. Load into memory when the computer starts
  4. Infect document files
  5. Periodically change their signatures
  6. Do not replicate or infect other files
  7. Load into memory when you run a specific program

Lesson Review

  1. Why is a worm not considered to be a true virus?
  2. How does a stealth virus disguise its presence?
    1. By masquerading as an innocuous file
    2. By changing the size of the infected file's directory entry
    3. By encrypting its signature
    4. By infecting the disk's master boot record
  3. How does a macro virus differ from the other major types of viruses?
    1. It doesn't replicate.
    2. It infects data files.
    3. It doesn't infect other files.
    4. It hides itself using encryption.

Lesson Summary

  • Viruses are dangerous programs that can damage the data on a computer and spread to the other computers on a network.
  • There are many different types of viruses that are constantly being modified to make them even more destructive than their predecessors.
  • To protect your network against viruses, you must run antivirus software on every computer.


Network+ Certification Training Kit
Self-Paced Training Kit Exam 70-642: Configuring Windows Server 2008 Network Infrastructure
ISBN: 0735651604
EAN: 2147483647
Year: 2001
Pages: 105

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net