In your firm, antivirus software can live in many places and on many machines. The key consideration in choosing it is to ensure that it is positioned to block and scan before viruses reach your desktops. The consultant's goal is that the end user never sees the desktop antivirus warning, because the virus never got that far. The solution should therefore be centrally managed, so that viruses, and the vectors that carry them, do not enter your network in the first place. Whether you block attachments with the SBS email attachment blocking or with your antivirus product, choose one mechanism and use it to remove the attachment types that have no immediate business need; two overlapping filters make it harder to tell which one acted on a given message. On a regular basis, at least annually, review the security events in the network and reevaluate the configuration as needed. This chapter does not recommend one antivirus over another, with one exception: ensure that the solution you choose covers the server, the workstations, and the Exchange server. In the SBS community, the solutions most often installed include the following:
On all these platforms, set the automatic download of virus signature files to run as often as you can, or as often as the vendor supports. Vendors call the same virus by different names, so one annoyance of running different vendors' products on the servers you work with is this lack of naming consistency. The next best practice is to choose one antivirus platform and truly understand all the options and settings in that product; each has its own tweaks and adjustments, and the time spent learning one platform well pays off in support. An excellent resource for staying aware of viruses and other incidents is the F-Secure web log at http://www.f-secure.com/weblog/ where the company tracks late-breaking issues. Be aware, though, that signature-based antivirus is reactive, not proactive: the vendor needs a sample before it can write a signature, which means some computer somewhere was infected first. Blocking the historical methods of infection (for example, executable email attachments) is the proper way to be protected proactively. Review your vendor's response times and compare them with other vendors that have solutions designed for the small business. One such historical comparison can be found at http://www.f-secure.com/news/response/f-secure_speed_of_response.pdf, but this information is easily found on the Web. When you install any one of these antivirus consoles on the server, you typically need to configure it for a proxy server, and you probably need to add any web interface site to the Trusted Sites zone of Internet Explorer Enhanced Security Configuration to get it to function properly. If you need to do standalone scanning of workstations off the network due to infections (see the "Troubleshooting Workstation Security" section later in this chapter for more information), you may need a functioning Internet Explorer to use these web-based tools.
You may need to move the workstation's drive to a sandbox, by making it a slave drive on another testing system, to scan and clean it. When setting up the antivirus, consider your risk zones just as in patch management. Workstations need full scanning with few exceptions. For servers, many database vendors recommend that you do not file-scan their database files, and it is always recommended that you exclude the Exchange database and log directories from the file-level scanner (the Exchange-aware component of your antivirus suite covers mailbox content). The exclusions and settings you need on the server therefore have no bearing on the scan settings you need on the workstations; adjust each based on your data and needs. An example of setting up these zones can be found in Wayne Small's whitepaper on installing Trend Micro CSM on SBS, which can be downloaded at http://www.sbsfaq.com/Visual%20Guides/Trend%20CSM%20on%20SBS2003.pdf. Viruses are nothing more than code whose goal is to do bad things to your system. Whether the result is an annoyance or complete destruction, it is still code. Antivirus vendors gather samples of that code, derive an identifier (a signature) from the binary, and publish it in signature updates so the scanner can detect and block it. Most antivirus software performs background, on-access monitoring: every time a file is opened or accessed, its contents are compared against these signatures. Engines also look for patterns similar to known attacks rather than exact matches, a process called heuristics, and flag such files as potential viruses. The disadvantage of this model is false positives: there have been times when legitimate software was flagged as a virus. When setting up your actions for dealing with non-email-based viruses, you may not want to set the action to delete but rather to quarantine.
On the off chance that a key file is flagged, you can recover from the misidentification more easily from quarantine. More information about antivirus software can be found at http://www.symantec.com/region/reg_eu/resources/antivirus.html and in the book The Art of Computer Virus Research and Defense by Peter Szor, Addison-Wesley Professional, ISBN 0321304543. In an office where the goal is that a virus never shows up on the desktop, you may need to use the EICAR test file (a harmless standard string that every vendor's scanner is expected to detect) to show what the desktop antivirus alert looks like, so that the end user knows what to look for. Go to http://www.eicar.org/anti_virus_test_file.htm to find several methods of testing the entry points for viruses. Consider preparing a short awareness document telling the end user how to handle a virus infection, with a prepared list of procedures for the on-site owner or end user to follow so that the attack can be contained.
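The following is an added example, not code from the book or from any antivirus vendor, that makes the preceding two paragraphs concrete: a toy signature scanner with an exact-hash signature and a byte-pattern signature, a scan exclusion for a mail store directory, and a quarantine action that keeps enough metadata to restore a false positive. The file tree, the signature entries, and the exclusion list (exchsrvr, mdbdata) are constructed for the demonstration; the only real artifact is the EICAR test string, which is assembled at runtime so that a host scanner does not flag the script itself.

```python
"""Added example: minimal signature scanner with exclusions and quarantine."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# The EICAR test string (harmless by design), joined from two halves at runtime.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database.
# Exact-file signatures: SHA-256 of the whole file. One extra byte defeats them.
HASH_SIGNATURES = {hashlib.sha256(EICAR.encode()).hexdigest(): "EICAR-Test-File"}
# Generic byte-pattern signatures: a substring shared by a family. Catches variants
# the hash misses, at the cost of more false-positive risk.
PATTERN_SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File (pattern)"}

# Hypothetical exclusion list in the spirit of the server advice: do not file-scan
# the Exchange mail store directories (the Exchange-aware scanner covers them).
EXCLUDED_DIRS = {"exchsrvr", "mdbdata"}
QUARANTINE_DIR = "quarantine"


def scan_file(path: Path):
    """Return the detection name for a file, or None if nothing matches."""
    data = path.read_bytes()
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, pattern_name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return pattern_name
    return None


def scan_tree(root: Path):
    """Scan every file under root, skipping excluded directories and the quarantine."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        dirs = {part.lower() for part in rel.parts[:-1]}
        if dirs & EXCLUDED_DIRS or QUARANTINE_DIR in dirs:
            continue
        name = scan_file(path)
        if name:
            findings[rel.as_posix()] = name
    return findings


def quarantine(path: Path, root: Path, detection: str) -> Path:
    """Move a flagged file into the quarantine store with a sidecar manifest."""
    qdir = root / QUARANTINE_DIR
    qdir.mkdir(exist_ok=True)
    dest = qdir / f"{hashlib.sha256(path.read_bytes()).hexdigest()}.quar"
    manifest = {"original": str(path), "detection": detection, "quarantined_at": time.time()}
    shutil.move(str(path), str(dest))
    dest.with_suffix(".json").write_text(json.dumps(manifest))
    return dest


def restore(quar_path: Path) -> Path:
    """Undo a quarantine: the false-positive recovery path that delete would not allow."""
    manifest_path = quar_path.with_suffix(".json")
    manifest = json.loads(manifest_path.read_text())
    original = Path(manifest["original"])
    shutil.move(str(quar_path), str(original))
    manifest_path.unlink()
    return original


def demo():
    """Build a constructed file tree, scan it, quarantine the hits, restore one."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "exchsrvr" / "mdbdata").mkdir(parents=True)
    (root / "docs" / "report.txt").write_text("Quarterly figures, nothing malicious.")
    (root / "docs" / "eicar.com").write_text(EICAR)  # exact hash hit
    (root / "docs" / "eicar-variant.com").write_bytes(EICAR.encode() + b"\n; variant")  # pattern hit only
    # EICAR bytes inside an excluded mail store: must be skipped, not deleted.
    (root / "exchsrvr" / "mdbdata" / "priv1.edb").write_bytes(b"hdr" + EICAR.encode() + b"tail")

    findings = scan_tree(root)
    quarantined = {rel: quarantine(root / rel, root, name) for rel, name in findings.items()}
    restored = restore(quarantined["docs/eicar-variant.com"])  # treat the variant as a misidentification
    result = {
        "findings": findings,
        "excluded_untouched": (root / "exchsrvr" / "mdbdata" / "priv1.edb").exists(),
        "restored_exists": restored.exists(),
        "after_restore": scan_tree(root),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the variant shows why a single exact hash is not enough, the mail store shows what an exclusion actually means (the scanner never reads the file, so anything inside it is invisible to this layer), and the restore step shows what quarantine buys you over delete.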
Resources such as Virus Bulletin's VB100 testing, which checks whether antivirus products detect the viruses currently in the wild (http://www.virusbtn.com/vb100/archives/products.xml?table; sign up and register for access), may help you identify vendors. Some, if not many, of these online scanning platforms require ActiveX and a working Internet Explorer, so online scanners may not be viable on a severely infected box. Some of the free online virus scanners include