
Virus Mitigation Strategy

The increased usage and popularity of the Internet has influenced the development of the methods used to spread viruses. In the past, many computer viruses spread via floppy disks, but a new generation of email-borne viruses has emerged to threaten the corporate messaging system.

University Policies – Internet Messaging Gateway

A policy is a set of email usage rules applied to enforce email usage standards. Administrators use these policies to filter and eliminate many of the security and productivity threats the messaging system faces.

IT Resources has configured the new central email gateway antivirus product, Trend Micro InterScan, with the policies outlined in Table 1 to filter out potentially malicious content. Figure 1 summarises the process in diagrammatic form.

Table 1

Filter Result                                            Filter Action
Mass mailing virus detected                              Delete
Virus(es) detected but some/all were not cleaned         Quarantine and Notify
Joke program attachment detected                         Quarantine
Virus scanning aborted - message may contain viruses     Quarantine and Notify
Password protected file detected (not scanned)           Deliver
Virus(es) detected and successfully cleaned              Deliver and Notify
No virus detected                                        Deliver

The filter actions are defined as follows:

Deliver: Deliver the message.

Delete: Delete the message.

Delete and Notify: Delete the message and notify the administrator.

Deliver and Notify: Deliver the message and notify the administrator.

Postpone and Notify: Postpone the delivery of the message until after midnight and notify the administrator.

Quarantine and Notify: Send the message to the default quarantine area and notify the administrator.
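The policy in Table 1 and the action definitions above, expressed as a decision function over a whole message (an added example, not the University's configuration or Trend Micro code; the Result enum and the rule that the most restrictive action wins when attachments yield different results are assumptions, since the page does not say how InterScan combines them):

```python
from enum import Enum

class Result(Enum):
    """The 'Filter Result' column of Table 1, one value per scanned attachment."""
    MASS_MAILER = "Mass mailing virus detected"
    NOT_CLEANED = "Virus(es) detected but some/all were not cleaned"
    JOKE = "Joke program attachment detected"
    ABORTED = "Virus scanning aborted - message may contain viruses"
    PASSWORD_PROTECTED = "Password protected file detected (not scanned)"
    CLEANED = "Virus(es) detected and successfully cleaned"
    NO_VIRUS = "No virus detected"

# Table 1 as configured on the gateway: result -> action.
TABLE_1 = {
    Result.MASS_MAILER: "Delete",
    Result.NOT_CLEANED: "Quarantine and Notify",
    Result.JOKE: "Quarantine",
    Result.ABORTED: "Quarantine and Notify",
    Result.PASSWORD_PROTECTED: "Deliver",
    Result.CLEANED: "Deliver and Notify",
    Result.NO_VIRUS: "Deliver",
}

# ASSUMPTION (not stated on the page): when attachments yield different
# results, the most restrictive action for the message wins.
SEVERITY = ["Deliver", "Deliver and Notify", "Quarantine", "Quarantine and Notify", "Delete"]

def message_action(attachments):
    """Decide the action for a whole message.

    attachments: list of (filename, Result); an empty list behaves as 'No virus detected'.
    Returns (action, unscanned). 'unscanned' names attachments delivered without any
    engine having inspected them: under Table 1 that is the password-protected row,
    so for those files the desktop product is the only remaining control.
    """
    results = {r for _, r in attachments} or {Result.NO_VIRUS}
    action = max((TABLE_1[r] for r in results), key=SEVERITY.index)
    unscanned = []
    if action.startswith("Deliver"):
        unscanned = [name for name, r in attachments if r is Result.PASSWORD_PROTECTED]
    return action, unscanned

# Constructed sample messages (not real traffic).
SAMPLES = {
    "agenda": [("agenda.doc", Result.NO_VIRUS)],
    "mixed": [("notes.doc", Result.CLEANED), ("photos.zip", Result.PASSWORD_PROTECTED)],
    "worm": [("invoice.exe", Result.MASS_MAILER), ("readme.txt", Result.NO_VIRUS)],
    "bomb": [("data.zip", Result.ABORTED), ("funny.exe", Result.JOKE)],
    "empty": [],
}
```

Running `message_action` over the samples shows the one case an administrator should review: "mixed" is delivered with a notification, but photos.zip passes the gateway unscanned.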


Virus Mitigation Strategy

Until recently, the virus mitigation strategy pursued by the University centred purely on protection at the desktop. Even where antivirus software has been installed, however, in some cases it is not configured to receive updates automatically and, in other instances, the software has actually been disabled by users.

A multilayered approach to virus defence has become necessary to combat the increased prevalence of malicious viruses. This strategy includes integrated protection at the Internet messaging gateway, groupware servers, file servers and desktops. It dictates that the product used at the messaging gateway differ from that used in the desktop environment. Identifying and dealing with viruses before they reach the local user negates, to a large extent, the possibility of a malicious virus entering the University network and causing widespread infection, and a second, independent product provides an extra control by identifying viruses that the desktop software may not detect.

No virus protection strategy is foolproof, and it is important that users of the University network are aware that certain actions could potentially lead to a virus infestation:

  • a user on a virus-infected machine connecting to University resources using a VPN connection;

  • an infected file being loaded onto a staff/student PC via a floppy disk, CD-ROM or USB memory stick.

It is imperative that users who transfer files from home computers to University computing hardware have up-to-date antivirus software installed on their computers.

An example of an effective freeware solution (for home and non-commercial use only – cannot be used on a network), Grisoft AVG, is available at the following URL:

http://www.grisoft.com/us/us_dwnl_free.php

Desktop, File & Groupware Server Virus Protection
Various desktop and server based antivirus solutions are in use throughout the various Faculties and Schools of the University:

  • NAI McAfee VirusScan (desktop) and NetShield (file & groupware server)

  • Symantec Norton AntiVirus

  • NAI Virex (Macintosh)

IT Resources has standardised upon the aforementioned McAfee products to provide virus protection for desktops managed via the Standard Computer Lease Scheme and file and groupware servers, managed centrally. All installations are configured to check for updates from a central IT Resources update server (Numenor) on a daily basis. This update server currently checks the McAfee website for updates on an hourly basis.

IT Resources also provides Symantec Norton AntiVirus and Virex updates from this central update server.

Messaging Gateway Virus Protection
After extensive research and trialling, Trend Micro's InterScan was identified as the most appropriate solution for the University. InterScan provides comprehensive virus protection, flexible policy-based content filtering, and management tools to help monitor and control SMTP traffic (responsible for 87% of all viruses) at the messaging gateway.

Trend Micro InterScan is designed to prevent malicious threats and suspicious content at the messaging gateway while ensuring internal communications comply with legitimate business practices. With flexible, policy-based antivirus and content management security enforcement, InterScan is designed to provide a front line of defense to block unwanted messaging traffic, such as mass-mailer viruses and other malicious code, from infecting the internal messaging environment, and inhibiting sensitive information from being distributed externally.

The product provides virus protection from the following:

Mass Mail / Denial of Service (DoS) Virus Protection
If a virus is a mass mailer, InterScan can be set to delete the infected email at the gateway to ensure internal mail systems and resources are not affected. If a virus is not a mass mailer, the email will be cleaned and then delivered to its destination.

A DoS attack is caused when someone attempts to flood an email system with enormous amounts of email resulting in the disruption of the SMTP gateways' ability to accept incoming or outgoing connections. This prevents employees from sending or receiving Internet email. As recent virus outbreaks have demonstrated, response speed is important during a DoS attack. Mixed-threat viruses possess the ability to spread faster, requiring antivirus vendors to deliver a virus pattern file quickly to avert disaster.

Another form of DoS does not require viruses or malicious scripts to be involved. Email messages with an excessive number of attachments, attachments with excessive levels of compression, or small compressed attachments that decompress to gigabytes of data can absorb processing power on the SMTP gateways, disrupting the processing of legitimate email.
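A pre-scan guard against the compression-based DoS described above, as an added example (not part of the page or of InterScan): it reads each zip member's declared size from the central directory, so the ratio and total-expansion checks cost nothing to decompress, and it descends into nested archives only after those limits hold. The three limits are assumed policy values.

```python
import io
import zipfile

MAX_RATIO = 100          # declared uncompressed bytes per compressed byte (assumed limit)
MAX_TOTAL = 50 * 2**20   # 50 MiB total declared expansion (assumed limit)
MAX_DEPTH = 3            # archives nested inside archives (assumed limit)

def check_archive(data, depth=0):
    """Return (ok, reason) for zip bytes, without expanding beyond the declared sizes."""
    if depth > MAX_DEPTH:
        return False, "nesting depth exceeds limit"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    total = sum(info.file_size for info in zf.infolist())  # declared, not inflated
    if total > MAX_TOTAL:
        return False, f"declared expansion {total} bytes exceeds limit"
    if total > MAX_RATIO * len(data):
        return False, f"compression ratio {total / len(data):.0f}:1 exceeds limit"
    for info in zf.infolist():
        if info.filename.lower().endswith(".zip"):
            try:
                inner = zf.read(info)  # bounded: zipfile stops at the declared size
            except (zipfile.BadZipFile, RuntimeError):
                return False, f"unreadable nested archive {info.filename}"
            ok, reason = check_archive(inner, depth + 1)
            if not ok:
                return False, reason
    return True, "within limits"

def make_zip(members):
    """Constructed sample builder: members is {name: bytes}; returns zip file bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def nest(data, levels):
    """Constructed sample: wrap zip bytes inside 'levels' further archives."""
    for i in range(levels):
        data = make_zip({f"level{i}.zip": data})
    return data
```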

Malicious Email Content
Executable programs, Microsoft Office documents with macros, embedded Visual Basic scripts and JavaScript are all potential virus carriers. Malicious email usually includes virus-carrier executable programs (.EXE, .COM, .VXD), attachments with macros (.DOC, DO), Visual Basic Scripts (.VBS), Java, ActiveX and/or HTML links, any of which can allow this type of content to enter the email system.


Figure 1

Virus Diagram


Further Information

For more information please contact:

Adrian Dillon
Manager, Computing and Distributed Systems
Email: Adrian.Dillon@utas.edu.au
Tel: (03) 6226 6232
Fax: (03) 6226 7171