A System Administrators Guide to Implementing Various Anti-Virus Mechanisms: What to do When a Virus is Suspected On a Computer Network

Not registered
Abstract

This paper, presented in the form of sample guidelines/procedures, will express in detail the steps, techniques and methods of defense utilized/implemented in the detection, investigation and tracing of a suspected computer virus. Proposed courses of action will be discussed. The effectiveness of these actions, as well as the use and effectiveness of established mechanisms of defense, will be evaluated. Fried & Fried Securities, in reality a fictitious privately owned corporation, will serve as a model of a real-life company. It will be assumed that Fried & Fried Securities will be operating on IBM-compatible, Pentium/Celeron® class systems, designed by a reputable national computer manufacturer. The LAN (Local Area Network) will be running on Microsoft Windows 2000, under the authority and supervision of a System Administrator. Each system tied to the network will be loaded with the software necessary to run a securities brokerage house. Privilege and security levels of access will be determined and configured by the System Administrator. Furthermore, each system will have access to the Internet. E-mail will be available for each computer user in the corporation. This e-mail will be filtered using e-mail scanning software installed on the network's mail server. Moreover, a regularly updated anti-virus software package, supplied by the manufacturer of the computer systems and maintained by the System Administrator, will be loaded onto each computer owned by or housed on the premises of Fried & Fried Securities.

© SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights.

A Definition From An Expert

Dr. Fred Cohen is best known for his work and research on areas relating to computer viruses. Dr. Cohen's definition of the term 'computer virus' is widely accepted. Cohen asserts "a computer virus is a program that can 'infect' other programs by modifying them to include a, possibly evolved, version of itself" [1].

Statement of Fried and Fried Securities' Concern

As technology continues to advance, so does the threat of computer viruses and other forms of malicious code. Computer viruses are becoming more sophisticated in regard to how they are written, how they are transmitted and how they deliver their payload. New tools and strategies of defense need to be implemented to protect against computer virus infections. In a survey conducted in October 2000 by ICSA.net, a security assurance firm, it was found that the number of companies experiencing computer disasters due to viral infections had increased by 20 percent from the previous year. It is estimated that the number of reported incidents will double by October 2001. This survey, which compiled data from over 300 companies, found that the loss of productivity due to virus infections is on the rise and that financial losses can cost a company anywhere from $100,000 to $1,000,000 a year [2]. Computer viruses should not be disregarded. They are, and will probably always be, a potential threat. To prevent infection and the possibility of losses, be they financial, time or company resources, it is the position of Fried & Fried Securities to implement the precautions and procedures we see fit and necessary to combat the threats associated with computer viruses.

Precaution Level One: Effective Training

Most computer viruses tend to spread due to human interaction/intervention [3]. By attending a mandatory professional training course on how to prevent computer viruses, employees will become more aware of the threats/dangers associated with computer viruses. This course will focus primarily on the different types of viruses and simple means of prevention. Computer viruses such as file infectors, .com infectors, .exe infectors, disk infectors and partition infectors; boot infectors, macro viruses, Trojan horses, worms and Visual Basic Scripting viruses will be discussed in detail. The various ways in which each of these viruses can be transmitted will also be covered. Moreover, employees will be trained on how to determine whether their computer system shows symptoms characteristic of a computer virus. Furthermore, this course will help employees evaluate whether an e-mail is trustworthy enough to open, read or download attachments from.

Precaution Level Two: Periodic Employee Assessment

Upon completion of the training course, employees of Fried & Fried Securities will be subject to periodic employee assessments. These assessments will ensure that each employee is aware of the threats/dangers associated with computer viruses and that he/she is taking the proper precautions to protect the integrity of his/her particular computer system. These assessments may take the form of a short written exam with multiple-choice or true/false questions. However, assessments may also take the form of a practical exam. For example, an employee may be chosen at random to receive an e-mail that appears to be from an unfamiliar source. It will be up to that particular employee to decide whether the e-mail is from a trustworthy source. If the employee fails to pass/complete exams of this nature, further training will be implemented.

Precaution Level Three: Established Mechanisms of Defense

Probably the most common and established mechanism for combating computer viruses is the use of anti-virus software. However, anti-virus software can be deemed effective only if it is frequently updated. Many anti-virus software vendors provide periodic updates, enhancements and patches to their software products. If such updates are not taken advantage of, a computer system or network of computers can be left vulnerable to virus infection. In a survey conducted in June 2000 by Central Command, an anti-virus company, it was found that nearly 25 percent of computer users do not periodically update their anti-virus software suites. Furthermore, the survey concluded that nearly 62 percent of those surveyed had their computer victimized by a virus infection. Moreover, 22 percent claimed that they had lost data due to their computer becoming infected by a computer virus [4].

Each computer system or network server brought to, or housed on, the premises of Fried and Fried Securities must run an anti-virus software program. Anti-virus software, as provided by the computer vendor of Fried & Fried Securities, will be periodically updated. The anti-virus program will be configured to perform automatic inspection of all files accessed on the computer system on which it is installed. Furthermore, any options allowing for automatic and on-demand scanning will be utilized if available. Each hard drive connected to the network will be scanned daily for the presence of computer viruses. Moreover, any and all removable hard drive peripherals/devices will be scanned for the presence of computer viruses [3].

Many computer viruses spread via e-mail. Although each employee will be trained in how to evaluate whether an e-mail is from a trusted or an unsafe source, chances cannot be taken. As a result, Fried & Fried Securities will have an e-mail scanner installed on all mail servers. E-mail scanners have the ability to intercept any viruses that may be present [3].

Always Expect the Unexpected

Despite the implementation and utilization of proper precautionary measures, computer viruses may still slip through the cracks. This may occur because the virus is undetectable by the anti-virus scan engine. Problems relating to computer hardware/software, such as configuration errors, can also allow a virus to infect a computer system. Furthermore, an action resulting from human interaction or intervention may have caused a virus to make its way onto a particular system. In any case, any suspicion that a virus may be present on a computer system must be reported immediately to the Fried & Fried Securities System Administrator. The machine is to be left in its original state and should not be logged off the network or shut down.

The System Administrator Steps In

Not every irregular activity on a computer is due to a virus. Other errors, such as computer software bugs, may occur. In order to truly identify/verify whether a computer virus is present on a particular computer system, the individual who brought the concern to the System Administrator will be asked to fill out the following questionnaire:

Fried & Fried Securities Inc.
Suspicious Computer Activity / Incident Report

Workstation ID:
Date:
Time:
Employee:
Department:
Ext:
Last Application Utilized:
Last file executed:
Last System Reboot:

Recent Symptoms
Please Place a Check By All That Apply:
___ Computer system appears to be running/loading programs slower than usual
___ Computer system appears to hang/freeze when using a specific file/program (specify) _______
___ Computer's hard disk drive appears to be constantly working (hard drive light is on often)
___ Computer system time/date settings appear to have been modified
___ There are noticeable changes in file sizes and available memory
___ Strange things are appearing on the computer's monitor
___ Unusual/Unfamiliar programs running in the background
___ Something out of the ordinary occurs when using the computer (unusual messages appear)
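The "noticeable changes in file sizes" symptom on the checklist and Cohen's definition of a virus as a program that modifies other programs both point at the same defensive check the System Administrator can run on a reported workstation: a file-integrity baseline. The script below is an added example, not part of the original paper or of Fried & Fried's own procedures; it assumes a directory of program files (constructed sample contents are used here) and records the size and SHA-256 of each executable so that a later comparison lists modified, added and removed programs.

```python
import hashlib
import json
import os
import tempfile

# Extensions of the program files a file infector would modify (assumed list).
EXEC_SUFFIXES = (".exe", ".com", ".dll", ".sys")


def _fingerprint(path):
    """Size and SHA-256 of one file; both change when a program is altered."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": os.path.getsize(path), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Map each executable under root (path relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def compare(baseline, root):
    """Executables that were modified, added or removed since the baseline was taken."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: clean baseline, then one program grows and a new DLL appears."""
    root = tempfile.mkdtemp()
    for name, body in (("app.exe", b"MZ-original-program"), ("readme.txt", b"not scanned")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    baseline = build_baseline(root)
    # Simulated change to a program file (constructed sample bytes, not real malware).
    with open(os.path.join(root, "app.exe"), "ab") as fh:
        fh.write(b"-appended-block")
    with open(os.path.join(root, "new.dll"), "wb") as fh:
        fh.write(b"MZ-unexpected")
    return compare(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written to read-only media when the workstation is known clean, and compare() run against it as part of the incident report review.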

Publication date: 2015