Mounting an anti-virus defense

Anti-virus software, which often was viewed as the security stepchild to sibling powerhouse technologies such as intrusion detection and firewalls, has been elevated to a new market status following the "Melissa" virus, which in March infected machines worldwide via e-mail.

Once sold mainly as a single desktop solution - which users often labored to disable or bypass - anti-virus software is being bundled with other security solutions designed to secure entire enterprises from security threats. Anti-virus software has emerged as an integral component of agency security efforts because viruses are more easily transmitted in today's networked world, and the viral breeding ground of the Internet has spurred phenomenal virus growth.

Although the majority of viruses in 1997 were transmitted by floppy disks, the major source of virus infections today is e-mail attachments, which can be used to spread a virus at alarming speed. The Melissa virus affected more than 100,000 machines worldwide in just days by seizing users' computers and e-mailing copies of itself to the first 50 names in the e-mail address book.

In 1986, there was one known computer virus; in 1990 that number had jumped to 80. From December 1998 to January 1999, the total virus count jumped from 20,500 to 36,500. Today, there are about 45,000 computer viruses in existence, with new ones appearing every day.

"A lot of the virus attacks...are starting to blur the lines between [a virus or a vulnerability?]" said Sal Viveros, group product manager for Network Associates Inc.'s Total Virus Defense Division.

"It is much easier for a hacker to send an e-mail attachment than it is to penetrate a firewall. We're seeing more destructive viruses that are hitting more people."

Network Associates offers an anti-virus package that provides virus protection spanning the desktop, groupware and gateways, and it also has a security suite offering anti-virus software coupled with firewalls, intrusion detection and encryption.

Viveros said the common alerting and reporting mechanisms from the security suite enable a network administrator to react more quickly to problems. For example, if a hacker finds an open port and uses it to insert a virus, intrusion-detection and anti-virus software can work in tandem to provide an accurate picture of what is happening on a network.

"You're starting to have rules-based reactions," Viveros said. "You're taking away the need for the network administrator to be sitting there monitoring those different things when they happen. By setting rules, the different components are talking to each other."

Symantec Corp. in May announced its Digital Immune System, a strategy to capitalize on its anti-virus technology, while coupling it with intelligent tools designed to keep systems running at peak performance. With its anti-virus software, the company will offer tools for server management, desktop configuration, remote system operation and disaster recovery - all from a single console.

Chris Mills, Symantec's product manager for Digital Immune System, noted that the strategy will include advanced anti-virus management tools that enable a network administrator to lock down policy requirements on the desktop and configure virus responses that automatically go into effect upon detection. In addition, the company plans to add security mechanisms such as e-mail scanning, Uniform Resource Locator filtering and protection from malicious Java applets, he added.

"What [customers are] worried about are threats to their enterprise," Mills said. "It's not strictly an anti-virus concept. We're talking about protecting your enterprise from unknown threats that will negatively affect your credibility, your cost and your uptime."

Worldtalk Corp. has bundled multiple security mechanisms into its secure server product, which is being used by the Energy Department and the Food and Drug Administration. In addition to a server-based virus detection solution, the company also offers access control, which regulates whom a user can send e-mail to and receive e-mail from, and encryption controls.

DOE's headquarters used Worldtalk's secure server to begin containing the potentially devastating Melissa virus before a fix was even discovered for it, said Charlie Smith, information management consultant at DOE.

Smith said that although many other anti-virus products provide the ability to disinfect incoming viruses before they are passed on to users, Worldtalk's server enabled him to program a policy that would target and quarantine any incoming e-mail with a specific message in its header.

"The quarantine allowed us to really track Melissa," Smith said. "It gave us a history to trace back to the originator."

Bill Mann, director of product management at Worldtalk, noted that the ability to program policies into the server also could be used to fend off potentially damaging mobile code, such as hostile Java applets, that users unknowingly can download from World Wide Web sites.

"Literally anything that can be done by a program can be done by mobile code," Mann said. "It can open database connections. It can install viruses on your PC. Mobile code gives the hackers so much more flexibility than virus writing."

It is not only traditional anti-virus and computer security companies that are homing in on technology to combat viruses. Companies targeting the electronic-commerce market are bundling anti-virus software with other computer security solutions. In July, Computer Associates International Inc. introduced its eTrust security solution, which bundles anti-virus technology with public-key infrastructure technology, encryption controls, intrusion-detection scanners, firewall components, network surveillance and authentication tools.

Kurt Ziegler, senior vice president for CA's security business, said the eTrust network surveillance component is crucial to containing viruses because users have not always updated their software to detect the latest viruses. Because these identification delays can be devastating, a containment strategy is crucial, he said.

"We include some technology that lets you identify movement, to get a pattern," Ziegler said. "It scans the network on the inside...so you can see a neighbor sending it to a neighbor inadvertently. Should you get an identification...you can quickly go back over that traffic and say who's carrying what where."

Judith Spencer, director of the Center for Governmentwide Security at the General Services Administration, said the Melissa virus - combined with other incidents, such as a hacker group threat to target the federal government - has helped increase government security awareness. She noted that though anti-virus software is "indispensable" on systems today, it should be viewed as only part of an agency's security arsenal.

"Integrated security solutions are a good idea," Spencer said. "[But] the way that you implement security solutions as opposed to whether or not the product comes bundled is more important."

Bundling anti-virus software with security mechanisms located at the perimeter of a network is advantageous because everything coming in to the environment is checked, and network administrators do not have to worry if end users have updated their software, said Lance Travis, service director at Boston-based AMR Research Inc. However, that method also has its drawbacks, he noted.

"You're now scanning every e-mail message [and] every Web page that comes through your firewall," Travis said. "There's a huge performance penalty you could potentially pay."

Trend Micro Inc. is an anti-virus firm that has chosen not to bundle its anti-virus software with other security products. Instead, the company is designing its products so that they will interoperate with other key products needed for security, said Dan Schrader, Trend Micro's vice president of new technology.

Trend Micro offers an integrated border security approach, scanning for viruses at perimeter points such as e-mail servers and Internet gateways. That approach was designed to stop viruses and malicious code before they enter the network.

Trend Micro's anti-virus software is being used by the Department of Housing and Urban Development on 75 servers to support about 11,000 users. The product was designed to eliminate the expensive and disruptive "pre-emptive e-mail shutdown" strategy that many government agencies are forced to deploy when threatened with viral infection, Schrader said.

"You want to identify where key Internet traffic enters your organization and have the code scanner at those entry points," Schrader said. "Anything that relies on the end users for best practices is doomed to fail."

Many anti-virus vendors are moving to take control of the software away from end users, who notoriously try to bypass the software safeguard or forget to update it to protect from new viruses. But Roger Thompson, technical director of malicious code research at the International Computer Security Association, noted that anti-virus software still must be multilayered.

"If an infected document is attached to an e-mail, then something at the mail server or firewall wouldn't pick it up if the document was encrypted," Thompson said. "You still have to have detection on the desktops."
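The two points above, Smith's header-based quarantine policy at the gateway and Thompson's caveat that a gateway cannot inspect an encrypted attachment, can be shown together in one small policy filter. The following is an added example written for this article, not Worldtalk's product code or anything DOE deployed; the subject pattern, the "known bad" byte marker and the sample messages are all constructed placeholders, and the encryption check only recognises a few common PGP/S/MIME markers.

```python
"""Mail-gateway policy filter: quarantine on a header match, scan attachments
the gateway can read, and flag the ones it cannot. Added illustration only,
not Worldtalk's product code."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed policy rule: quarantine any message whose Subject matches.
# Placeholder pattern, not the actual Melissa subject line.
SUBJECT_RULE = re.compile(r"^Important Message From", re.IGNORECASE)

# Constructed "known bad" byte pattern standing in for a virus signature.
KNOWN_BAD = b"X-DEMO-MALICIOUS-MACRO"


def is_opaque(part) -> bool:
    """True when the gateway cannot look inside the attachment (encrypted)."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    return (part.get_content_type() in ("application/pgp-encrypted", "application/pkcs7-mime")
            or name.endswith((".gpg", ".pgp", ".p7m"))
            or data.startswith(b"-----BEGIN PGP MESSAGE-----"))


def classify(raw: bytes) -> dict:
    """Apply the gateway policy to one RFC 5322 message and return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {
        "action": "deliver",
        # Kept with every verdict so a quarantined message can be traced back.
        "originator": str(msg.get("From", "")),
        "reasons": [],
        # Attachments the gateway could not inspect; desktop scanning must cover these.
        "unscanned": [],
    }
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RULE.search(subject):
        verdict["action"] = "quarantine"
        verdict["reasons"].append(f"subject matched policy rule: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if is_opaque(part):
            verdict["unscanned"].append(name)
            continue
        if KNOWN_BAD in (part.get_payload(decode=True) or b""):
            verdict["action"] = "quarantine"
            verdict["reasons"].append(f"attachment {name!r} matched signature")
    return verdict


def build_message(subject: str, attachments) -> bytes:
    """Construct a sample message (test data, not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Important Message From Alice", [("doc.doc", b"plain text")]),
        ("Weekly report", [("doc.doc", b"hi " + KNOWN_BAD)]),
        ("Weekly report", [("doc.gpg", b"-----BEGIN PGP MESSAGE-----\n...")]),
        ("Weekly report", [("doc.doc", b"plain text")]),
    ]
    for subj, atts in samples:
        print(classify(build_message(subj, atts)))
```

The third sample is the case Thompson describes: the gateway delivers the message but records the attachment as unscanned, so the verdict log shows exactly which items still depend on the desktop scanner. The `originator` field is what makes the quarantine useful as a history to trace an outbreak back to its source.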

Anti-virus software vendors may see the demand for their products increase even more in the future as virus-like threats to networks continue to grow.

William Orvis, security specialist at the Computer Incident Advisory Capability at Lawrence Livermore National Laboratory, noted that he is seeing an increasing incidence of worms - programs that crawl through networks, automatically making and distributing copies of themselves while installing dangerous back doors in systems as they move. As a result, unauthorized users can remotely control a system with a back door installed.

Anti-virus software can be designed to watch networks for worms. However, Orvis said products of the future will have to "intelligently" detect viruses that have never been seen before, instead of relying on tracking viruses by their "signatures," which is the most common viral-detection method today.

"We need a way that we can have smart computer code...and say, 'That is probably a virus,' " Orvis said. "We need to learn to teach a machine to recognize a virus."
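The contrast Orvis draws, matching a virus by its signature versus recognising one that has never been seen, can be made concrete with a toy scanner that tries both methods. This is an added example written for this article, not CIAC's or any vendor's engine; the signature database, the heuristic indicators and weights, and the macro-like text samples are all constructed (the samples are token fragments, not working macros).

```python
"""Signature matching versus a simple heuristic score, on constructed samples.
Added illustration, not CIAC's or any vendor's detection engine."""
import hashlib
from typing import NamedTuple


class Verdict(NamedTuple):
    method: str   # "signature", "heuristic" or "clean"
    score: int    # heuristic score (0 when a signature matched first)
    detail: str   # which signature or which indicators fired


# Constructed "known sample" and the two kinds of signature derived from it:
# a whole-file hash and a short byte pattern.
KNOWN_SAMPLE = b"Sub AutoOpen()\n' DEMO-WORM-V1 marker\nEnd Sub\n"
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
SIGNATURE_PATTERNS = [b"DEMO-WORM-V1 marker"]

# Constructed heuristic indicators with weights. Each names a behaviour a
# macro-virus heuristic would weigh; no single one is conclusive on its own.
HEURISTIC_RULES = [
    (b"AutoOpen", 2),        # auto-run entry point
    (b"Document_Open", 2),   # alternate auto-run entry point
    (b"AddressEntries", 3),  # reads the address book
    (b"Recipients.Add", 2),  # builds an outgoing recipient list
    (b".Send", 2),           # sends mail
    (b"SaveAs", 1),          # writes a copy of the document
]
HEURISTIC_THRESHOLD = 6      # tuning knob: lower catches more, false-positives more


def signature_scan(data: bytes):
    """Exact-match detection: known hash or known byte pattern."""
    if hashlib.sha256(data).hexdigest() in SIGNATURE_HASHES:
        return "hash match"
    for pat in SIGNATURE_PATTERNS:
        if pat in data:
            return f"pattern {pat.decode()!r}"
    return None


def heuristic_score(data: bytes):
    """Behaviour-based score: sum the weights of every indicator present."""
    hits = [(pat, weight) for pat, weight in HEURISTIC_RULES if pat in data]
    return sum(weight for _, weight in hits), [pat.decode() for pat, _ in hits]


def scan(data: bytes) -> Verdict:
    """Signatures first (cheap, precise), then the heuristic for unknowns."""
    sig = signature_scan(data)
    if sig:
        return Verdict("signature", 0, sig)
    score, hits = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return Verdict("heuristic", score, ",".join(hits))
    return Verdict("clean", score, "")


# Constructed inputs: a variant with the marker removed, a never-seen sample
# that combines mailing behaviours, and a benign auto-saving macro.
VARIANT = b"Sub AutoOpen()\n' DEMO-WORM-V2 marker\nEnd Sub\n"
UNSEEN = b"Sub Document_Open()\n' DEMO: walks AddressEntries, then Recipients.Add / .Send\nEnd Sub\n"
BENIGN = b"Sub Document_Open()\nActiveDocument.SaveAs \"report.doc\"\nEnd Sub\n"

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                          ("unseen", UNSEEN), ("benign", BENIGN)]:
        print(label, scan(sample))
```

The known sample is caught by its hash, the unseen sample by its combination of behaviours, and the benign macro scores below the threshold. The variant shows the weakness of both methods: changing one byte defeats the hash and the pattern, and a single indicator is not enough for the heuristic, which is why the threshold and weights have to be tuned against real false-positive rates rather than guessed.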

-- Harreld is a free-lance writer based in Cary, N.C.

****

At a Glance

Status:

E-mail has overtaken the floppy disk as the primary carrier of electronic viruses, leading vendors to bundle anti-virus software with other desktop and server management tools.

Issues:

Anti-virus programs tackle viruses at different levels: Some packages work on the desktop, scanning files as they are opened; others sit at the server or Internet gateway, scanning files before they can reach the desktop and proliferate. Ultimately, anti-virus software is only as good as an organization's overall management scheme.

Outlook:

Very good. Although more and more destructive viruses are appearing on the scene, the Melissa virus earlier this year has focused the attention of both users and the software industry.