Technically Speaking: Protecting the Network From Virus Attacks
01 Oct 1998
Editor's Note: "Technically Speaking" answers your technical questions, focusing on network management issues. To submit a question for a column in a future issue, please send an e-mail message to firstname.lastname@example.org, or send a fax to 1-801-228-4576.
Network administrators frequently ask two questions about viruses:
What is the best way to protect a network from virus attacks?
What is the best virus-protection software for servers?
The purpose of virus protection is to maintain data integrity by preventing outside agents from accessing and modifying that data. Because a network has many different components, there are several entry points for viruses to attack the network. This article describes how to protect your company's network from virus attacks, explaining how to identify points of entry and implement appropriate protection.
ALL EYES ARE NOT ON THE SERVER
There are many misconceptions about virus attacks. The first misconception is that the server is the primary target for virus attacks on a network. Although a lot of virus-protection software plays off this misconception, it is still just that--a misconception.
You must protect your company's network against two types of viruses: file viruses, which attach themselves to binary code (such as application files), and boot sector viruses, which attach themselves to the executable code in a disk's boot sector. Viruses are spread when a user opens or runs an infected file on a computer.
A virus cannot be spread if the user cannot run the infected file directly on the computer. As a result, the NetWare server console is secure from virus attacks because you cannot run an infected DOS or Windows 95 application on the NetWare console. The same is true of viruses that are written to infect Macintosh or UNIX workstations. Because you cannot run Macintosh or UNIX programs on the server console, such viruses cannot attack the server itself.
However, the server console becomes vulnerable when you reboot it: Before NetWare is loaded, you can access DOS on the server. At this point, you could insert an infected diskette into the server's diskette drive and unknowingly run an infected file.
Infecting the server at this level can cause problems when you copy files (such as updated versions of the SERVER.EXE file or LAN or disk drivers) to the DOS partition. This virus infection might also cause RAM integrity problems when NetWare is running and you are performing DOS access operations on the server's A or C drive. For example, updating drivers from the server console or installing new services on the server could cause RAM integrity problems.
To protect the server console when it is in DOS mode, you should install a DOS virus-protection utility on the server's DOS partition (C drive) and run this utility whenever you need to perform any operations (such as copying files) on the server's C drive. However, you should not leave the DOS virus-protection utility in memory when NetWare is running. Because you will not be using this utility while NetWare is running, unloading it frees up server resources.
You should also install server-based virus-protection software. Several companies such as Network Associates, Symantec Corp., and Computer Associates Inc. offer this software, which allows you to check every read and write operation made on the server. (Network Associates Inc. was formed by the merger of McAfee Associates, Network General, and Dr. Solomon's Software.)
For most networks, you can configure the server-based virus-protection software to perform scheduled checks on the volumes mounted on the server. As the next section explains, most viruses enter the network through workstations, and checking each read and write operation on the server may not detect viruses introduced on workstations.
By running scheduled checks on the server, you provide adequate protection for the server and improve the performance of the server. You can also schedule the check to coincide with other disk operations such as the backup.
VIRUSES SNEAK ONTO THE NETWORK THROUGH WORKSTATIONS
The second misconception about viruses is that if you run virus-protection software on the server, your company's network is secure. Although that particular server may be protected from viruses, the entire network is not secure. You must protect the network at the point of attack--the point at which the virus has the greatest potential for entry to the network.
The most vulnerable part of your company's network is the workstations. If you run virus-protection software at the point of entry--in this case, each workstation--a virus cannot attack the local drives on the workstation, and a virus-infected file cannot be transferred to another workstation on the network.
By providing virus-protection software at the workstation level, you are providing the highest level of security against attack. The following examples show the importance of running virus-protection software on each workstation.
The Danger of Unprotected Workstations
Suppose a network administrator installed virus-protection software only on the server. By configuring this software to scan all read and write operations in real-time, the network administrator was confident that his company's network was protected against virus attacks.
Now suppose a user downloaded a file from the Internet onto a diskette in his workstation's A drive. The user then ran the file to install a utility on his workstation's C drive and made copies of the diskette to give to other users.
The user's workstation would be infected as soon as he ran the file he downloaded. The virus would quickly and easily spread to all of the files on his C drive. Of course, all of the users who ran the same file would also infect their C drives.
Since no read or write operations were made on the server, the virus-protection software running on the server never had the chance to check the infected files. As a result, the company would have a full-blown virus infection and no way to stop it. Worse, the network administrator might not be notified that a problem existed until users began experiencing serious problems on their workstations.
The Safety of Protected Workstations
Suppose that the network administrator had installed virus-protection software on the workstations as well as on the server. Also suppose the network administrator had configured the virus-protection software to check all read and write operations to all local drives (including floppy diskette, ZIP, JAZ, or CD-ROM drives). If a user downloaded a file from the Internet and saved this file to the A drive, the virus-protection software would alert the user that a virus was found in the file.
Now suppose a user brought a diskette from home and inserted the diskette into her workstation. When this user attempted the first file read, the virus-protection software would alert the user that a virus had been detected.
Bells and Whistles for Virus-Protection Software
Some virus-protection software may be NetWare-aware and include a server component. In this case, you can configure the virus-protection software running on the workstations to send an alert to you or another network administrator when a virus is detected. You will then know when a user is trying to save or run an infected file.
Because more and more users are accessing the Internet, many virus-protection manufacturers are releasing Internet virus-checking programs that actually read the data stream being downloaded. (The programs read the data stream whether the user is using a modem or LAN connection.) As soon as an Internet virus-checking program detects a virus signature in the data stream, this program aborts the download and sends the user an alert. The virus never even makes it to the user's workstation.
Virus-protection manufacturers are also providing safeguards to prevent users from disabling virus-protection software. You can configure the virus-protection software so that a workstation cannot connect to the network if this software is disabled or uninstalled.
You can use this feature to ensure that all workstations are protected and cannot spread infected files. Although implementing this feature involves more configuration time upfront, it reduces the network's exposure to virus infection.
If the virus-protection software you are using on the server and workstations is from the same manufacturer, another feature may be available: You may be able to configure the virus-protection software to send an alert to you or another network administrator if a user attempts to log in to the network from a workstation that does not have virus-protection software.
E-MAIL MESSAGES CAN BE VIRUS CARRIERS
Another common misconception is that e-mail messages themselves can contain viruses. Many e-mail messages contain dire warnings about e-mail viruses. According to these warnings, simply opening an e-mail message that has a certain subject line (such as "You Are A Winner") will destroy your entire hard drive.
If you receive an e-mail message warning you about opening a certain e-mail message, don't be alarmed. You cannot get a virus simply by opening an e-mail message. The e-mail message that contains the warning is a virus hoax, making you worry about events that cannot happen. (For more information about virus hoaxes, see the related article.)
Although you cannot get a virus via an e-mail message itself, you can receive an infected file as an attachment to an e-mail message. To protect your company's network from being infected by a file that is sent as an attachment, you should ask users to follow these simple rules:
Never open a file that is attached to an unsolicited e-mail message from an unknown sender. If you don't know who sent the file or if you did not explicitly request the file be sent to you, you should simply delete the e-mail message. Do not open or download the attachment.
Never open an attached file directly into an application, such as Microsoft Word. The Concept virus (a Word macro virus) spread quickly because many users had configured their e-mail application to automatically open .DOC files in Word. You should configure your e-mail application to prompt you before opening an attached file.
Open an attached file on a removable media device first. By opening files on a floppy diskette, ZIP, or JAZ drive, you can properly scan the file for viruses. You are also less likely to infect other files on your workstation's hard drive.
Immediately after opening a file, run a virus check on the file. Although virus-protection software runs background checks, you should not rely on these background checks to test all files written from e-mail attachments.
Do not run any file you receive via e-mail until you have run a complete virus check on the file.
Because e-mail attachments can be infected with viruses, some e-mail manufacturers and virus-protection manufacturers now offer e-mail virus-checking software. This software actually runs on the e-mail server and checks all e-mail messages (including attachments) being sent and received for viruses. E-mail virus-checking software can notify you of infected attachments before the intended recipient even has a chance to open the infected file.
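The following is an added example, not code from the article or from any product it names: a minimal attachment check of the kind an e-mail gateway performs, which also handles the .DOC auto-open problem described above by holding such attachments for review. The signature table, the list of extensions held for review, and the sample message are all constructed for the example.

```python
import base64
import email
import hashlib
import os
from email import policy

# Constructed signature table for this example (byte pattern -> detection name).
# A real product ships a database of such signatures and updates it regularly.
SIGNATURES = {b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE": "Example.TestSignature"}

# Assumption: file types the gateway holds for review even without a signature
# hit, because mail clients may open them directly in an application (the
# Concept/.DOC case from the article) or because they are directly executable.
REVIEW_EXTENSIONS = {".doc", ".dot", ".exe", ".com", ".bat"}


def scan_attachments(raw_message: bytes) -> list:
    """Check every attachment of a raw RFC 822 message before it is delivered."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        hits = [label for sig, label in SIGNATURES.items() if sig in data]
        if hits:
            action = "quarantine"        # never reaches the recipient
        elif os.path.splitext(name)[1].lower() in REVIEW_EXTENSIONS:
            action = "review"            # held until an administrator looks at it
        else:
            action = "deliver"
        # The SHA-256 goes into the alert so the administrator can match copies.
        findings.append({"filename": name, "sha256": hashlib.sha256(data).hexdigest(),
                         "signature_hits": hits, "action": action})
    return findings


def build_message(filename: str, content: bytes) -> bytes:
    """Construct a sample message with a text body and one base64 attachment."""
    return (
        b"From: sender@example.com\r\nTo: user@example.com\r\n"
        b"Subject: You Are A Winner\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see the attached file.\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.b64encode(content) + b"\r\n--b1--\r\n"
    )
```

Running `scan_attachments(build_message("report.doc", b"..."))` with the constructed signature inside the content returns a single "quarantine" finding; the same .DOC without it is returned as "review", and a .TXT without it as "deliver".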
To protect your company's network against viruses, you need to evaluate the entire network and provide the appropriate type of protection at each point of entry to the network. When creating a virus-protection plan for your company's network, follow these simple steps:
Configure the virus-protection software running on the server to perform regularly scheduled checks on all mounted volumes on the server.
Install a virus-checking utility on the DOS partition of the server. If you down the server and perform maintenance tasks at the DOS prompt before NetWare is loaded, you could introduce viruses on the C drive.
Install virus-protection software on every workstation attached to the network. You should configure this software to check every read and write operation to all drives, including removable media drives (floppy diskette, ZIP, JAZ, and CD-ROM drives).
If your company uses the Internet frequently, you should consider purchasing an Internet virus-checking program. Some of these programs are add-ons to firewall products, and some of these programs are stand-alone gateways that sit between the router to the Internet and your company's network.
If your company receives a lot of e-mail messages that contain attachments, you should consider purchasing an e-mail virus-checking program.
You should teach users how to manually check files for viruses. You should also implement a company-wide policy that provides guidelines for bringing files from home, downloading files from the Internet, and distributing these files. This policy should, at the very least, make users responsible for performing a manual virus check on each file and diskette.
You can find more information about virus protection and virus-protection software at the following World-Wide Web sites:
Dr. Solomon's web site at http://www.drsolomon.com/home/home.cfm
Symantec's web site at http://www.symantec.com/nav
Mickey Applebaum has worked with NetWare for more than 14 years. Mickey provides technical support on the Internet for The Forums (http://theforums.com).
NetWare Connection, October 1998, pp. 38-41
* Originally published in Novell Connection Magazine
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.