
Implementing Virus Protection

In document Network Security JumpStart pdf (Page 113-117)

Although it used to be possible to avoid viruses by avoiding software downloads and avoiding clicking on e-mail attachments, it's no longer feasible to think that every user will always do the right thing in the face of the rampant virus propagation going on now. Especially with e-mail viruses and Internet worms (which you can receive irrespective of how you behave), you can no longer guarantee that you'll remain virus free no matter what you do.

You must implement virus scanners in order to protect your computer and your network from virus attack. But purchasing software once is not sufficient for staying up to date with the virus threat, because new viruses crop up every day. All major virus protection vendors offer subscription services that allow you to update your virus definitions on a regular basis. Whether or not this process can be performed automatically depends on the vendor, as does the administrative difficulty of setting up automatic updating.

Tip Frequent (daily) automatic updates are a mandatory part of anti-virus defense, so don't even consider virus scanners that don't have a good automatic update service.

Virus scanners can be effectively implemented in the following places:

• On each client computer

• On servers

• On e-mail gateways

• On firewalls

Larger enterprises use virus scanners in all of these places, whereas most small businesses tend to go with virus protection installed on individual computers. Using all of these methods is overkill, but which methods you choose will depend largely on how you and your users work.

Client Virus Protection

Client-based virus protection is the traditional method of protecting computers from viruses. Virus scanners are installed like applications, and once installed they begin protecting your computer from viruses. There are two primary types, which are combined in most current packages.

Virus scanners The original type of virus protection. In the days of MS-DOS and Windows 3.1, these programs ran during the boot process to scan for viruses and disinfected your computer each time you booted it. They did not protect you from contracting or spreading viruses, but they would make sure that it would not affect you for long.

Inoculators A newer methodology that wedges itself into the operating system to intercept attempts to run programs or open files. Before the file can be run or opened, the inoculator scans the file silently in the background to ensure that it does not contain a known virus. If it does, the inoculator pops up, informs you of the problem, disinfects the file, and then allows you to proceed to use the file. Inoculators cannot find dormant viruses in unused files that may have been on your computer before you installed the scanner or in files that are mounted on removable media like zip disks or floppy drives.

Both types are required for total virus defense on a computer, and all modern virus applications include both.

The dark side of client-side virus protection software is the set of problems it can cause. Besides the obvious problems of buggy virus software, all virus software puts a serious load on your computer. Inoculators that scan files that are being copied can make transporting large amounts of data between computers extremely time intensive. Virus scanners will also interfere with most operating system upgrade programs and numerous setup programs for system services. To prevent these problems, you will probably have to disable the virus inoculators before installing many software applications on your computer.

Another problem with client-side virus protection is ubiquity: all the clients have to be running virus protection for it to remain effective. Machines that slip through the cracks can become infected and can transmit viruses to shared files, causing additional load and recurring corruption for users that do have virus applications.

Client-side virus scanners are good enough to keep most smaller businesses virus free. Even if dormant viruses exist on the server, they will be found and cleaned when they are eventually opened, and if the files are never again opened, the virus is irrelevant.

Server-Based Virus Protection

Server-based virus protection is basically the same as client-side protection, but it runs on servers. In the server environment, the emphasis is on virus scanning rather than inoculation because files are not opened on the server, they're merely copied to and from it. Scanning the network streams flowing into and out of a busy server would create far too much load, so server-based virus protection invariably relies upon scanning files on disk to protect against viruses. Servers themselves are naturally immune to viruses as long as administrators don't run applications indiscriminately on the servers while they are logged in with administrative privileges.

Server-side scanners are normally run periodically to search for viruses, either nightly (the preferred method) prior to the daily backup, or weekly, as configured by the administrator. Server-based virus protection does not disinfect clients, so it alone is not sufficient for total virus protection. It is effective in eliminating the 'ping-pong' effect where some clients that don't have virus protection continually cause problems for clients that do.

E-mail Gateway Virus Protection

E-mail gateway virus protection is a new but important method of controlling viruses. Since nearly all modern virus infections are transmitted by e-mail attachments, scanning for viruses on the e-mail gateway is an effective way to stop the vast majority of virus infestations before they start. Scanning the e-mail gateway can also prevent widespread transmission of a virus throughout a company that can occur even if most (but not all) of the clients have virus protection software running.

E-mail gateway virus protection works by scanning every e-mail as it is sent or received by the gateway. Because e-mail gateways tend to have a lot more computing power than they actually need, and because e-mail is not instantaneous anyway, scanning mail messages is a very transparent way to eliminate viruses without the negative impact of client-side virus scanning.

Modern e-mail scanners are even capable of unzipping compressed attachments and scanning their interior contents to make sure viruses can't slip through disguised by a compression algorithm.

Like all forms of server-based virus protection, e-mail gateway virus protection does not disinfect clients, so it alone is not sufficient for total virus protection. However, since the vast majority of viruses now come through e-mail, you can be reasonably secure with just e-mail gateway virus protection, a firewall to block worms, and prudent downloading practices.

Tip Rather than installing client-side virus protection for computers behind a virus-scanned e-mail server, I just use Trend Micro's free and always-up-to-date web-based virus scanner to spot check computers if I think they might be infected. Check it out at housecall.antivirus.com.

Firewall-Based Virus Protection

Some modern firewalls include a virus-scanning function that actually scans all inbound communication streams for viruses and terminates the session if a virus signature is found. This can prevent infection via e-mail and Internet downloads.

Like all forms of server-based virus protection, firewall-based virus protection does not disinfect clients, so it alone is not sufficient for total virus protection.

Warning Unlike e-mail gateway-based virus scanners, firewall scanners cannot unzip compressed files to check their contents for viruses. Since most downloaded programs are compressed, these scanners won't catch embedded viruses in them either.
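To show the practical difference between the gateway scanner that unpacks attachments (described above) and the stream scanner this warning describes, here is an added Python example; it is not code from the book or from any product. The signature table, the marker string, the depth and size limits, and the sample attachment are all constructed assumptions, and a zip file stands in for whatever compression the attachment uses.

```python
import io
import zipfile

# Constructed signature table: a made-up marker stands in for a real definition entry.
SIGNATURES = {b"CONSTRUCTED-TEST-SIGNATURE": "Test.Marker"}

# Assumed limits so nested or oversized archives cannot exhaust the scanner.
MAX_DEPTH = 4
MAX_MEMBER_BYTES = 10_000_000

# Constructed sample attachment: ordinary text with the marker near the end.
SAMPLE_PAYLOAD = b"Quarterly figures attached.\n" * 8 + b"CONSTRUCTED-TEST-SIGNATURE\n"


def scan_raw(data: bytes) -> list[str]:
    """Firewall-style scan: match signatures against the bytes exactly as they pass by.
    A compressed container hides its contents from this check."""
    return [name for sig, name in SIGNATURES.items() if sig in data]


def scan_recursive(data: bytes, depth: int = 0) -> list[str]:
    """Gateway-style scan: match the bytes, then unpack zip containers and scan
    each member, recursing into nested archives up to MAX_DEPTH."""
    found = scan_raw(data)
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue  # skip directories and members too large to inspect safely
            member = zf.read(info)
            found.extend(f"{name} in {info.filename}"
                         for name in scan_recursive(member, depth + 1))
    return found


def build_zipped_attachment(inner_name: str, payload: bytes) -> bytes:
    """Build a constructed, deflate-compressed zip attachment around payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    attachment = build_zipped_attachment("report.doc", SAMPLE_PAYLOAD)
    print("stream scan (firewall-style):", scan_raw(attachment))
    print("unpacking scan (gateway-style):", scan_recursive(attachment))
```

The stream scan returns nothing for the zipped attachment because the marker bytes never appear verbatim in the compressed data, while the unpacking scan reports the marker and the member it was found in.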

Enterprise Virus Protection

Enterprise virus protection is simply a term for applications that include all or most of the previously discussed functions, and include management software to automate the deployment of client virus protection software and the updating of this software.

A typical enterprise virus scanner is deployed on all clients, servers, and e-mail gateways, and is managed from a central server that downloads definition updates and then pushes the updates to each client. The best ones can even remotely deploy the virus-scanning software automatically on machines that it detects do not already have it.

Tip Symantec's Norton AntiVirus for Enterprises is (in my opinion) the best enterprise virus scanner available. It works well, causes few problems, automatically deploys and updates, and is relatively inexpensive.

Review Questions

1. Where do viruses come from?

2. Can data contain a virus?

3. Do all viruses cause problems?

4. What is a worm?

5. Are all applications susceptible to macro viruses?

6. What is the only family of e-mail clients that are susceptible to e-mail viruses?

7. If you run NT kernel-based operating systems, do you still need anti-virus protection?

8. What two types of anti-virus methods are required for total virus defense?

9. How often should you update your virus definitions?

10. Where is anti-virus software typically installed?

Answers

1. Hackers write viruses.

2. No. Pure data can be corrupted by a virus, but only executable code can contain a virus.

3. No. All viruses waste computer resources, but many have no other effect than to propagate.

4. A worm is a virus that propagates without human action.

5. No. Only applications that allow you to write macros and which contain a scripting host powerful enough to allow self-replication are susceptible to viruses.

6. Microsoft Outlook and Outlook Express are susceptible to e-mail viruses.

7. Yes. NT kernel-based operating systems are only immune to executable viruses when run under non-administrative privilege and do not prevent the spread of macro viruses.

8. Inoculators to block an infection and scanners to eliminate dormant viruses are required for total virus defense.

9. You should update virus definitions daily.

10. Anti-virus software is typically installed on clients, servers, and e-mail gateways.

Terms to Know

• benign viruses

• boot sector

• data

• executable code

• execution environments

• inoculator

• interpreter

• macro

• macro virus

• malignant viruses

• propagation engine

• scripting hosts

• self-replicating

• shell

• signature

• virus scanner

• worms

Chapter 9: Creating Fault Tolerance

Overview

Security means more than just keeping hackers out of your computers. It really means keeping your data safe from loss of any kind, including accidental loss due to user error, bugs in software, and hardware failure.

Systems that can tolerate hardware and software failure without losing data are said to be fault tolerant. The term is usually applied to systems that can remain functional when hardware or software errors occur, but the concept of fault tolerance can include data backup and archiving systems that keep redundant copies of information to ensure that the information isn't lost if the hardware it is stored upon fails.

Fault tolerance theory is simple: Duplicate every component that could be subject to failure. From this simple theory springs very complex solutions, like backup systems that duplicate all the data stored in an enterprise, clustered servers that can take over for one another automatically, redundant disk arrays that can tolerate the failure of a disk in the pack without going offline, and network protocols that can automatically reroute traffic to an entirely different city in the event that an Internet circuit fails.
