



Handbook of Local Area Networks, 1998 Edition: LAN Security

HOW TO DISCOVER A VIRUS

Viruses can continue replicating until they are detected. The most well-crafted viruses show no symptoms to reveal their presence. However, many viruses are flawed and betray their presence with some of these indications:

•  Changes in the length of programs.
•  Changes in the file date or time stamp.
•  Longer program load times.
•  Slower system operation.
•  Reduced memory or disk space.
•  Bad sectors on a floppy diskette.
•  Unusual error messages.
•  Unusual screen activity.
•  Failed program execution.
•  Failed system bootups when booting, or accidentally booting, from the A: drive.
•  Unexpected writes to a drive.

Instead of waiting for a sign, network managers should use the appropriate tools to seek out viruses before they get far enough to compound problems. The ideal is to repel them before they infect the system.

STANDARD APPROACHES TO FIGHTING VIRUSES

There are several ways to combat viruses. Computer viruses have become increasingly cunning in their programming and in their ability to avoid detection or eradication. However, virus-fighting tools have also grown through several generations to meet the challenge. Some of the various approaches are described in the following sections.

Signature-based Scanners

Traditionally, virus scanners look for known virus code and, when they find a match, they alert the user. The leading scanners are signature-based. Signatures are strands of code unique to a single virus, analogous to DNA strands in a biological virus. Virus researchers and antivirus product developers catalog known viruses and their signatures. Scanners use these catalogs to search for viruses on a user’s system. The best scanners have an exhaustive inventory of all viruses known to exist and examine all possible locations for infection, including boot sectors, system memory, and files.

Multilevel Generic Detection

Generic detectors are used to eliminate unknown viruses. This method performs integrity checking using checksums. A checksum is created when an algorithm reads a file’s bytes sequentially, creating a unique numeric code based on the file itself. Generic antivirus detectors then compare checksums recorded when the system was in a known, clean state with checksums recalculated subsequently. If a virus has attached itself to a file, the bytes will add up differently and the new checksum will no longer match the old (i.e., clean) checksum. Using this method, it is not necessary to know anything about a virus; instead, the system focuses on what the clean file should look like. The Secret Service uses the same method when teaching agents how to spot counterfeit currency. New agents receive extremely detailed training on what a real dollar should look like rather than on what various counterfeits look like.

The other techniques used in generic detection enable antivirus programs to distinguish normal, legitimate writes to a file from viral additions. Expert systems test a system’s software by examining code flows, calls, executions, and other functions to spot viral activity. Sophisticated versions of this approach not only spot viruses, but clean them automatically.

TSR Monitoring

Terminate and stay resident (TSR) programs stay in memory but operate in the background while other programs run. Because most viruses are essentially TSRs, it makes sense to combat them with a TSR. Antivirus TSR programs can provide real-time monitoring of disks and files, expert system analysis of virus-like behavior and code, and may even detect stealth and polymorphic activity. Rather than only working when invoked, TSRs stay on in automatic mode whenever the workstation is in use. Instead of looking for code that matches memorized patterns, as scanners do, antivirus TSRs attempt to catch viruses “in the act.” On a network, antivirus TSRs can download from a server to each client as it logs on, so that users do not need to remember to activate antivirus tools.

Behavior Blocking

This is the only defense that can prevent viral infection, rather than merely detecting viruses after they have infected. Behavior blocking performs on-the-fly code analysis, monitoring the sequence of code behavior until it can distinguish whether the code is safe or harmful. Harmful code is not permitted to execute. Instead, the behavior blocker notifies the user. Behavior blocking programs use some or all of the following techniques.

File Attribute Monitors

A virus cannot infect (i.e., write to) an executable that is marked read-only. Many viruses work around this by first modifying the file’s attributes so that the file is now a read-write file. Behavior blockers can intercept code that attempts to change or delete the attributes of files.

Intercept Reboot

Some behavior blocking intercepts Ctrl+Alt+Del warm reboots and checks any inserted floppy for viruses before allowing the computer to warm-boot off that floppy. If the floppy has a virus, the behavior blocker warns the user that the floppy is infected. This technique can halt boot viruses.

Smart Blocking

This term refers to very sophisticated behavior blockers that are able to distinguish complex virus behaviors from the complex behaviors of a user running complex software. Smart behavior blockers can analyze detailed sequences of behavior, using statistical analysis to determine the probability that a particular sequence is a virus.

Rescue Disks

Rescue disks are used to salvage data once a virus has infected a PC. It is important that each PC have its own rescue disk. During the installation, an operator must be present to put in the diskette — there is no automatic installation. Users must keep track of their rescue disks. If the disk is lost, there is no way to rescue the PC from the virus infection.

Physical Access to PCs

One simple but important technique for defeating viruses is to control who is able to use the computers. Despite the rise of the Internet, most viruses still enter machines through floppy disks. Although the majority of infections come through the hands of unwitting employees, a percentage of attacks emanate from hostile intent. Therefore, some viral attacks can be deflected simply by deterring unauthorized personnel from using machines. Besides taking measures such as securing physical access to computer rooms, a manager can also use security products that render physical and logical drives invisible to certain users or user groups on a network. Thus, fewer personnel have the opportunity to hack those drives.
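To show how the signature-based scanning and the checksum-based integrity checking described above (under Signature-based Scanners and Multilevel Generic Detection) work together in practice, the following Python script is an added example; it is not code from the handbook. The signature catalog, the file names and the byte patterns it uses are constructed for illustration only, and it exercises both methods on a temporary directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed signature catalog for this example: name -> byte pattern.
# These are invented test strings, not signatures of any real virus.
SIGNATURES = {
    "EXAMPLE-A": b"XAMPLE-SIG-A-TEST-PATTERN",
    "EXAMPLE-B": b"XAMPLE-SIG-B-TEST-PATTERN",
}

# File types an integrity checker of this kind would baseline: executables.
EXECUTABLE_PATTERNS = ("*.exe", "*.com", "*.dll", "*.sys")


def file_digest(path: Path) -> str:
    """Hash a file in chunks. SHA-256 stands in for the handbook's 'checksum';
    unlike an additive checksum, an infector cannot pad its code to keep it unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_signatures(path: Path, signatures=SIGNATURES) -> list:
    """Signature-based scan: report every catalog entry whose pattern occurs in the file."""
    data = path.read_bytes()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_baseline(root: Path, patterns=EXECUTABLE_PATTERNS) -> dict:
    """Record digest and size of every executable under root.
    Run this on a known-clean system and keep the result where the host cannot rewrite it."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def check_integrity(root: Path, baseline: dict) -> dict:
    """Generic detection: recompute digests and diff them against the clean baseline."""
    report = {"modified": [], "missing": [], "new": []}
    current = build_baseline(root)
    for rel, rec in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
        elif cur["sha256"] != rec["sha256"]:
            # The size delta is the 'change in program length' symptom from the handbook's list.
            report["modified"].append((rel, cur["size"] - rec["size"]))
    report["new"] = sorted(rel for rel in current if rel not in baseline)
    return report


def demo() -> dict:
    """Self-contained walkthrough on a temporary directory with constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        editor = root / "bin" / "editor.exe"
        editor.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed clean program body")
        (root / "bin" / "tools.com").write_bytes(b"constructed clean tool body")
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Constructed 'infection' for the test: append catalog pattern A to an
        # existing executable and drop a new executable containing pattern B.
        with open(editor, "ab") as f:
            f.write(SIGNATURES["EXAMPLE-A"])
        (root / "bin" / "dropped.exe").write_bytes(b"MZ" + SIGNATURES["EXAMPLE-B"])

        # First the generic check flags what changed, then the signature
        # scan names what it can among the suspects.
        report = check_integrity(root, load_baseline(baseline_file))
        suspects = [rel for rel, _ in report["modified"]] + report["new"]
        hits = {rel: scan_signatures(root / rel) for rel in suspects}
        return {"report": report, "signature_hits": hits}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two design points follow the handbook's own argument. The integrity check needs no knowledge of any virus, so it catches the appended code and the dropped file whether or not they are in the catalog; the signature scan only names what it already knows, so the two are layered rather than used alone. The baseline is only as trustworthy as the system it was taken on and the place it is stored: it must be built on a machine known to be clean and kept somewhere an infected host cannot rewrite it, or a virus that modifies the baseline alongside the file would pass the comparison.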


