BUYERS GUIDE
To take arms against a sea of computer troubles—power outages, hard drive failures, server crashes—you can choose from a veritable arsenal of weapons. To tame a virus, however, software is your best choice. And of the threats to federal systems, the computer virus is one of the most pervasive.
The International Computer Security Association Inc. of Reston, Va., surveyed 300 large
organizations in the United States and found that 80 percent reported computer virus
infections during the year before the survey.
Like all computer programs, a virus is written to fulfill a specific purpose. Although
each virus is different, they all cause a change in how a computer operates. A relatively
benign virus might simply display a message. Malicious ones can decrease performance, eat
up hard drive space, or corrupt or delete files.
Viruses are usually classified by their target, such as boot sector or Microsoft Word
files. But virus classification is an onion of layers. Within the target areas are
families of similar viruses. Within those families are versions of viruses with the same
name or basic code.
A further classification divides viruses into zoo and wild varieties. Of the 11,000 or
so viruses, most, like zoo animals, exist only in captivity, in this case, in the
computer virus research facility. But nearly 400 are in the wild, and that number is
rising all the time.
Just as the most successful hunters are those who know how their prey behaves, a
systems administrator's best shot at effectively dealing with viruses is learning to
identify them by their behavior. This can be at least as tricky as tracking a big cat
because often the problems that viruses cause are intermittent and difficult to diagnose.
If you don't catch a virus the first time it surfaces, it will likely infect another
system before you finally snare it.
An all-too-easy way to be vulnerable to a computer virus is through handing diskettes
around an office or bringing them in from home. Once the biggest culprit in spreading
viruses, diskettes have been superseded by the Internet and e-mail attachments. One reason
the Word macro virus spread so quickly is because infected Word files are often sent as
e-mail attachments.
Although macro viruses comprise only about 20 percent of viruses, they account for more
than 80 percent of virus incidents reported.
For these reasons, antivirus software should reside on every machine on your network,
every server (especially every mail server) and every notebook PC your
organization uses. Employees who work at home should use notebooks you provide for them,
not their home machines.
Setting security guidelines is a good first step, but a policy that calls for each user
to manually scan each diskette or downloaded file before opening is unlikely to work.
Automation is the key to an effective antivirus policy.
Look for antivirus products that load an application or service that automatically
scans each file accessed. Buy an antivirus package that can be set to automatically
download new virus definitions. For both desktop PCs and network servers, the most
reliable antivirus protection is software that is kept up to date and used all the time.
You can also take preventive steps. For example, the Word macro virus works by
replacing the normal.dot Word template file; inoculate your system by making that file
read-only.
Mission-critical installations are a special problem for antivirus applications. There
are versions of antivirus packages available that deal with applications such as Lotus
Notes and Microsoft Exchange that can disinfect files without bringing down either the
application or the server on which they reside.
So how do you know if you have a virus?
First, if you get an e-mail warning of a virus, what you most likely have is a hoax,
not a virus. For more on virus hoaxes, visit http://www.datafellows.com/news/hoax.
You cannot get a virus from opening an e-mail message, but you can from e-mail
attachments.
But it's rarely that easy. The problem is, lots of computer software does things
viruses also do. For example, many programs create new files and modify existing files.
Microsoft Windows actively manages your hardware and multitasks software, which can cause
unusual, if legitimate, activity on your computer.
The most effective way to watch for virus activity is at the operating system level.
Changes to the size of executable files, alterations in memory use as a result of unknown
programs, and changes in system resource allocations such as changes to the interrupt
requests (IRQs) are good indications of an ongoing virus attack.
Experts also watch for unusual computer activity, such as writes to the hard drive, use
at strange times, odd screen activity, unusually slow operation and erratic hardware
problems.
Trying to discover a virus through your own observations is a fool's game,
however. Unless you want to spend more time looking for viruses than getting work done,
you must rely on antivirus software.
Even the best antivirus software is effective only when used religiously. The easier it
is to use, the more likely that users will take advantage of it.
If your office is running Windows 9x or NT OSes, get an antivirus package that can
leverage such features as the ability to scan files from Microsoft Corp. Explorer.
Programs such as Symantec Corp.'s Norton AntiVirus for Win95 and Toolkit from Dr.
Solomon's Software Inc. have a long history of helping users maximize the Windows
OS's innate capabilities.
Other antivirus software can perform additional tasks. Integrity Master from Stiller
Research, for example, can detect any form of file corruption.
Of course, you should stick with a well-known vendor with a track record in the field,
but most antivirus software offers the same features and detects viruses in almost the
same way.
Reviewing antivirus products presents problems. Unless all the programs tested were
updated at the same time, the test is flawed. If one antivirus package was in an update
cycle that changed its virus signature database the day after the test was conducted, it
wouldn't do as well as the others one day but would be the superior performer the
next.
Some antivirus vendors release new virus definition files weekly; others make biweekly
or monthly updates.
Detection rates can be misleading if they don't measure the effectiveness of a
product in detecting the viruses that are most likely to infect your systems.
Although a high overall detection rate is good (a zoo virus might make its way out
into the wild), more important is how effectively a product can detect wild viruses.
ICSA last year changed its certification requirements. Certified products still must
detect 90 percent of zoo viruses, but also must detect 100 percent of wild viruses. For a
current list of certified products, visit the ICSA Web site at http://www.icsa.net.
If your office is at high risk for viruses transported via the Internet, you should
install a stringent antivirus scanner at the firewall or server level. The higher up the
network hierarchy you stop the virus, the fewer systems are at risk.
Where you install antivirus software is crucial. All products scan files and folders on
your hard drive, but not all can detect a virus on the boot sector of a floppy disk or
within a compressed file.
Even if users never boot from a floppy, such protection can be important. A user can
easily forget and leave a diskette in a drive, shut down the computer and later restart
it. This will cause any other diskettes put into the machine to become infected.
This is a perfect example of why, when developing an antivirus strategy, you should
always plan from the worst-case scenario.
Until a couple of years ago, all viruses attached themselves to programs or boot
sectors. The Microsoft Word Concept macro virus, written in Microsoft's own WordBasic
scripting language, changed all that. It infects Microsoft Word's default document
template and replicates to other Word documents. As a result, you can infect your computer
merely by opening a Word attachment to e-mail.
Macros, created as a way to automate simple tasks, have moved far beyond their
well-intentioned beginnings. Today's macros are created by sophisticated programs
that rival early Basic for complexity and can perform operations on text, data or even an
OS. The latest virus threat could be hidden inside word processing documents or
spreadsheet files.
Symantecs AntiVirus Research Center (AVRC) on Sept. 14 numbered Word macro
viruses in the thousands, and estimated the number of Excel viruses at 200, with a new
Excel virus being discovered every two days.
The ability to discover new viruses is vital. The Symantec Bloodhound technology
included in Norton antivirus is a heuristic detection tool specifically tuned to look for
Microsoft macro viruses.
Besides searching for virus activity in macros, Bloodhound also lets users send copies
of files to AVRC for analysis. Symantec will determine if it's a new virus and e-mail
an update to the user.
Symantec goes a step further than some antivirus software makers do. In early 1997, it
introduced a Java-based combination of scanner and heuristic programs that would actively
search the Internet for new viruses. When it finds a new virus, it reports back to
Symantec's antivirus lab, where programmers create a scanner string for the new
strain.
Still, most antivirus software looks for pieces of code from known viruses. By
definition, these efforts are always behind the curve: no matter how fast a fix is
found for a new virus or how fast users update their software, the virus can be there
first, possibly infecting entire networks before it is eradicated.
Security pros recognized that what was needed was an artificial intelligence engine
that could look at new code and discern whether it would perform the same actions as a
virus, a process known as heuristics. Such analytical software watches for the activity a
virus triggers rather than for specific code.
Although you'll see references to heuristic algorithms, the term is a misnomer.
Heuristic processes are the opposite of algorithmic processes. Algorithms use precise
procedures, while heuristics is based on learning and commonsense processes.
When heuristic programs work correctly, they can detect a new virus, even when
it's the virus's first attack on a computer.
But because heuristic software watches for changes in files or virus characteristics in
code, false alarms are common. Most heuristic detectors in programs have user-selectable
sensitivity settings. The trick is striking a balance between a setting that is too
sensitive and causes too many false alarms, and one that is insensitive and misses real
infections.
The catch-22 aspect of heuristics means it must be monitored by a security expert to
get the best results. Combined with conventional scanner software updated monthly, a
well-managed network can gain almost complete protection. Heuristics is best used in
conjunction with more common virus detection techniques.
Advantages: Heuristics can detect new viruses with no periodic
database updates.
Disadvantages: False positives show up. The software requires careful
management and adjustment.
Checksummers keep track of all software on a hard drive and report a problem condition
if the length of the file changes. Restrict this to executable files or you'll be
swamped with alerts.
Advantages: Because checksummers don't depend on virus detection,
only on one category of changes to files, they have no upgrade cycle.
Disadvantages: Smart viruses may hide in places the checksummer
can't see. They can generate false file size reports to fool checksummers.
If you know a virus exists, the easiest way to eliminate it is to scan for its code.
That is what scanners do.
F-Prot Professional lets you scan any combination of files or drives and schedule
repetitions of the sequence whenever you want. You can even schedule scans to run after a
set amount of inactivity by the computer. The F-Prot Agent component runs in the
background, scanning accessed files.
Scanners come in two forms. On-demand scanners test all of a certain category of files
only when the program is activated. The scan is usually done on boot-up by inserting a
command in the autoexec.bat file.
On-access scanners reside in memory and test each executable file before it is run. You
can also set them to scan each file before it's copied to your hard drive, an
important protection against downloaded viruses.
Advantages: If you know the virus you're looking for, scanners
are the fastest way to find it and eliminate it.
Disadvantages: Constant upgrades are essential to add new virus code
to the scanned database. Scanners will always be behind on new viruses.
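The checksummer and scanner descriptions above, worked through as an added example (not code from any product named in this guide): a length-only checksummer, the same check with a hash, and an on-demand scanner that looks for known scan strings, all run over a constructed set of files. The paths, file contents and the "DEMO.Known" scan string are placeholders invented for the example.

```python
import hashlib

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".dll", ".sys")

# Constructed "scan string" database: strain name -> bytes a known strain
# leaves in infected files. Placeholder bytes, not a real virus signature.
SIGNATURES = {"DEMO.Known": b"\x90\x90\xcd\x21DEMO"}

def is_executable(path):
    """Checksummers should cover executables only, or alerts swamp the user."""
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)

def baseline(files):
    """Record length and SHA-256 of every executable: the checksummer baseline."""
    return {p: (len(d), hashlib.sha256(d).hexdigest())
            for p, d in files.items() if is_executable(p)}

def check_changes(base, files, size_only=False):
    """Compare current files with the baseline; return {path: reason}.
    size_only=True mimics a checksummer that watches file length alone;
    the hash comparison also catches same-length modifications."""
    alerts = {}
    for path, (size, digest) in base.items():
        data = files.get(path)
        if data is None:
            alerts[path] = "missing"
        elif len(data) != size:
            alerts[path] = "length changed"
        elif not size_only and hashlib.sha256(data).hexdigest() != digest:
            alerts[path] = "content changed, same length"
    return alerts

def scan(files):
    """On-demand scanner: report files containing any known scan string."""
    return {p: name for p, d in files.items()
            for name, sig in SIGNATURES.items() if sig in d}

# Constructed snapshots of a small file set before and after "infection".
CLEAN = {
    "C:/APPS/EDIT.EXE": b"MZ" + b"\x00" * 30,
    "C:/APPS/CALC.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 11,
    "C:/DOCS/MEMO.DOC": b"\xd0\xcf\x11\xe0memo text",
}
AFTER = dict(CLEAN)
# Known strain appended: length grows and the scan string is present.
AFTER["C:/APPS/EDIT.EXE"] = CLEAN["C:/APPS/EDIT.EXE"] + SIGNATURES["DEMO.Known"]
# Unknown code overwrites padding: same length, no known scan string.
AFTER["C:/APPS/CALC.COM"] = b"\xb8\x00\x4c\xcd\x21\xeb\xfe" + b"\x00" * 9
# Legitimate document edit: not an executable, so never baselined.
AFTER["C:/DOCS/MEMO.DOC"] = CLEAN["C:/DOCS/MEMO.DOC"] + b" edited"

def demo():
    base = baseline(CLEAN)
    return {"scanner": scan(AFTER),
            "size_only": check_changes(base, AFTER, size_only=True),
            "hashed": check_changes(base, AFTER)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The scanner reports only the file carrying a known scan string, the length-only checksummer reports only the file that grew, and the hashed check also catches the same-length modification that neither of the other two sees.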
Change detectors are not antivirus programs; they don't watch for viruses but
instead monitor all changes to files. Essentially, this is how they work:
The first time your word processor tries to modify a file, you're notified and
asked if the action is permissible. You can tell the change detector to ignore changes by
legitimate applications and soon you'll get only an occasional warning, which you
should take seriously.
Although their antivirus engines may be similar, even identical, programs designed for
standalone PCs are not suitable for network use and vice versa. Your choice may be further
dictated by special features you need. The most important difference is often how
customizable the software is and the sort of reports it generates.
But even the best antivirus program is next to useless if the software and virus
definition files are out of date. When you're shopping, look for antivirus software
that's easy to upgrade.
Most antivirus makers offer upgrades at least every quarter. ICSA aims at recertifying
products at least four times each year. Symantec's Norton AntiVirus for Win95 updates
monthly or when a new wild virus is discovered. Dr. Solomon's updates its virus
profiles online, via either a dial-up connection or the Internet.
For servers (NetWare or NT), InocuLAN is even more automated. It dials into
CAI's update facility at intervals preset by the LAN administrator.
After it downloads the updates, it automatically distributes them to all desktop
computers connected to that server.
Also remember that if you have an on-access antivirus application running, you will
probably need to disable it when installing new software. This is true on desktops and
servers. Just remember to enable your virus protection when the installation process is
finished.
Unlike many other areas of information technology, the number of antivirus makers is
small and getting smaller. In an ongoing industrywide game of PacMan, Symantec and IBM
Corp. will merge their antivirus technologies under the Norton brand name.
Owners of the IBM products are offered free upgrades to similar Symantec products.
Check its Web site at http://www.symantec.com.
Symantec also bought Intel Corp.'s antivirus products. Although Intel will
continue to support its LANDesk Virus Protect and LANDesk Virus Protect for Windows NT
Server until the end of the year, the product is no longer sold.
Next year Symantec will support the product, said a company spokesman. Look for
features of the Intel products to be merged with an upcoming Norton antivirus product,
expected in early 1999.
Look for McAfee Associates Inc. and Anywhere Corp. products under the name of Network
Associates Inc. of Santa Clara, Calif. Network Associates is merging products with Dr.
Solomon's Group PLC, which it has acquired. Get Cheyenne Software Inc.'s
InocuLAN products from owner Computer Associates International Inc.
We look to certification as a guarantee of quality, but a lack of certification
doesn't necessarily mean lack of quality.
International Computer Security Association Inc. of Reston, Va., tests antivirus
software and lists products it certifies on its Web site at http://www.icsa.net.
But it doesn't list as certified the InnoculateIT products from Computer
Associates International Inc.
Delve a little deeper, however, and you'll discover that CAI acquired the
ICSA-certified InocuLAN antivirus products from Cheyenne Software Inc. You no longer can
buy InocuLAN; you must instead look for InnoculateIT, which ICSA is soon likely to
certify.
Other reasons exist for exclusion of some products from certification. Apple Macintosh
products are not tested. Only MS-DOS, Microsoft Windows 3.1 or newer, Windows 9x and
Windows NT, OS/2 and Novell NetWare products are eligible for ICSA certification.
On its Web site, ICSA refers to itself as a completely independent organization. But if
you drill down a bit for details of how products are tested and certified, you'll
find out that ICSA runs a group (consortia) of anti-virus vendors named AVPD
(Anti-virus Product Developers). ICSA only tests (and certifies) AVPD members'
products. Visit http://www.icsa.net/services/consortia/anti-virus/wheresmyproduct.shtml.
Even members' products may go uncertified because they fall outside testing
parameters or weren't submitted for testing.
ICSA was founded in 1989 as the National Computer Security Association, but changed its
name this year, so you may still see products that refer to NCSA certification.
John McCormick
Repairing a standalone PC infected with a computer virus is usually not too difficult,
especially if you've done a little preparation.
Before a problem crops up, load and run an antivirus program on the PC. When you are
sure the PC is virus-free, create and store a clean boot diskette you can use to start
MS-DOS and allow basic access to your system if it has been compromised.
To create the clean boot diskette, insert a clean and blank floppy diskette. Go to the
MS-DOS prompt, and, assuming the floppy drive is a:, key in format a: /s. When its
finished, tape it to the side of the CPU so you can find it fast if you need it.
If the day comes when you find your PC has a virus and you must get a few files off the
hard drive, you can usually boot from the clean boot diskette and move the files to it. Be
aware, however, that the process may infect the floppy diskette.
But usually, you'll want to isolate any infected system and remove the virus
before doing anything else.
Turning off the PC and booting from a clean floppy diskette will do nothing to remove
any existing virus on your hard disk.
You should boot from your clean floppy to load and run any file repair or system
cleanup.
What you shouldn't do is exchange files you download or try to use recent backup
disks; you don't know how long the virus has been on your system. Many viruses
sit on a PC until triggered by a specific date or activity; backups made even weeks before
your discovery of the virus may already be infected.
After the virus is removed, the job isn't done. Removing the virus doesn't
necessarily return files to their original state; they may still be corrupted. You may
need to reinstall the operating system or application files. Random system failures and
general protection faults sometimes result from the effects of removing a virus.
Don't forget to include in the cleanup any floppies or removable media.
John McCormick
Senior contributing editor John McCormick contributed to this report.