The Plague Upon Us
AntiVirus protection has become an IT staple. It's bundled
with home PCs and deployed on corporate desktops, e-mail servers, Web
servers, and firewalls. In fact, AV scanners have become so ubiquitous
that one begins to wonder ... Do we really need to run them everywhere?
Posing this question is not intended to make light of the threat. Viruses
are proliferating at a phenomenal rate, causing enormous damage. According
to Computer Economics, the worldwide economic impact of malicious code attacks
in 2001 topped $13.2B. Nimda alone infected over two million servers
and 700,000 PCs in just 24 hours. Downtime and recovery from this
single worm rang up a $635M price tag last year. And there's more to come:
eight months after being released into the wild, Nimda remained
on the top-ten list of viruses detected last week.
SonicWALL claims there are over 50,000 known viruses, with 200 to 800 new viruses
discovered every month. This month, the new kid on the block is W32/Klez.
According to Sophos, Klez-G and Klez-H accounted for 77.8 percent of all virus activity
last week. Klez propagates with its own SMTP engine, mailing itself
to addresses harvested from Windows address books, ICQ lists, text files,
Word documents, Acrobat files, even cached Web pages. By exploiting an
old Microsoft Outlook preview pane vulnerability, Klez spreads
without requiring naïve users to execute file attachments.
McAfee, Symantec, Trend Micro, Sophos, and other AV vendors quickly supplied
Klez signature updates and disinfectant programs. But after these vendors
finally wrestle Klez variants into submission, another prolific worm is sure
to follow. According to ICSA, 87 percent of major virus infections today are
carried by e-mail.
Business use of e-mail has become so mission-critical that reacting to
new threats by temporarily blocking all incoming e-mail or file attachments
is impractical, prohibitively expensive, and ultimately doomed to failure.
An effective antidote?
Virus protection is clearly warranted, but where are AV measures best
deployed? Major AV software vendors produce a dizzying array of products
for desktops, PDAs, mail servers, Web servers, Web caches, file servers,
and firewalls. Some even market AV appliances: turnkey hardware dedicated
solely to virus scanning. What are the benefits of virus scanning in each
of these locations? Is there value in scanning at all of these
locations?
Stand-alone AV products like McAfee VirusScan, Norton AntiVirus, Trend
Micro PC-cillin, and F-Secure Anti-Virus Personal Edition are appropriate
for individual users and small businesses. These desktop scanners are the
foot soldiers: our first and last line of defense in the war against
computer viruses. However, end users retain control over repair, quarantine,
and delete actions taken when a virus is detected. Furthermore, although
most of these products can automatically download updates, users may disable
auto-update, suspend scanning, or remove the product entirely. A survey
conducted by Central Command found that 25 percent of all users neglect
to install or update their AV software.
Boris Yanovsky, Director of Software Engineering at SonicWALL, strongly
recommends using some mechanism to enforce timely updates. "This is where
the concept of time to protection comes in: the time between a virus being
released into the wild and the time to distribute and install updates,"
said Yanovsky. "On average, time to protection is 48 hours. That is only
for highly publicized attacks where people realize they need to install
an update."
Forced inoculation
For central AV enforcement, larger enterprises typically use products
like F-Secure Anti-Virus for Desktops & Laptops, Norton AntiVirus (NAV)
Corporate Edition, McAfee VirusScan Thin Client, Trend Micro OfficeScan,
and Sophos AntiVirus. Such products can provide a single point of control
for cross-platform policy management, virus event monitoring, automated
response, and large-scale deployment of updates and remedies. These products
also use volume licensing to reduce cost. For example, one retailer that
sells single-user NAV for $52.47 sells NAV Corporate Edition from $30.58
for 10-24 users, dropping to $12.66 for 5,000-9,999 users.
Smaller companies can also benefit from central AV enforcement but may
lack the IT staff to administer it. In this case, consider enforcing desktop
AV updates with an Internet security appliance like SonicWALL. This appliance
prevents users from accessing the Internet unless they have current virus
protection installed on their desktops. "This is safer because updates
are deployed upon release, in fastest possible time, protecting against
users who would uninstall or turn off AV," said Yanovsky. But comparing
total cost of ownership is difficult. For example, one retailer sells
the SonicWALL SOHO3 for $820 with a 50-user AV upgrade for $1,300. Although
these AV licenses alone may be similarly priced, how do you quantify the
"hidden cost" of administration?
Multi-tier protection
Centrally administered desktop AV is popular and, by most accounts, highly
effective. However, many security experts recommend complementing basic
best practices (eliminating unused services, applying patches, maintaining
security logs, and auditing them for suspicious activity) with multi-tiered
virus protection.
"Considering the prevalence and proliferation of e-mail borne viruses,
desktop AV is necessary but is no longer sufficient," said Fred Avolio,
principal of Avolio Consulting. "I recommend to my clients, supplementing
desktop AV (which also deals with viruses from mobile PC and removable
disks, as well) with AV software on either the firewall or the e-mail
server. And I recommend that priority order: desktop first, firewall or
server next."
Software deployment is simpler when there are fewer copies to administer.
As Trend Micro put it, "When a threat like the LoveLetter can spread
around the world in less than an hour, the time required to update all
networked PCs is completely inadequate [and] can cost a business millions
of dollars. On the other hand, a handful of Internet and E-mail gateways
can be updated in a matter of minutes."
Gateway scanning can also be more efficient. An infected document on
a file server can spread rapidly to networked clients. Even if desktop
AV detects the virus on file access, it is computationally less expensive,
and less risky, to repair, quarantine, or delete the virus at the source.
Similarly, malicious mail attachments that are stripped at the SMTP or
POP server never get the chance to spread to unprotected desktops or PDAs.
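To make the "strip it at the SMTP or POP server" tier concrete, here is an added example of a minimal gateway attachment filter. It is illustrative code written for this page, not the article's own material and not any vendor's product; the blocked-extension list, the `X-Gateway-Stripped` header, and the sample message are all assumptions constructed for the example. The filter looks at both the declared filename and the decoded bytes of each part, so an executable smuggled in under a benign Content-Type or extension is still removed before it reaches a desktop.

```python
# Added example (not from the original article, not a vendor product):
# a minimal mail-gateway attachment filter of the kind the "strip malicious
# attachments at the SMTP or POP server" tier relies on. The message it
# processes is constructed inline so the script runs offline.
import email
from email import policy
from email.message import EmailMessage

# Hypothetical gateway policy: attachment extensions that are never delivered.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")
# Leading bytes of a Windows PE executable; checked on the decoded payload
# so a worm cannot evade the filter by declaring an executable as audio/text.
PE_MAGIC = b"MZ"


def is_dangerous(part) -> bool:
    """True if a leaf MIME part looks like executable content.

    Both the declared filename and the actual bytes are examined: the filename
    catches obvious .exe/.scr drops, the magic bytes catch an executable hidden
    behind a benign Content-Type or extension."""
    filename = (part.get_filename() or "").lower()
    if filename.endswith(BLOCKED_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(PE_MAGIC)


def _scrub(container, stripped):
    """Recursively drop dangerous leaf parts from a multipart container."""
    kept = []
    for part in container.get_payload():
        if part.is_multipart():
            _scrub(part, stripped)
            kept.append(part)
        elif is_dangerous(part):
            stripped.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    container.set_payload(kept)


def filter_message(raw: bytes):
    """Parse a raw RFC 822 message and remove dangerous attachments.

    Returns (cleaned_message, names_of_stripped_attachments). A non-multipart
    message carries no attachments and is returned untouched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    if msg.is_multipart():
        _scrub(msg, stripped)
        if stripped:
            # Hypothetical header: leaves an audit trail for recipient and logs.
            msg["X-Gateway-Stripped"] = ", ".join(stripped)
    return msg, stripped


def remaining_attachment_names(msg):
    """Filenames of the attachments still present after filtering."""
    return [part.get_filename() for part in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed test message: one harmless attachment, two that must go."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"Q1 numbers: 42\n", maintype="text", subtype="plain",
                       filename="report.txt")
    # Executable bytes declared as a WAV file: caught by the magic-byte check.
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 32, maintype="audio",
                       subtype="x-wav", filename="song.wav")
    # Plainly named executable: caught by the extension check.
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, stripped = filter_message(build_sample_message())
    print("stripped:", stripped)
    print("delivered:", remaining_attachment_names(cleaned))
```

Run as a script, it reports `song.wav` and `setup.exe` stripped and only `report.txt` delivered. The point of checking decoded bytes rather than trusting the declared Content-Type is exactly the worry the article raises about worms that spread without user interaction: the gateway cannot assume the sender labelled the payload honestly.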
Despite these added efficiencies, gateway AV should not be used alone.
Scanning at the mail server, Web server, or firewall may stop Internet-borne
viruses, but cannot prevent propagation by other vectors, notably the
floppies, Zip drives, and CDs that carry files (and viruses) from home
to office to customer site and back again. Scanning at the gateway and
desktop is a one-two punch that provides more comprehensive coverage.
Continued on page 2: Complementary or Competing?