Evaluating Anti-Virus Software for Home Use 

Mar 14, 2001 02:00 AM

by Paul Schmehl

last updated March 14, 2001

You've seen the alarming news reports and read the Loveletter and Melissa articles in e-zines. Maybe one of your friends has been victimized by a virus infection, and you've seen what it took to repair the damage. Now you've decided that it's time to buy anti-virus software. How do you know what to buy? What's the best software for your use? Will you be really protected? How much will it cost?

Not all anti-virus products are created equal. Before you run down to your local computer store or jump on the Internet and order some anti-virus software, take a moment to think about what you need and why you need it. This article outlines what readers should consider when deciding which anti-virus software to purchase. Although this discussion will not assess software from specific vendors, it will offer some resources to allow readers to assess the best software for their purposes.

Computer Usage and Anti-Virus Protection

Since how you use your computer determines which anti-virus product may be best for you, it is important that you start there. If you don't use your computer to connect to the Internet, you don't need the same protection as someone who does. If you not only connect to the Internet but you also use chat or ICQ frequently, you need much greater protection than someone who only "surfs" occasionally.

How are Viruses Transmitted?

To know what protection you need, you first need to know how viruses are transmitted. (For the purposes of this article, the term "viruses" is meant to include "worms", "Trojans" and "viruses". It is outside the scope of this article to discuss these terms in detail; however, a good overview of the terms can be found at Vanderbilt University.)

Viruses come in many forms and are transmitted in different ways. In "the good old days" viruses were usually transmitted from one computer to another by exchanging floppy disks. This was a slow, methodical method of infection, and it could usually be stopped before a lot of computers were infected. "Modern" viruses take advantage of the Internet by using e-mail, various messaging programs, newsgroups and web sites to spread. Consequently they spread much faster and up-to-date protection is much more important.

Virus writers have also learned that a bit of "social engineering" can do more to spread a virus than well-written code. (In the context of viruses, social engineering is the process of using knowledge of a person to lure them into unwittingly being infected by and transmitting a virus.) The Melissa and Loveletter viruses took advantage of human curiosity and set the standard for most new viruses. Since then virus writers have attempted to refine social engineering to the point that viruses will be "irresistible". The recent outbreak of Anna Kournikova showed that, given the right incentive, many people who should know better would still open a virus-infected e-mail attachment.

Viruses also take advantage of security weaknesses in an application or operating system. Some viruses even use "normal" features of an operating system, such as Windows File and Printer Sharing, to spread from one computer to another. Viruses are also "planted" in newsgroups, as attachments, where many people are fooled into thinking they are harmless files and download them.

Virus writers have also used familiarity to spread their wares. Many modern viruses use the address books built in to e-mail clients to spread the virus. When the unsuspecting victim receives the message it appears that a friend or acquaintance sent it, so the victim is more likely to think there is nothing wrong with the attachment and open it.

People who use IRC (chat), ICQ (I Seek You) or IM (Instant Messenger) are especially susceptible to virus infections, because they can receive infected files without their knowledge or consent. They can also be tricked into thinking they are getting a harmless file, when it is actually a virus. Finally, visiting web pages with a browser set to its default configuration can expose the viewer to unwanted malicious code.

All these avenues of infection are under the control of the user. This points out the importance of secure user behaviour in the prevention of virus infection. When you receive e-mail attachments, you could just delete them. You could not use chat programs or instant messenger programs. You could never read newsgroups. You could even decide never to surf the web again. These actions would ensure that you have much less exposure to risk. They would also make life on the Internet so useless that you may as well unplug! While anti-virus software is a powerful weapon in the prevention of virus transmission, secure user behaviour is just as important, if not more. For that reason, users should always practice the following ten rules for safe computer usage.

Ten rules for practicing "Safe Hex"

1. Never trust e-mail attachments. Even if they come from members of your own family, you should never open an e-mail attachment without first verifying that the person who sent it meant to send it. Many viruses send e-mail without the knowledge of the sender.

2. Keep your computer's operating system up to date. If you use Windows, become familiar with the Windows Update function. Click on Start/Windows Update, go to the Windows Update page and make sure you install all the "Critical Updates" you find there. Download the "Critical Update Notification Service" and install it. This will warn you any time a new security patch is available.

3. Use the security features of your e-mail client. Did you know that it is possible to configure Outlook Express so that viruses like the Kak worm will not be able to infect your computer? Were you aware that Microsoft released a patch in 1999 for the security weakness that Kak exploits to infect computers? (If you use the Windows Update feature built in to the operating system, you will already have this patch installed.) Other e-mail clients, such as Eudora, also have the ability to restrict active content from running in e-mail.

4. Use the security features of your web browser. Most browsers today can be configured to prevent some malicious content from running. In Internet Explorer, you have the option of controlling each type of content (ActiveX, JavaScript, Java, etc.) to either prompt you before running or to not run at all. Internet Explorer also allows you to use "Zones" to classify content that you consider "safe" or "unsafe". Netscape can be configured to "turn off" JavaScript and Java. (Other browsers, such as AOL or WebTV, may have similar features. Check with your vendor for details.)

5. Use a "real" newsreader. Some browsers and e-mail clients offer the ability to read newsgroups. However, browsers are designed to allow active content to run, and some e-mail clients also allow active content to run by default. "Real" newsreaders, on the other hand, are designed to read newsgroups, and they do not allow active content to run. Two popular programs for Windows are Agent (and its free "cousin", Free Agent) and Gravity.

6. Use safe networking. If you network your machines at home, use the NetBEUI protocol (or IPX/SPX if you're a game player). Then go into Network Neighborhood and change the properties of every instance of TCP/IP so that it is not bound to either Client for Microsoft Networks or File and Printer Sharing for Microsoft Networks. This will ensure that the files on your computer cannot be seen or altered by anyone on the Internet.

7. Use passwords for shared drives and files. This will prevent viruses from using Microsoft Networking to spread from one computer to another. It will also give you an added safety factor from accidental sharing of your drives to the Internet. (You never know when someone else or a program you install will alter your settings.)

8. Don't accept files in IRC or instant messenger programs. If someone in a chat room wants to give you a file, there is no reason they can't put it on a website so you can download it. Accepting files that you cannot first virus scan is an invitation for trouble. Always think twice before accepting files from anyone. You can adopt any identity you want on the Internet. So can the person on the other end of your conversation. You wouldn't accept gifts from total strangers who approach you on the street. Why do it on the Internet?

9. Use website virus scanners as a backup. Website virus scanners have become quite popular, but they can only tell you what state your computer is in when it is scanned. They provide no protection against ongoing threats. However, scanning your computer with a different vendor's product can give you an added degree of certainty that your computer is virus free.

10. Use a good anti-virus program and keep it up to date. The remainder of this article will explain how to determine which program is best for your needs. In addition to purchasing and installing an effective anti-virus program, it is also necessary to keep it updated on a regular basis, as we shall discuss.

Assessing Anti-Virus Products

Matching Anti-Virus Capabilities to Your Needs.

As pointed out earlier, your computer use determines what you should look for in an anti-virus program. For instance, if you exchange Word documents regularly, you need excellent macro virus protection. If you use e-mail on a regular basis, particularly for the exchange of documents, you need a program that is adept at checking e-mail attachments. If you use IRC or instant messaging clients, browse "unusual" web sites or read newsgroups, you need a program that has excellent on-access scanning. There are three ways you can determine the capabilities of anti-virus products so you can match them with your needs.

First, you can read magazine reviews. PC Magazine, eWeek and other computing magazines routinely review anti-virus products. Unfortunately, they tend to only review the most popular products, so you don't get a balanced view of the available choices.

Second, you can check the Virus Bulletin's VB 100 Awards. The VB 100 Awards are given out every other month to the products that detect every single virus they are tested against. One thing that you will not learn from the VB 100 Awards is which virus (or viruses) the products that failed to achieve the award missed. The only way to find that out is to subscribe to the Virus Bulletin, and that costs $395 US per year.

Finally, you can look at the results of tests done at AV-Test.org. AV-Test.org "is a project of the Business-Information-Workgroup at the Institute of Technical and Business Information Systems at the Otto-von-Guericke University Magdeburg in cooperation with GEGA IT-Solutions GbR." Their testing is quite thorough, and the results are available for download or for reading on their web site. The format makes it a bit difficult to read, but it's well worth the effort. There you can learn exactly how well a particular product performed against the kinds of threats you are most concerned about.

Product Testing

After reviewing the test results, reduce your selection to two or three products that you think will serve you well. Then download each of the products (most vendors will allow you to download evaluation versions of their products) and, one at a time, take each product for a "test drive". Try out the user interface. See how the product interacts with your computer. Download the updates and see how easy or difficult they are to install. Make a list of the good and bad points of each product. This is an entirely subjective evaluation, but you are the one who has to live with the choice you make. You want to choose a product that is easy to use and provides you with good protection, but you also have to like the product or you won't use it. (Make sure you uninstall each product before installing the next one.)

Look at the vendors' web sites. How easy are they to navigate through? Can you easily find what you are looking for? How do their prices compare? Does the price include version updates? How long can you download definition updates? (Definitions are the files that identify viruses. These must be updated as frequently as daily and at least weekly.) Are updates automatic? Or do you have to start them manually? Does the default configuration of the software give you the protection you need? Or do you have to "adjust" it? Is adjusting it a problem? Is it clear what protection the various features provide? All these are questions you need to answer to your satisfaction before you decide which one to use.

Once you've decided which program to buy, check your local computer stores for sales or promotions. Sometimes you can get a better price locally than you can online.

Conclusion - The Need for Secure Computer Habits

You may find it surprising that this article focuses so little on the products themselves and so much on how you use your computer. (Indeed, we don't even discuss any products by name.) The reason for that is that how you use your computer (practicing "safe hex") is much more important than what product you use to detect viruses. Most scanners today do a good to excellent job of protecting you from virus infections. It's what you do every day to protect yourself, after you've chosen an anti-virus product, that will make the difference between struggling with viruses constantly and enjoying many carefree hours online.

Paul Schmehl is a Technical Support Services Manager with over 25 years' experience. He is currently employed in IT management in higher education, in enterprise-wide technical support, help desk management and anti-virus protection. He is involved in many new technology projects, web site development and security-related issues.



This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
