A comprehensive virus monitoring system which is able to monitor and control virus threats across all systems and platforms in an enterprise is necessary to make organizational networks immune to virus outbreaks. A look at possible virus outbreak scenarios.
by Goh Chee Hoh
Over the last two decades, computer viruses have evolved from basic computer programs capable of infecting a single PC to complex worms that can inflict nothing short of a disaster on the entire computer network of an enterprise. As new platforms and applications make their way into the market, hackers and virus authors learn to exploit their vulnerabilities and security holes. Increased corporate connectivity has led to faster distribution and replication of viruses. Opposing the malicious code writers are many virus fighters, including the developers of anti-virus software. In a seesaw battle, anti-virus companies eventually counter every new move made by the virus writers. Until now, however, they have failed to develop the 'magic bullet' that will secure networks from virus attacks for good.
The focus of both virus writers and virus fighters has increasingly shifted to the network. With the proliferation of various interfaces, organizations have hundreds of 'connected' access points, such as desktops/workstations, network servers, gateways, and shared networks, where viruses can enter and proliferate. With the advent of outward-facing enterprise applications, the ports of entry for viruses and worms have increased exponentially.
Networks face threats
Threats to collaborative networks and servers loom large on a daily basis. Ever-changing competitive business dynamics force enterprises to expose their critical systems and networks to external stakeholders, thus increasing the vulnerability of their online and physical assets. Paradoxically, it is this global connectivity that has actually increased the probability of large-scale virus outbreaks. Estimates indicate that, on average, more than 500 new and 'smart' viruses attempt to burrow their way into corporate networks, often using stealth methods.
In the nineties, many top-of-the-line anti-virus firms and security solutions companies were actively involved in developing anti-virus packages and programs to counter the virus threat. Years ago, the anti-virus firms recognized the futility of fighting network-wide viruses at the desktop level alone. The recommended model became perimeter scanning to guard all network access points. Powerful server-based scanning solutions were introduced for the Internet gateway and e-mail server and other locations, reducing desktop anti-virus programs to a supporting role. This model has proven to be far more effective than desktop scanning alone, and provides adequate protection for a network in normal circumstances.
The CERT Coordination Center, a security watch group in the US, reported 2,437 security vulnerabilities in software products in 2001, up from 171 in 1995. Commentators attributed the increase to pressure on software vendors to get to market quicker, and noted that there was not much pressure from the government or legal system for companies to avoid such mistakes.
About Worms, Viruses & Anti-viruses
A computer virus is a segment of code that will copy its instructions into one or more larger 'host' programs when it is activated. When these infected programs are run, the viral code is executed and the virus spreads further. A typical strategy for a virus is to maintain replication until a specific date is reached, and in the process it deletes crucial files from the hard drive of the desktop.
Worms, on the other hand, are programs that can run independently and travel from machine to machine across network connections. Unlike early viruses, which were carried from diskette to machine and vice versa, current viruses largely depend on infected files being distributed over the Internet. More lethal 'stealth worms', programmed to exploit software vulnerabilities in unpatched servers or browsers, destroy crucial files and then search for new victims at warp speed.
As viruses became more sophisticated, so did the anti-virus programs and solutions. Today's anti-virus software employs a series of state-of-the-art techniques to identify, capture, and contain the virus. The leading solutions are based largely on signature scanning, which detects viruses by looking for a 'fingerprint' taken from the virus' actual code. As new viruses emerge, the software is updated with new pattern files containing their signatures. However, in response to criticism that this method is unable to detect new or unknown viruses, vendors have been adding behavior-blocking and heuristic scanning features. These methods use sets of rules or algorithms based on typical virus behavior to identify suspicious code.
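The two detection methods described above, side by side in a toy scanner. This is an added example written for this page, not code from the article or from Trend Micro: the pattern file, the heuristic rules and weights, the threshold, and the three sample "files" are all constructed for illustration (none of the byte markers is a real malware signature). It shows why the article pairs the two methods: the known sample is identified exactly by its fingerprint, a variant with one changed byte slips past the pattern file but is still flagged by the behaviour rules, and an ordinary program stays under the heuristic threshold.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed "pattern file": signature name -> byte fingerprint taken from the
# sample's code. The markers are invented for this example; they are not real
# malware signatures.
PATTERN_FILE: Dict[str, bytes] = {
    "Demo.Worm.A": b"\xeb\x10DEMO-WORM-A\x90\x90",
    "Demo.Virus.B": b"DEMO-VIRUS-B\xcc\xcc",
}

# Constructed heuristic rules (name, byte regex, weight). Each stands for one
# "typical virus behaviour": self-copying, mass-mailing, date-triggered payloads,
# file destruction, and probing for new hosts. Weights are illustrative.
HEURISTIC_RULES = [
    ("copies-itself", re.compile(rb"CopyFile|WriteFile", re.IGNORECASE), 2),
    ("mass-mail", re.compile(rb"MAPISendMail|RCPT TO|SMTP", re.IGNORECASE), 3),
    ("date-trigger", re.compile(rb"GetSystemTime|GetLocalTime", re.IGNORECASE), 1),
    ("deletes-files", re.compile(rb"DeleteFile|del \*\.\*", re.IGNORECASE), 2),
    ("network-scan", re.compile(rb"WSAConnect|connect\(|\\\\ADMIN\$", re.IGNORECASE), 2),
]
HEURISTIC_THRESHOLD = 5  # a total weight at or above this is flagged as suspicious


@dataclass
class Verdict:
    clean: bool
    signature: Optional[str] = None   # set when the pattern file matched
    heuristic_score: int = 0
    rules_hit: List[str] = field(default_factory=list)


def signature_scan(data: bytes) -> Optional[str]:
    """Exact fingerprint match: precise, but blind to anything not yet in the pattern file."""
    for name, fingerprint in PATTERN_FILE.items():
        if fingerprint in data:
            return name
    return None


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Score the file against behaviour rules; catches unknown code at the cost of possible false positives."""
    score, hits = 0, []
    for name, pattern, weight in HEURISTIC_RULES:
        if pattern.search(data):
            score += weight
            hits.append(name)
    return score, hits


def scan(data: bytes) -> Verdict:
    """Signature first (certain identification); heuristics only for files the pattern file does not know."""
    signature = signature_scan(data)
    if signature is not None:
        return Verdict(clean=False, signature=signature)
    score, hits = heuristic_scan(data)
    return Verdict(clean=score < HEURISTIC_THRESHOLD, heuristic_score=score, rules_hit=hits)


# Constructed sample files (not real executables).
SAMPLES: Dict[str, bytes] = {
    # carries the exact Demo.Worm.A fingerprint: caught by the pattern file
    "known_worm.bin": b"MZ\x90\x00 ... \xeb\x10DEMO-WORM-A\x90\x90 ... CopyFile MAPISendMail",
    # same worm with one fingerprint byte changed: signature misses, heuristics still fire
    "variant.bin": b"MZ\x90\x00 ... \xeb\x11DEMO-WORM-A\x90\x90 ... CopyFile MAPISendMail",
    # ordinary program: a single low-weight rule hit stays under the threshold
    "benign.exe": b"MZ\x90\x00 ... CreateWindowA GetLocalTime ExitProcess",
}


def scan_all(samples: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

The ordering in `scan` mirrors how products layer the two methods: a signature hit is cheap and unambiguous, so it short-circuits; the weighted rules only decide the files the pattern file has never seen, which is also where the false-positive risk lives, so the threshold is the knob an operator tunes.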
Outbreak Life Cycle Management
As corporations around the globe become increasingly connected, the threat of fast-spreading virus outbreaks looms larger than ever. Although corporate IT departments have taken note, deploying enterprise-wide anti-virus solutions seems to be a daunting task for many IT managers. The reasons vary from cost to the lack of homogeneity of systems and platforms across the enterprise. Over the years, managing enterprise security has grown increasingly complex and challenging. More often than not, companies are dwarfed by the enormity of this cumbersome task and what follows is a trial and error approach based purely on reactive strategies and short-term preventative measures.
However, even the best-prepared organizations are at risk during outbreaks of new and smart worms. In spite of massive efforts by anti-virus firms to speed up their response times, the traditional signature-scanning approach simply cannot keep pace when a new virus outbreak assumes epidemic-like proportions. Heuristic approaches can occasionally save the day, but this is far from assured. Recent corporate history is replete with large-scale and fast-spreading virus attacks that assumed epidemic-like proportions, overwhelming short-term preventive measures.
Gateway scanning has proven to be far superior to fighting viruses on the desktop PC. It is powerful and efficient, but it is no cure-all. Wherever they are located, single-point reactive measures to combat virus outbreaks have time and again proved ineffective and inconsistent. Concurrently, there have been business process disruptions with major losses in productivity. From an end-user perspective, there has been a steady erosion of brand equity.
To make organizational networks immune to virus outbreaks, a comprehensive virus monitoring system has to be in place, i.e. a solution that is able to monitor and control virus threats across the enterprise, across all systems and platforms. Clearly, the paradigm has shifted towards a more holistic enterprise protection solution. This approach binds together the hitherto employed point-to-point preventive methods under strong centralised command and calls for the automation of updates and pattern file deployment methods. In the event of an outbreak or attack, the ultimate goal is to quarantine suspicious code and prevent any infection proactively. But the model acknowledges this will not always be possible, and virus infections must be dealt with when they occur.
By focusing on the critical phases of the typical virus outbreak lifecycle, solution providers determine where intervention can be most effective in helping companies reduce the impact and cost of virus outbreaks. Normally, 'activated' preventive processes will operate in the background without causing a break in actual business operations and other related line functions. When an attack penetrates the network, the focus shifts to containment, then to detection and elimination through quickly updated software. Tools and resources are provided to help clean up any damage and repair critical systems quickly. In effect, this enterprise protection strategy is a scalable, intelligent, lightweight management system that effectively insulates networks from the worst effects of viral attacks.
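The centralised command the previous two paragraphs call for rests on one mundane question: does every endpoint, on every platform, actually carry the current pattern file, and is it still reporting in? The check below is an added example written for this page, not code from the article or from any Trend Micro product. The agent reports, host names, platforms, pattern version numbers, timestamps and the 24-hour reporting window are all constructed. It compares versions numerically rather than as strings (so "1.5" is correctly treated as older than "1.433"), treats a silent agent as non-compliant even if its last known version was current, and rolls the result up per platform so a mixed fleet can be reported on from one place.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed agent reports from a mixed fleet (hypothetical hosts, versions, times).
INVENTORY = [
    {"host": "ws-001",  "platform": "windows", "pattern": "1.433", "last_report": "2003-03-10T08:00:00"},
    {"host": "ws-002",  "platform": "windows", "pattern": "1.431", "last_report": "2003-03-10T07:30:00"},
    {"host": "ws-003",  "platform": "windows", "pattern": "1.5",   "last_report": "2003-03-10T07:45:00"},
    {"host": "mail-01", "platform": "linux",   "pattern": "1.433", "last_report": "2003-03-07T09:00:00"},
    {"host": "gw-01",   "platform": "solaris", "pattern": "1.433", "last_report": "2003-03-10T08:10:00"},
]
CURRENT_PATTERN = "1.433"                 # constructed: version the management server just pushed
NOW = datetime(2003, 3, 10, 9, 0, 0)      # constructed: time of the compliance run
MAX_REPORT_AGE = timedelta(hours=24)      # constructed policy: an agent must check in daily


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 1.5 < 1.433; a plain string comparison would get this wrong."""
    return tuple(int(part) for part in version.split("."))


def check_endpoints(inventory: List[dict], current: str, now: datetime,
                    max_age: timedelta) -> Dict[str, List[str]]:
    """Return host -> reasons for every endpoint that is not in a known-good state."""
    findings: Dict[str, List[str]] = {}
    current_tuple = parse_version(current)
    for rec in inventory:
        reasons = []
        if parse_version(rec["pattern"]) < current_tuple:
            reasons.append(f"pattern {rec['pattern']} older than {current}")
        age = now - datetime.fromisoformat(rec["last_report"])
        if age > max_age:
            # A silent agent cannot be assumed current, whatever it last reported.
            reasons.append(f"no report for {age.total_seconds() / 3600:.0f}h")
        if reasons:
            findings[rec["host"]] = reasons
    return findings


def compliance_by_platform(inventory: List[dict], findings: Dict[str, List[str]]) -> Dict[str, float]:
    """Fraction of compliant hosts per platform, for the cross-platform view the article asks for."""
    totals: Dict[str, int] = {}
    compliant: Dict[str, int] = {}
    for rec in inventory:
        platform = rec["platform"]
        totals[platform] = totals.get(platform, 0) + 1
        if rec["host"] not in findings:
            compliant[platform] = compliant.get(platform, 0) + 1
    return {p: compliant.get(p, 0) / totals[p] for p in totals}


if __name__ == "__main__":
    findings = check_endpoints(INVENTORY, CURRENT_PATTERN, NOW, MAX_REPORT_AGE)
    for host, reasons in findings.items():
        print(f"{host:8} {'; '.join(reasons)}")
    for platform, ratio in compliance_by_platform(INVENTORY, findings).items():
        print(f"{platform:8} {ratio:.0%} compliant")
```

Run against the constructed inventory, the check flags ws-002 and ws-003 for stale pattern files and mail-01 for not reporting, leaving Windows at one third compliant, Linux at zero and Solaris at full coverage: exactly the per-platform gaps an outbreak would find first.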
In Passing
It can be safely said that corporations that pay little heed to security concerns run the risk of erosion of brand equity, apart from other allied problems like system failures, disgruntled customers, and, last but not least, the cost and time spent on systems revival.
The battle lines are drawn. And viruses are here to stay. But on the bright side, anti-virus companies have upped the ante, largely due to their investments in research and development. Anti-virus technologies are getting better and more powerful by the minute to combat attacks. Companies that do not address protection issues now must realize that the cost of avoidance is definitely more than the markup price of the product. As they say, prevention is better than cure. And in this case it's very much true.
Goh Chee Hoh is Regional Sales Director, Overseas Business Unit, Trend Micro Incorporated. He can be reached at goh_chee_hoh@trendmicro.com