Insufficient Scanning Frequency. In theory, a virus that infects a system at 8:59 a.m. could be caught a minute later if the network is routinely scanned at 9:00 a.m. The opposite case is just as likely: the network is scanned at 9:00 a.m. and becomes infected at 9:05 a.m. If the virus is a fast infector such as Dark Avenger or Frodo, then once it is resident in memory it infects not only programs that are executed but also those that are merely opened, and it has almost 24 hours of free rein in the network before the next scan. Worse, because many signature scanners open every file in order to examine it, running the scanner on a machine where such a virus is already resident can cause every program on that machine to be infected in a single pass.
Slow Scanning. Any scanner takes a finite amount of time to check a machine for viruses, perhaps five minutes or more. If the 70 million U.S. employees who use PCs each spend five minutes a day scanning and earn $15 an hour, the annual cost of scanning (260 working days a year) is more than $22 billion, and the cost of the time spent scanning exceeds the purchase price of the antivirus software after just a few weeks. More sophisticated tools cut this time drastically by comparing a checksum of each file against a stored baseline and examining in full only the files that have changed, rather than reading the entire contents of every file on every run. The more viruses a scanner must search for, the more places within a file it must examine, and the more files it must cover, the slower the scan. Because search strings must be held in memory, and memory is limited, two-pass products are likely to appear that load one set of strings, scan, then load a second set and scan again. Computers are faster now, but hard drives are also larger, so the time per scan does not shrink.
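The checksum approach described above, and the fast-infector caveat from the preceding paragraph, as an added example that is not code from the book or from any product it describes. A baseline of per-file digests is recorded once; on each later run only files that are new or whose digest has changed are handed to the slow full-content signature scanner. The directory tree, the file contents and the SIGNATURES patterns are constructed for the demo and are not real virus search strings.

```python
"""Change-driven scanning: an added example, not code from the book.

Keep a baseline of per-file digests (the "checksums" the text refers to) and
feed only new or changed files to the slow full-content signature scanner.
The directory tree, the file contents and the SIGNATURES patterns below are
constructed for the demo; they are not real virus search strings.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed demo patterns standing in for a scanner's search strings.
SIGNATURES = {
    "DEMO.Appender": b"DEMO-APPENDER-MARKER-7f3a",
    "DEMO.Overwriter": b"DEMO-OVERWRITER-MARKER-c2e1",
}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Digest every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def changed_since(root: Path, baseline: dict) -> tuple:
    """Return (files to scan, fresh baseline).

    A file is scanned when it is new or its digest differs from the baseline;
    files deleted since the baseline simply drop out of the new one.
    """
    current = build_baseline(root)
    to_scan = [rel for rel, dig in current.items() if baseline.get(rel) != dig]
    return to_scan, current


def signature_scan(path: Path, signatures=SIGNATURES) -> list:
    """Full-content search for known strings: the slow step we want to avoid."""
    data = path.read_bytes()
    return [name for name, pattern in signatures.items() if pattern in data]


def incremental_scan(root: Path, baseline: dict) -> tuple:
    """Scan only what changed. Returns (findings, files scanned, new baseline)."""
    to_scan, new_baseline = changed_since(root, baseline)
    findings = {}
    for rel in to_scan:
        hits = signature_scan(root / rel)
        if hits:
            findings[rel] = hits
    return findings, to_scan, new_baseline


def demo() -> dict:
    """Constructed run: baseline a small tree, alter one file, add one, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "bin" / "mail.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_bytes(b"plain text, nothing to see")

        # Baseline taken from a known-clean state (see the note after the code).
        baseline = build_baseline(root)
        _, first_scanned, baseline = incremental_scan(root, baseline)

        # Simulate an appending infector hitting mail.exe and a new program arriving.
        with (root / "bin" / "mail.exe").open("ab") as fh:
            fh.write(SIGNATURES["DEMO.Appender"])
        (root / "bin" / "new.exe").write_bytes(b"MZ" + b"\x02" * 64)
        findings, second_scanned, baseline = incremental_scan(root, baseline)

        return {
            "first_scanned": first_scanned,            # nothing changed: []
            "second_scanned": sorted(second_scanned),  # only the two touched files
            "findings": findings,                      # {"bin/mail.exe": ["DEMO.Appender"]}
            "tracked": len(baseline),                  # 4 files in the new baseline
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the text. A changed digest does not prove infection, it only marks what must be scanned in full, so the signature (or generic) check still runs on those files. And the baseline must be taken, and each comparison run, after booting from a known-clean medium: a resident fast infector would infect every program as the digest routine opened it, and a stealth virus such as Frodo hides the size and content change from programs reading the file on an infected system, so digests computed there would match a baseline even though the file is infected.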
Dependence on User Compliance. Traditional scanners do not work unless employees remember to run them. Some users value their own productivity and convenience more than their employer's security concerns and are not motivated to scan consistently. Even diligent users tend to become lax when a month of daily scans produces no alarms.
As long as there are hackers inventing new forms of malicious code, no antivirus vendor can guarantee that its products will completely eliminate viruses. There are, however, advanced products that come very close to providing the ideal defense, and knowledgeable implementation of advanced protection strategies and products is an effective deterrent to viruses in both the short and the long term.
The first priority for an antivirus strategy is that any defenses put in place must actually be used. Many approaches emphasize end-user convenience to the point of rendering the defenses useless. A company can, however, install antivirus software on its LAN servers so that each time a user logs in, the program checks for its own presence on the user's workstation. If the antivirus software is not present on the workstation, the program loads itself onto the PC and scans the PC's hard drive before allowing the user to continue. If it finds an earlier version of itself, or a modified version of itself, on the workstation, it loads the newer, clean version onto that workstation and scans. The entire process happens rapidly enough not to harm user productivity; many users do not even notice it happening.
This approach is far preferable to that of programs that depend on users remembering to scan periodically. Such programs leave holes in a system's defenses every time even one user forgets to scan, and users are often tempted to skip scanning, especially when it is slow, which makes the network's defense even more haphazard. Antivirus software should offer an unobtrusive way of forcing users to keep their machines clean.
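The login-time check described above, as an added example that is not code from the book or from any product it describes. A server-side routine compares the antivirus program on the workstation with the server's master copy at each login; if the workstation copy is missing, older, or modified (same version string but different bytes), the master copy is pushed down and a scan must complete clean before the login proceeds. The directory layout, the file names AV_EXE and VERSION_FILE, the DEMO_MARKER pattern and the scanner callback are all assumptions made for the demo.

```python
"""Login-time enforcement: an added example, not the book's or a vendor's code.

At login, compare the antivirus program on the workstation with the server's
master copy. If it is missing, older, or modified, push the master copy and
require a clean scan before the login is allowed to proceed. File names,
directory layout, the marker string and the scanner hook are assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

AV_EXE = "scan.exe"           # assumed name of the antivirus program file
VERSION_FILE = "version.txt"  # assumed: holds a dotted version such as "2.17"
DEMO_MARKER = b"DEMO-INFECTION-MARKER"  # constructed; not a real signature


def parse_version(text: str) -> tuple:
    """'2.17' -> (2, 17): compare numerically, since as strings '2.9' > '2.17'."""
    return tuple(int(part) for part in text.strip().split("."))


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def refresh_reason(server: Path, ws: Path):
    """Why the workstation copy must be replaced, or None if it matches."""
    if not (ws / AV_EXE).exists() or not (ws / VERSION_FILE).exists():
        return "missing"
    ws_ver = parse_version((ws / VERSION_FILE).read_text())
    srv_ver = parse_version((server / VERSION_FILE).read_text())
    if ws_ver < srv_ver:
        return "outdated"
    if sha256_of(ws / AV_EXE) != sha256_of(server / AV_EXE):
        return "modified"  # same version string, different bytes: tampered or infected
    return None


def run_scan(ws: Path, scanner) -> bool:
    """Run the scanner callback over every file; True means the workstation is clean."""
    return all(not scanner(p) for p in ws.rglob("*") if p.is_file())


def enforce_at_login(server: Path, ws: Path, scanner) -> dict:
    """Gate the login: refresh the AV if needed, then require a clean scan."""
    reason = refresh_reason(server, ws)
    if reason:
        shutil.copy(server / AV_EXE, ws / AV_EXE)
        shutil.copy(server / VERSION_FILE, ws / VERSION_FILE)
        clean = run_scan(ws, scanner)
    else:
        clean = None  # current copy already present: no forced scan in the book's flow
    return {"refreshed": reason, "clean": clean, "login_allowed": clean is not False}


def demo_scanner(path: Path) -> bool:
    """Stand-in scanner: flags any file carrying the constructed marker."""
    return DEMO_MARKER in path.read_bytes()


def demo() -> list:
    """Constructed sequence of logins; returns (refresh reason, login allowed) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        server, ws = Path(tmp) / "server", Path(tmp) / "ws"
        server.mkdir()
        ws.mkdir()
        (server / AV_EXE).write_bytes(b"MZ master copy 2.17")
        (server / VERSION_FILE).write_text("2.17")
        out = []

        def login():
            r = enforce_at_login(server, ws, demo_scanner)
            out.append((r["refreshed"], r["login_allowed"]))

        login()                                          # nothing installed yet
        login()                                          # now current: no action
        (ws / AV_EXE).write_bytes(b"MZ tampered copy")   # same version, altered bytes
        login()
        (ws / VERSION_FILE).write_text("2.9")            # stale (2.9 < 2.17)
        login()
        (ws / "game.exe").write_bytes(b"MZ" + DEMO_MARKER)  # infected program arrives
        (ws / VERSION_FILE).write_text("1.0")            # forces refresh and scan
        login()                                          # scan fails: login denied
        return out


if __name__ == "__main__":
    print(demo())
```

The hash comparison is what catches a "modified version of itself": a scanner binary that has been tampered with or infected keeps its version string, so a version check alone would accept it. The master copy on the server must itself be protected from modification (a read-only share is the usual arrangement), since every workstation inherits whatever it contains.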
Repelling Viruses Proactively. An antivirus strategy should be proactive: it should detect and repel viruses before they infect anything on the system. A signature scanner working as the sole defense of a network can do nothing more than occasionally report bad news. The ideal system must be able to stop boot-sector viruses before they infect and must be able to remove a virus without necessarily knowing which virus it is. Proactive antivirus software therefore combines signature scanning with multilevel generic detection, a memory-resident (TSR) monitor, and behavior blocking, so that it can remove both known and unknown viruses.
Comprehensive Security. Some antivirus software scans only for the 200 or so most common viruses, which account for the majority of infections. Protecting a system from these common viruses may seem sufficient, because the likelihood of infection by any other virus is slim. However, the ideal system is not one that usually works, or hardly ever misses a virus, but one that seals off every conceivable intrusion point.
In addition, viruses tend to spread regionally, turning up far more often in one country or geographic area than in others. If a virus that is common in a particular region is one the software treats as uncommon, the scanner may miss it. This is especially threatening for companies with international offices. Effective antivirus software uses a combination of traditional and proprietary heuristic techniques to ferret out even the trickiest viruses, Trojan horses, and logic bombs. Scanning alone is not sufficient; the most effective antivirus system uses the latest generation of defenses in concert.
Automatic Logging. Antivirus systems should record every security event so that managers stay informed about threats to their defenses. The records should include log-ins, log-offs, and program executions, with a separate log of failed log-in attempts. Effective antivirus software should also require a password at every boot-up and prevent access to the hard disks by any other route. After a period of keyboard inactivity, a time-out feature should lock out keyboard and mouse input. These logging and access-control requirements help management restrict physical access to workstations, which is vital to maintaining a protected environment.