of Virus Prevention
Copyright (C) 08/1994 by Howard Fuhs
This article is based on experience gathered through a large number of advisory talks with midsized and large corporations. This experience demonstrates the surprising fact that whereas the will to prevent infestations by computer viruses is present, the will to accept the necessary preventive measures is often lacking. In order to understand this problem it is necessary to examine through which channels computer viruses are introduced into larger organisations.
Only two physical possibilities for a computer virus to enter a computer exist: Network connections, and physical data media, in practice diskettes. By far the most common path of infection is through diskettes, so this is what we are going to look at here.
Over a number of years it has been demonstrated that computer virus infestations via diskettes always have the same sources. The most common path is through employees, i.e. persons internal to the company, who wish to entertain themselves during lunch breaks, bring games or other software from home and install it on company computers or even servers (work-related diskettes visiting home computers carry the same diseases). In most organisations this is in effect illegally installed software, partly because the copies are often pirated, and partly because it is normally a violation of company policy to install or use software that is not supplied by the company on company-owned computers.
The second most prevalent cause of computer virus infections turned out to be diskettes brought in by people visiting the company. In most cases these were service technicians bringing diskettes containing diagnostic software, drivers, etc.
An increasing number of infections are caused by driver software supplied with hardware components. This has mostly been the case with no-name products from the Far East, which are imported in very large quantities and traded at low prices. Because many users treat the diskettes supplied with this type of product with the same level of confidence as software from well-known software manufacturers, they cause a high and widespread infection rate.
An often overlooked source of infections is demo-diskettes supplied to companies and individuals for purposes of advertising. Many examples of infected diskettes of this type have been observed.
A very rare cause of infection is presented by brand name software on original distribution diskettes. It is true that a few spectacular cases have been seen, in which software has become infected in the production process and distributed. In most of those cases the manufacturers have been responsive and warned users, supplied free anti-virus software and virus-free replacement diskettes.
This list of sources of virus infection is far from complete, but it does contain the sources from which most infections actually originate.
Whoever takes a look at this list will probably reach the conclusion that the existence of diskette drives in computers of large organisations constitutes a considerable hole in the information security defence system. However, a number of possibilities do exist to successfully close this hole.
To close the security hole in a large organisation it is first necessary to conduct a bit of research to find out which of the computers present in the organisation really do need a diskette drive, and which do not. A number of factors influence this distinction, e.g. whether or not the computer is connected to a LAN, whether software maintenance is performed centrally from servers or each individual user is tasked with this process, whether the jobs performed on the individual computer require exchange of information or back-up on diskettes, etc.
Particularly in large organisations this exercise normally (surprise, surprise) shows that 90% of all diskette drives are not in everyday use, be it for software maintenance or exchange of information.
In most cases this result can confidently be taken to mean that these diskette drives are not required and could safely be removed from the computers. This type of drastic measure would undoubtedly reduce the security hole in question, but from a practical point of view removal of diskette drives is rarely a viable path to follow for a number of reasons. The most important of these is cost. It costs staff and time to open hundreds or thousands of computers to remove their diskette drives. Furthermore, diagnosing and repairing faulty computers without diskette drives is time-consuming and difficult. The normal procedure is to boot the computer from a diskette and use diagnostics software to isolate the fault, which is often repaired by means of additional software loaded from diskettes (hence the many virus infections brought by service technicians).
Many older computers containing obsolete BIOS types require a diskette drive to be installed for the computer to start in a reasonable manner, because these BIOSes do not allow the drive search sequence upon boot to be changed.
In other words, it is necessary to find other means to protect against the misuse and accidents brought about by the presence of readily available diskette drives in PCs, means which should preferably be economically attractive, maintenance free and administratively easy to implement.
One such relatively unknown but nevertheless very effective method does exist, namely locks that block the drive entrance slot. In large quantities these cost but a couple of ECUs (or Euros ?), take a few seconds to install, require no maintenance and are very effective in case the keys are stored centrally with the department information security function.
Although this article is oriented towards prevention of computer viruses it seems reasonable to mention that diskette drive locks also tend to help preventing data theft and industrial espionage.
Another possibility is to use a small resident utility, which demands a password from the user whenever an attempt is made to access the diskette drives. This type of program can easily be installed centrally across the network, and it is probably sufficient to discourage computer illiterate users. Employees with a bit more computer knowledge can easily bypass this type of preventive measure, at least if it is not particularly intelligently designed and integrated with the network software. A knowledgeable malicious attacker can always bypass this type of protection. Add to this that small nifty tricks to circumvent company-instituted measures often tend to travel fast, even to the less initiated part of the user base. In other words, this type of protection is of limited value.
For those who are less inclined to impose restrictive measures, but would rather bank on the cooperative spirit and intelligence of their user community, a number of different avenues exist. The most important of these is user training. Without educated users it is almost impossible to implement an efficient information security policy in any organisation. Unfortunately training is neglected in many organisations with the excuse that "we do not wish to turn every employee into a computer professional". Even proper computer user training of work leaders and department heads is often neglected, a potentially extremely expensive omission!
Good anti-virus software also offers the possibility to supervise diskette drive access. Whenever the user accesses the diskette drive the anti-virus scanner is automatically started and the inserted diskette examined for known viruses. Furthermore, whenever a Ctrl-Alt-Del boot is attempted, drive A: is first checked to see if a diskette resides in the drive. If this is the case the boot process is halted and the user asked if he really wishes to boot from the diskette, and if not, to remove it from the drive. This should prevent infections by boot sector viruses in most cases. This type of protection can also be bypassed by a knowledgeable user, but since the measure is hardly restrictive it is normally widely accepted by users. The level of user acceptance may be increased through schooling in this case, too.
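As an added illustration (not from the article, nor from any particular anti-virus product of the period), the following Python sketches the boot-time check described above: before a diskette in drive A: is allowed to boot, its 512-byte boot sector is read, the FAT boot-sector layout and 0x55AA signature are verified, and the boot code region is compared against a baseline hash of the known-good boot sector. The boot sectors, the boot code bytes and the baseline hash are all constructed here for the example.

```python
import hashlib
import struct

# Offset of the boot code when the jump at offset 0 is "EB 3C" (jmp short 0x3E).
BOOT_CODE_OFFSET = 0x3E


def build_boot_sector(boot_code: bytes) -> bytes:
    """Construct a 512-byte FAT12 boot sector for a 1.44 MB diskette (sample data)."""
    bpb = struct.pack(
        "<3s8sHBHBHHBHHHII",
        b"\xEB\x3C\x90", b"MSDOS5.0",  # jump + OEM name
        512, 1, 1, 2, 224, 2880,        # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors
        0xF0, 9, 18, 2, 0, 0,           # media descriptor, sectors/FAT, sectors/track, heads, hidden, large sectors
    )
    sector = bpb.ljust(BOOT_CODE_OFFSET, b"\x00") + boot_code
    return sector.ljust(510, b"\x00") + b"\x55\xAA"


def check_boot_sector(sector: bytes, baseline_hash: str) -> dict:
    """Return which of the three checks the sector passes."""
    result = {"valid_signature": False, "fat12_plausible": False, "boot_code_matches": False}
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        return result  # not a bootable sector at all; nothing more to inspect
    result["valid_signature"] = True
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    media = sector[21]
    result["fat12_plausible"] = (
        bytes_per_sector == 512 and sectors_per_cluster in (1, 2) and media in (0xF0, 0xF9, 0xFD)
    )
    # Boot code is the region a boot sector virus has to overwrite; compare it with the baseline.
    digest = hashlib.sha256(sector[BOOT_CODE_OFFSET:510]).hexdigest()
    result["boot_code_matches"] = digest == baseline_hash
    return result


def should_allow_boot(sector: bytes, baseline_hash: str) -> bool:
    """Decision the resident utility would make before letting the diskette boot."""
    return all(check_boot_sector(sector, baseline_hash).values())


# Constructed samples: a known-good boot stub, and the same sector with its code replaced.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\xEB\xFE"  # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; sti; jmp $
CLEAN_SECTOR = build_boot_sector(CLEAN_BOOT_CODE)
BASELINE_HASH = hashlib.sha256(CLEAN_SECTOR[BOOT_CODE_OFFSET:510]).hexdigest()
TAMPERED_SECTOR = build_boot_sector(b"\xE9\x00\x01" + CLEAN_BOOT_CODE)  # code diverted via an inserted jump
NO_SIGNATURE_SECTOR = CLEAN_SECTOR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR), ("no signature", NO_SIGNATURE_SECTOR)):
        print(name, check_boot_sector(sec, BASELINE_HASH), "boot allowed:", should_allow_boot(sec, BASELINE_HASH))
```

A real resident utility would read the sector with a BIOS disk call and keep the baseline in a protected location; here the comparison logic is what matters.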
As shown in this article it is indeed feasible to significantly reduce the security hole presented by freely available diskette drives. Problems regarding user or company acceptance can be managed as shown. No architect would design a building without door locks, and diskette drives are the entrances into computer systems. It is easy to understand that the same security used at the front door at home should also be used for computer doors.