This article focuses on how to protect against malicious software. The key to organizing effective antivirus protection is having an antivirus tool. To begin, consider the basic requirements that modern antivirus software must meet.
The requirements for antivirus software are the same as for other software products: ease of use, extensive functionality (determined by the ability to select different scanning modes) and high-quality virus detection. Despite the diversity of software products, the principles of their operation are the same. The main functions of modern antivirus software include:
- Scanning of memory and disk contents on a schedule;
- Scanning of computer memory, and of files as they are written and read, in real time using a resident module;
- Selective scanning of files whose attributes have changed: size, modification date, checksum, etc.;
- Scanning of archive files;
- Recognition of behavior characteristic of computer viruses;
- Remote installation, configuration and administration of antivirus programs from the system administrator's console; notification of the system administrator about virus-attack events by e-mail, pager, etc.;
- Forced scanning of computers connected to the corporate network, initiated by the system administrator;
- Remote updating of the antivirus software and virus databases, including automatic virus-database updates over the Internet;
- Filtering of Internet traffic to detect viruses in programs and documents transmitted over SMTP, FTP and HTTP;
- Identification of potentially dangerous Java applets and ActiveX modules;
- Operation on various server and client platforms, as well as in heterogeneous corporate networks;
- Keeping logs of events related to anti-virus protection.
As mentioned in the previous article, one of the main characteristics of modern virus attacks is their high rate of spread. In addition, new attacks appear frequently. Thus a key requirement for modern anti-virus software is frequent updating: the more often the product is updated, the higher its quality, because it accounts for all current virus threats.
It should be noted that in our country the most popular anti-virus solution is the Kaspersky Anti-Virus product family (AVP).
There is an opinion among users that, to protect successfully against the virus threat, it is enough to have an anti-virus tool. However, as one author put it, there are no silver bullets. Anti-virus software is a necessary but not sufficient condition for repelling a virus attack: besides having the tool, one must consider how it is used. Thus, protection against viruses in an organization should be governed by rules; in other words, it should be an element of a security policy that all users of the system understand and comply with (developing such a policy requires evaluating the risks associated with virus infection and reasonable ways to minimize them).
In order to formulate the basic principles of an anti-virus security policy, it is necessary to recall the following key points about a virus attack.
1. The virus attack consists of two phases - the infection phase and the distribution phase (and, possibly, the execution of destructive actions).
2. Modern viruses often spread not only with the help of executable files, but also with the help of document files of popular programs.
3. Modern viruses in the attack often use the capabilities of the Internet.
Consider what can be recommended to the user in order to prevent infection by viruses (obviously, the best way to fight an attack is to prevent it). To prevent virus attacks, it is recommended to take the following actions:
1. Configure the anti-virus software accordingly. To do this, apply the following settings:
  - scanning in real time, in the background or in a similar mode should be enabled;
  - at system startup, memory, the boot sector and system files should be scanned;
  - virus databases should be updated promptly;
  - it is desirable to scan all file types, or at least *.com and *.exe files, as well as *.vbs, *.shs and *.ocx files;
  - logging of all actions of the antivirus programs should be enabled.
2. Use only licensed software. Software obtained from an unknown source may be a Trojan or may be infected with a virus.
3. Restrict the set of programs that the user is able to install on the system (since extraneous programs may be infected with viruses or serve as a reason for the success of other attacks). Special attention should be paid to various Internet services and, above all, to message transfer programs such as IRC, ICQ, Microsoft Chat (these programs can transfer files and serve as a source of system infection).
4. In addition, it is desirable to eliminate known vulnerabilities in software (since their presence may be the reason a virus attack succeeds). Known vulnerabilities are usually published on Internet mailing lists, as well as on specialized sites. As a source of information about vulnerabilities, the database at www.securityfocus.com can be recommended.
5. Monitor the use of floppy drives and CDROM drives. Ideally, all information contained on floppy disks and CDROM disks should be scanned for viruses before being accessed by users of the computing system.
6. Develop an e-mail processing policy (as an integral part of the security policy). As noted in the previous article, e-mail is one of the most popular and fastest ways to spread viruses. To protect against virus penetration through e-mail messages, each user of the system must:
  - never open an attachment directly from the e-mail message it arrived in;
  - create a "quarantine" directory and save e-mail attachments into that directory;
  - if the sender of the message is unknown, the message with the attachment may simply be deleted; if the sender is known, the message with the attachment may still contain a virus. The general rule can be formulated as follows: never open e-mail attachments that were not requested or that the sender did not announce;
  - before opening an attachment, always check it with antivirus software;
  - if, after performing all these procedures, there are still doubts about whether the e-mail attachment is virus-free, contact the sender and ask about the attachment that was sent;
  - eliminate possible vulnerabilities in the e-mail client software.
7. Develop an application security policy (as an integral part of the security policy) for applications that process documents containing interpreted languages, especially when the Microsoft Office product family is used in the organization.
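As an added example of the quarantine rules in item 6 (not code from the article), the following Python script saves a message's attachments into a quarantine directory under a neutral name, records each file's SHA-256 for the antivirus scanner, and flags the file types named in item 1; the sample message, addresses and file names are constructed.

```python
# Added example (not the article's code): write every attachment to a quarantine
# directory under a neutral name, record its SHA-256 for the scanner, and flag the
# extensions the article lists (.com .exe .vbs .shs .ocx).  The mail is constructed.
import email
import hashlib
import os
import tempfile
from email import policy
from email.message import EmailMessage

# File types the article says must be scanned at a minimum.
RISKY_EXTENSIONS = {".com", ".exe", ".vbs", ".shs", ".ocx"}


def quarantine_attachments(raw_message: bytes, quarantine_dir: str) -> list:
    """Store each attachment; return (stored_name, sha256, risky) per attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    os.makedirs(quarantine_dir, exist_ok=True)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        # basename() drops any directory part the sender supplied: the file stays in quarantine.
        name = os.path.basename(part.get_filename() or "unnamed")
        ext = os.path.splitext(name)[1].lower()
        # No handler is registered for ".quarantined", so a stray double-click does not run it.
        stored = f"{digest[:12]}_{name}.quarantined"
        with open(os.path.join(quarantine_dir, stored), "wb") as fh:
            fh.write(data)
        report.append((stored, digest, ext in RISKY_EXTENSIONS))
    return report


def build_sample_message() -> bytes:
    """Constructed test mail: a text file plus a .vbs attachment (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Report"
    msg.set_content("See attached.")
    msg.add_attachment("quarterly figures", filename="report.txt")
    msg.add_attachment(b"' placeholder bytes, not a script", maintype="application",
                       subtype="octet-stream", filename="invoice.vbs")
    return msg.as_bytes()


def demo() -> list:
    """Run the sample mail through quarantine in a fresh temporary directory."""
    return quarantine_attachments(build_sample_message(), tempfile.mkdtemp())
```

Entries with the risky flag set are the ones to hand to the scanner before anything else is done with them.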
But suppose the infection has already happened. Consider what the user should do in this case. First of all, do not panic.
The first step to take when an attack on a system is detected is to identify it. To identify an attack successfully, it is often necessary to have a boot disk created when the system was installed, and to boot the system from it.
If the attack is identified by the antivirus, then everything is obvious. But if you are dealing with an unknown virus, in many cases the time it takes to identify the attack is critical. For this reason the user's ability to detect a virus attack quickly is of great importance (signs may include mass mailing, destruction of files, etc.). The difficulty of identifying an attack often depends on the complexity of the attack itself. At this stage, it is desirable to establish at least the following: the fact of the attack, the type of attack (network or local) and the source of the attack.
Regardless of the type of OS, pay attention to the following in the system:
- the integrity of the software used to detect the intruder;
- the integrity of security-critical programs and data;
- system operations and network traffic.
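As an added example (not code from the article), the following Python script implements the change detection from the function list above (size, modification date, checksum) as a baseline check over the security-critical files just mentioned; the file names and contents in demo() are constructed.

```python
# Added example (not the article's code): an integrity baseline for the files
# worth protecting (the scanner itself, security-critical programs and data),
# built from the attributes the article names: size, modification date, checksum.
import hashlib
import os
import tempfile


def file_record(path: str) -> dict:
    """Size, modification time (ns) and SHA-256 of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def check_baseline(baseline: dict) -> dict:
    """Return {path: reason} for every file that no longer matches; the checksum decides."""
    findings = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        new = file_record(path)
        if new["sha256"] != old["sha256"]:
            findings[path] = "content changed"
        elif new["mtime_ns"] != old["mtime_ns"]:
            findings[path] = "touched, content identical"
    return findings


def demo() -> dict:
    """Constructed scenario: baseline two files, then replace one with
    same-size content and restore its mtime, so only the checksum catches it."""
    work = tempfile.mkdtemp()
    tool, cfg = os.path.join(work, "scanner.bin"), os.path.join(work, "policy.cfg")
    for path, data in ((tool, b"A" * 32), (cfg, b"realtime=on\n")):
        with open(path, "wb") as fh:
            fh.write(data)
    baseline = {p: file_record(p) for p in (tool, cfg)}   # taken while known clean
    st = os.stat(tool)
    with open(tool, "wb") as fh:
        fh.write(b"B" * 32)                                 # same size, new bytes
    os.utime(tool, ns=(st.st_atime_ns, st.st_mtime_ns))    # hide the modification
    return check_baseline(baseline)
```

Size and date alone would report nothing here, which is why the checksum has to be part of the comparison.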
If you were able to determine the fact of virus infection by an unknown virus (or you have such reasonable suspicions), then it is advisable to contact the manufacturer of the antivirus software you use.
And finally, it is necessary to analyze the effects of the virus attack. If any valuable data were processed on your system, then you have, of course, backed them up; for this, the organization must have backup rules in place. Unfortunately, if no backup is available, the data may be lost (this depends not on you but on the attacker who wrote the virus that hit your system).
So we can draw the following conclusion: adequate means of protection, and discipline in applying them, make it possible, if not to avoid a virus attack, then at least to minimize its consequences.