Virus protection

This article is devoted to methods of protection against malicious software. The basis of effective antivirus protection is having antivirus software in place. First, let us look at the basic requirements that modern antivirus software should meet.

Antivirus software is subject to the same requirements as other software products: ease of use and broad functionality, determined by the ability to select different scanning modes, together with high quality of virus detection. Despite the variety of products, the principles of their operation are the same. The main functions of modern antivirus software are:

· scanning memory and the contents of disks on a schedule;

· scanning computer memory, as well as files being written and read, in real time with the help of a resident module;

· selectively scanning files whose attributes have changed (size, modification date, checksum, etc.);

· scanning archive files;

· recognizing behaviour typical of computer viruses;

· remote installation, configuration and administration of antivirus programs from the system administrator's console, and alerting the system administrator about virus-related events by e-mail, pager, etc.;

· forced checking of computers connected to the corporate network, initiated by the system administrator;

· remote updating of antivirus software and virus databases, including automatic updating of the virus databases over the Internet;

· filtering Internet traffic for viruses in programs and documents transmitted via the SMTP, FTP and HTTP protocols;

· detection of potentially dangerous Java applets and ActiveX modules;

· operation on various server and client platforms, as well as in heterogeneous corporate networks;

· keeping logs of events related to antivirus protection.

As noted in the previous article, one of the main characteristics of modern virus attacks is their high propagation speed; in addition, new attacks appear frequently. Thus a further requirement can now be placed on modern antivirus software: the frequency of its updates. The more often the product is updated, the higher its quality, because it takes account of all current virus threats.

It should be noted that in our country the most popular antivirus solution is the AVP product family from Kaspersky Lab.

Among users there is an opinion that having an antivirus is enough for successful protection against virus threats. However, as one author put it, there are no silver bullets. The presence of antivirus software is necessary, but not sufficient, to repel a virus attack: besides having the tool, one has to think through how it is used. Thus, protection against viruses in an organization should be governed by rules; in other words, it should be an element of the security policy that all users of the system understand and observe (to develop such a policy, one has to assess the risks associated with virus infection and reasonable ways to minimize them).

In order to formulate the basic principles of an antivirus security policy, the following main points about virus attacks must be kept in mind.

1. A virus attack consists of two phases: the infection phase and the propagation phase (possibly accompanied by destructive actions).

2. Modern viruses often spread not only through executable files, but also through document files of popular programs.

3. Modern viruses often use the capabilities of the Internet during an attack.

Let us consider what can be recommended to the user in order to prevent virus infection (obviously, the best way to combat an attack is to prevent it). To prevent virus attacks, it is recommended that you do the following:

1. Configure the antivirus software correctly. To do this, apply the following settings:

- real-time scanning (in the background or a similar mode) must be enabled;

- at system startup, memory, the boot sector and system files must be scanned;

- the virus databases must be updated in a timely manner;

- it is desirable to scan all file types, or at least *.com and *.exe files, as well as *.vbs, *.shs and *.ocx files;

- auditing (logging) of all actions of the antivirus programs must be set up.

2. Use only licensed software. Software obtained from an unknown source may be a Trojan or may be infected with a virus.

3. Limit the set of programs that the user is able to install on the system (because extraneous programs may be infected with viruses or enable other attacks). Particular attention should be paid to various Internet services and, above all, to messaging programs such as IRC, ICQ and Microsoft Chat (these programs can transfer files and thus serve as a source of infection of the system).

4. In addition, it is advisable to eliminate known vulnerabilities in the software (since their presence can be the reason a virus attack succeeds). Known vulnerabilities are usually published in Internet mailing lists, as well as on specialized sites. As a source of vulnerability information, the database at www.securityfocus.com can be recommended.

5. Monitor the use of floppy disk and CD-ROM drives. Ideally, all information on floppy disks and CD-ROMs should be checked for viruses before users of the computer system access it.

6. Develop an e-mail handling policy (as an integral part of the security policy). As noted in the previous article, e-mail messages are one of the most popular and fastest ways of spreading viruses. To protect against viruses penetrating through e-mail messages, each user of the system must:

- never open a mail attachment directly from the message it arrived in;

- create a "quarantine" directory and save mail attachments into it;

- if the sender of the message is unknown, the message with the attachment may simply be deleted; if the sender is known, the message with the attachment may still contain a virus. The general rule can be formulated as follows: never open mail attachments that were not requested or that the sender did not announce;

- always check the attachment with the antivirus software before opening it;

- if, after all these procedures, there are still doubts about whether the attachment is virus-free, contact the sender and ask about the attachment that was sent;

- eliminate possible vulnerabilities in the mail client software.

7. Develop an application security policy (especially when the Microsoft Office product family is used in the organization) for applications that process documents containing interpreted languages (as an integral part of the security policy).
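The e-mail rules in item 6 (never open an attachment from the message itself, save it into a quarantine directory, and treat unsolicited attachments as untrusted) and the file types singled out in item 1 can be turned into a small quarantine step that runs before any antivirus check. The following script is an added example, not code from the article: it parses a message with the Python standard library, writes each attachment into a quarantine directory under a sanitized name, records its SHA-256 for the audit log, and applies the article's general rule as a policy decision. The sample message, the `RISKY_EXTENSIONS` set, the `expected_senders` list and all function names are assumptions made for the example; the actual scan is left to whatever antivirus the organization uses.

```python
import hashlib
import os
import re
import tempfile
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# File types the article lists as the minimum to scan (item 1); treated here
# as executable content that must never be opened straight from the message.
RISKY_EXTENSIONS = {".com", ".exe", ".vbs", ".shs", ".ocx"}

# Constructed sample message (not a real e-mail): one text part and one
# unsolicited attachment carrying a double extension.
SAMPLE_EML = b"""From: Alice <alice@example.test>
To: bob@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file.
--XYZ
Content-Type: application/octet-stream; name="report.doc.vbs"
Content-Disposition: attachment; filename="report.doc.vbs"
Content-Transfer-Encoding: base64

c2FtcGxlIGF0dGFjaG1lbnQgYm9keQ==
--XYZ--
"""


def safe_name(filename):
    """Reduce an attachment name to a bare basename with a conservative
    character set, so a crafted name cannot escape the quarantine directory."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "unnamed"


def decide(expected, risky):
    """Apply the article's rule: attachments that were not requested or
    announced by the sender are not opened at all; everything else is scanned first."""
    if not expected:
        return "hold: unsolicited attachment, do not open (confirm with sender or delete)"
    if risky:
        return "hold: executable content, scan and confirm with sender before opening"
    return "scan with antivirus before opening"


def quarantine_attachments(raw_eml, quarantine_dir, expected_senders=()):
    """Write every attachment into quarantine_dir without opening it and return
    one record per attachment: sender, storage path, SHA-256 and the decision."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    expected = sender in {s.lower() for s in expected_senders}
    os.makedirs(quarantine_dir, exist_ok=True)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = safe_name(part.get_filename() or "unnamed")
        digest = hashlib.sha256(data).hexdigest()
        # Prefix with the hash so two different files with the same name never collide.
        path = os.path.join(quarantine_dir, f"{digest[:16]}_{name}")
        with open(path, "wb") as fh:
            fh.write(data)
        risky = os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS
        records.append({
            "sender": sender,
            "filename": name,
            "quarantine_path": path,
            "sha256": digest,
            "risky_type": risky,
            "expected": expected,
            "decision": decide(expected, risky),
        })
    return records


def demo(expected_senders=()):
    """Run the constructed sample message through a fresh temporary quarantine directory."""
    return quarantine_attachments(SAMPLE_EML, tempfile.mkdtemp(prefix="quarantine_"),
                                  expected_senders)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The `expected_senders` list stands in for "the sender announced the attachment": an attachment from an address not on it is held regardless of content, and even an announced attachment with an executable extension is held until it has been scanned and confirmed, which is exactly the order of steps the article prescribes.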

But suppose that infection has already occurred. Let us consider what the user should do in this case. First of all, do not panic.

The first step to take when an attack on the system is detected is to identify it. To identify an attack successfully, it is often necessary to have a boot disk created during system installation and to boot the system from it.

If the attack is identified by the antivirus, everything is obvious. But if you are dealing with an unknown virus, in many cases the time it takes to identify the attack is critical. Therefore the user's ability to detect a virus attack quickly (signs can be mass mailing, destruction of files, etc.) is of great importance. The difficulty of identifying an attack often depends on the complexity of the attack itself. At this stage it is desirable to establish at least the following: the very fact of the attack, the type of attack (network or local) and the origin of the attack.

Regardless of the OS type, you should pay attention to the following in the system:

· the integrity of the software used to detect the intruder;

· the integrity of programs and data critical for security;

· operations in the system and network traffic.
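Checking the integrity of the detection software and of critical programs and data, as the list above asks, and selecting files for rescanning by changed size, modification date or checksum, as the function list at the start of the article describes, both rest on the same mechanism: a baseline of file attributes taken while the system is known to be clean, compared later against the live system. The script below is an added example written for this article, not code from it or from any antivirus product. It fingerprints every file under a directory, stores the baseline as JSON, and reports files that appeared, disappeared or changed and which attribute changed; the sample tree, the tampering scenario and all function names are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 65536


def file_fingerprint(path):
    """The three attributes the article names for selective rescanning:
    size, modification time and a checksum (SHA-256 here)."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(root):
    """Fingerprint every file under root, keyed by a slash-separated relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep this copy where the running system cannot
    rewrite it (for instance on the boot media used for an offline check)."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report files that appeared, disappeared or changed, and which attributes changed.
    A file with the same size and mtime but a different checksum is the case a
    date/size-only check would miss, so all three attributes are compared."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("size", "mtime", "sha256")
                   if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def files_to_rescan(report):
    """What a selective antivirus scan should look at: new files and files whose attributes changed."""
    return sorted(set(report["added"]) | set(report["modified"]))


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then compare."""
    root = tempfile.mkdtemp(prefix="baseline_")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "scanner.exe"), "wb") as fh:
        fh.write(b"scanner v1")  # stands in for the antivirus engine itself
    with open(os.path.join(root, "config.ini"), "wb") as fh:
        fh.write(b"[scan]\nrealtime=1\n")
    store = os.path.join(tempfile.mkdtemp(prefix="store_"), "baseline.json")
    save_baseline(build_baseline(root), store)
    # Tampering: a same-length replacement of the scanner binary (size unchanged),
    # a new dropped file, and a deleted configuration file.
    with open(os.path.join(root, "bin", "scanner.exe"), "wb") as fh:
        fh.write(b"scanner v2")
    with open(os.path.join(root, "dropped.vbs"), "wb") as fh:
        fh.write(b"constructed sample content, not a real script")
    os.remove(os.path.join(root, "config.ini"))
    return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("rescan:", files_to_rescan(report))
```

In the scenario the replaced scanner binary keeps its size, so only the checksum (and possibly the timestamp) betrays the change; this is why the baseline has to include a checksum and why the baseline copy itself must live outside the reach of whatever has compromised the system.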

If you were able to establish infection by an unknown virus (or you have a reasonable suspicion of it), it is advisable to contact the manufacturer of the antivirus software you are using.

Finally, it is necessary to analyze the consequences of the virus attack. If valuable data was processed on your system, then of course you have a backup copy of it; to that end, the organization should develop backup rules. Unfortunately, if there is no backup, the data may be lost (this depends not on you but on the attacker who wrote the virus that hit your system).

So we can draw the following conclusion: adequate means of protection, applied with discipline, allow us, if not to avoid a virus attack, then at least to minimize its consequences.