This article covers methods of protection against malicious software. The basis of effective anti-virus protection is having anti-virus software in place. First, let us look at the basic requirements that modern anti-virus software should meet.
Anti-virus software is subject to the same requirements as other software products: ease of use and rich functionality, which here means the ability to select different scanning modes and high-quality virus detection. Despite the variety of products on the market, their principles of operation are the same. The main functions of modern anti-virus software are:
· Scanning memory and disk contents on a schedule;
· Scanning computer memory, as well as files being written and read, in real time using a resident module;
· Selective scanning of files whose attributes have changed (size, modification date, checksum, etc.);
· Scanning of archive files;
· Recognition of behaviour typical of computer viruses;
· Remote installation, configuration and administration of anti-virus programs from the system administrator's console; alerting the system administrator about virus-related events by e-mail, pager, etc.;
· Forced scanning of computers connected to the corporate network, initiated by the system administrator;
· Remote updating of anti-virus software and virus databases, including automatic updating of virus databases over the Internet;
· Filtering Internet traffic for viruses in programs and documents transmitted over SMTP, FTP and HTTP;
· Detection of potentially dangerous Java applets and ActiveX controls;
· Operation on various server and client platforms, as well as in heterogeneous corporate networks;
· Keeping logs that record anti-virus protection events.
As noted in the previous article, one of the main characteristics of modern virus attacks is their high propagation speed; another is the high frequency with which new attacks appear. An additional requirement for modern anti-virus software is therefore the frequency of its updates: the more often the product is updated, the higher its quality, since it accounts for all current virus threats.
It should be noted that in our country the most popular anti-virus solution is Kaspersky Lab's AVP product family.
Many users believe that having an anti-virus is enough to protect against virus threats. However, as one author put it, there are no silver bullets. Anti-virus software is necessary but not sufficient to repel a virus attack: besides having the tool, one must think through how it is used. Protection against viruses in an organization should therefore be governed by rules, in other words, be part of a security policy that all users of the system understand and observe (developing such a policy requires assessing the risks associated with virus infection and reasonable ways to minimize them).
In order to formulate the basic principles of an anti-virus security policy, the following main points about virus attacks must be kept in mind.
1. A virus attack consists of two phases: the infection phase and the distribution phase (possibly including the execution of destructive actions).
2. Modern viruses are often spread not only through executable files but also through document files of popular programs.
3. Modern viruses often make use of Internet capabilities during an attack.
Let us consider what can be recommended to a user to prevent virus infection (obviously, the best way to combat an attack is to prevent it). To prevent virus attacks, the following actions are recommended:
1. Configure the anti-virus software correctly. To do this, apply the following settings:
Ø real-time scanning (in the background or a similar mode) must be enabled;
Ø at system startup, memory, the boot sector and system files should be scanned;
Ø virus databases must be updated in a timely manner;
Ø it is desirable to scan all file types, or at least *.com and *.exe files, as well as *.vbs, *.shs and *.ocx files;
Ø auditing of all actions of the anti-virus programs should be enabled.
2. Use only licensed software. Software obtained from an unknown source may be a Trojan or be infected with a virus.
3. Limit the set of programs that users are able to install on the system (since extraneous programs may be infected with viruses or enable other attacks to succeed). Particular attention should be paid to various Internet services, and first of all to messaging programs such as IRC, ICQ and Microsoft Chat (these programs can transfer files and thus serve as a source of infection).
4. In addition, known vulnerabilities in the software should be fixed (since their presence can be a cause of successful virus attacks). Known vulnerabilities are usually published on Internet mailing lists and on dedicated sites; as a source of vulnerability information, the database at www.securityfocus.com can be recommended.
5. Monitor the use of floppy disk drives and CD-ROM drives. Ideally, all information on floppy disks and CD-ROMs should be checked for viruses before users of the computer system access it.
6. Develop an e-mail handling policy (as an integral part of the security policy). As noted in the previous article, e-mail messages are one of the most popular and fastest ways of spreading viruses. To protect against the penetration of viruses through e-mail, each user of the system must:
Ø never open a mail attachment directly from the message in which it arrived;
Ø create a "quarantine" directory and save mail attachments to it;
Ø if the sender of the message is unknown, the message with the attachment may simply be deleted; if the sender is known, the message with the attachment may still contain a virus. The general rule can be formulated as follows: never open mail attachments that were not requested or that the sender did not announce in advance;
Ø always check the attachment with the anti-virus software before opening it;
Ø if, after all these procedures, there are still doubts about whether the mail attachment is virus-free, you can contact the sender and ask about the attachment that was sent;
Ø eliminate possible vulnerabilities in the mail client software.
7. Develop an application security policy for programs that process documents containing interpreted languages (especially when the Microsoft Office product family is used in the organization), as an integral part of the security policy.
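The attachment rules above can be enforced mechanically rather than left to the user's discipline. The following is an added example, not code from the original article: it takes a raw mail message, writes every attachment into a dedicated quarantine directory under its content hash (so no filename ever lands there ready to be double-clicked), and flags the executable extensions listed in the anti-virus configuration advice (*.com, *.exe, *.vbs, *.shs, *.ocx). The sample message, the verdict names and the quarantine path are constructed for this example.

```python
"""Quarantine mail attachments instead of opening them in place.

Added example, not part of the original article. Every attachment is
written to a quarantine directory, named after its SHA-256, and flagged
if its extension is one of the executable types the article lists. The
sample message is constructed inline; the RISKY_EXTENSIONS set and the
verdict strings are this example's own choices.
"""
import hashlib
import os
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extension list taken from the article's configuration advice (item 1);
# a real policy would extend it.
RISKY_EXTENSIONS = {".com", ".exe", ".vbs", ".shs", ".ocx"}


def build_sample_message() -> bytes:
    """Construct a sample message with two attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Report and installer"
    msg.set_content("See the attached files.")
    msg.add_attachment(b"quarterly figures", maintype="text",
                       subtype="plain", filename="report.txt")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


def quarantine_attachments(raw_message: bytes, quarantine_dir: str) -> list:
    """Save every attachment to quarantine_dir and return one record per file.

    Each record holds the original filename, the quarantine path, the
    SHA-256 of the content and a verdict: "executable" for the risky
    extensions, "unknown" otherwise (meaning: still scan before opening).
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        ext = os.path.splitext(name)[1].lower()
        # Store under the hash, not the original name: a crafted filename
        # can neither escape the directory nor be opened by a casual click.
        path = os.path.join(quarantine_dir, digest + ".quarantined")
        with open(path, "wb") as fh:
            fh.write(data)
        verdict = "executable" if ext in RISKY_EXTENSIONS else "unknown"
        records.append({"filename": name, "path": path,
                        "sha256": digest, "verdict": verdict})
    return records


def demo() -> list:
    """Run the quarantine step on the constructed message."""
    qdir = tempfile.mkdtemp(prefix="quarantine-")
    return quarantine_attachments(build_sample_message(), qdir)


if __name__ == "__main__":
    for rec in demo():
        print(rec["verdict"], rec["filename"], rec["path"])
```

The verdict is deliberately not a clean bill of health: "unknown" means the file still has to be scanned by the anti-virus before anyone opens it, which is exactly the order of steps the policy prescribes.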
But suppose that an infection has already occurred. Let us consider what the user should do in that case. First of all, do not panic.
The first step to take when an attack on the system is detected is to identify it. To identify an attack successfully, it is often necessary to have the boot disk created during system installation and to boot the system from it.
If the attack is identified by the anti-virus, everything is clear. But if you are dealing with an unknown virus, in many cases the time it takes to identify the attack is critical. The user's ability to quickly notice the signs of a virus attack (such as mass mailing, destruction of files, etc.) is therefore very important. The difficulty of identifying an attack often depends on the complexity of the attack itself. At this stage, it is desirable to establish at least the following: the fact of the attack itself, the type of attack (network or local) and the source of the attack.
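Mass mailing is one of the signs named above, and it is visible in ordinary mail server logs before any signature exists for the virus. The following is an added example, not code from the original article: it parses outbound-mail log lines and flags any sender that reaches more than a set number of distinct recipients within a sliding time window. The log line format, the threshold (20 recipients in 60 seconds) and the sample lines are all constructed for this example and do not come from any real mail server.

```python
"""Spot a mass-mailing burst in outbound mail logs.

Added example, not part of the original article. The line format,
threshold and sample data are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<YYYY-MM-DD HH:MM:SS> from=<sender> to=<recipient>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>$")


def parse_line(line: str):
    """Return (timestamp, sender, recipient) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("sender").lower(), m.group("rcpt").lower()


def detect_mass_mailing(lines, window_seconds=60, max_recipients=20):
    """Return {sender: peak distinct recipients} for every sender over the limit.

    For each sender a sliding window of (timestamp, recipient) events no
    older than window_seconds is kept; the number of distinct recipients in
    that window is the signal. Lines are assumed to be in time order, as in
    a real log file.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line: ignore, do not abort
        ts, sender, rcpt = parsed
        q = windows[sender]
        q.append((ts, rcpt))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_recipients:
            flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged


def sample_log():
    """Constructed sample: two normal messages from alice, a burst from bob."""
    lines = [
        "2003-02-12 09:00:00 from=<alice@corp.example> to=<carol@corp.example>",
        "2003-02-12 09:00:30 from=<alice@corp.example> to=<dave@corp.example>",
        "2003-02-12 09:00:31 unrelated line that does not match the format",
    ]
    for i in range(25):
        lines.append("2003-02-12 09:01:%02d from=<bob@corp.example> "
                     "to=<user%02d@partner.example>" % (i, i))
    return lines


if __name__ == "__main__":
    for sender, peak in detect_mass_mailing(sample_log()).items():
        print("possible mass mailing from %s (%d recipients)" % (sender, peak))
```

Counting distinct recipients rather than raw messages keeps a legitimate back-and-forth thread with one correspondent from tripping the rule, while a worm that sends itself to an address book shows up within the first minute.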
Regardless of the OS type, pay attention to the following in the system:
· the integrity of the software used to detect the intruder;
· the integrity of programs and data critical for security;
· operations in the system and network traffic.
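Checking the integrity of the detection tools and of security-critical programs (the first two points above) needs a baseline taken while the system was known to be clean; the same baseline also supports the selective scanning of files with changed size, modification date or checksum listed among the anti-virus functions at the start of the article. The following is an added example, not code from the original article: it records size, mtime and SHA-256 for every file under a directory and later reports modified, added and missing files. The `trust_mtime` switch is this example's own device for showing the difference between the two uses: a scheduled selective scan may skip files whose size and mtime are unchanged, while a post-incident integrity check must hash everything, because a tampered file can be given its old attributes back. The sample directory and its contents are constructed.

```python
"""File integrity baseline for critical programs and data.

Added example, not part of the original article. Baseline format, the
trust_mtime switch and the sample tree are this example's own construction.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record size, mtime and SHA-256 of every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "size": st.st_size, "mtime": int(st.st_mtime),
                "sha256": sha256_file(full)}
    return baseline


def check_integrity(root: str, baseline: dict, trust_mtime: bool = False) -> dict:
    """Compare the tree under root with a baseline.

    Returns {"modified": [...], "added": [...], "missing": [...]}. With
    trust_mtime=True (cheap scheduled scan) a file whose size and mtime
    match the baseline is not re-hashed; with trust_mtime=False (integrity
    check after a suspected attack) every file is hashed regardless.
    """
    current = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            old = baseline.get(rel)
            if (trust_mtime and old and old["size"] == st.st_size
                    and old["mtime"] == int(st.st_mtime)):
                current[rel] = old  # attributes unchanged: skip the hash
                continue
            current[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                            "sha256": sha256_file(full)}
    return {
        "modified": sorted(p for p in current if p in baseline
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: baseline, then tampering that preserves attributes."""
    root = tempfile.mkdtemp(prefix="integrity-")
    scanner = os.path.join(root, "bin", "scanner")
    tool = os.path.join(root, "bin", "tool")
    _write(scanner, b"#!/bin/sh\necho scanning\n")
    _write(tool, b"original tool\n")
    _write(os.path.join(root, "config.ini"), b"[av]\nrealtime=1\n")
    baseline = build_baseline(root)
    # Tamper with the scanner using same-length content and restore its mtime,
    # then drop a new file and remove another.
    st = os.stat(scanner)
    _write(scanner, b"#!/bin/sh\necho tampered\n")
    os.utime(scanner, (st.st_atime, st.st_mtime))
    _write(os.path.join(root, "bin", "dropper"), b"unexpected\n")
    os.remove(tool)
    return {"quick": check_integrity(root, baseline, trust_mtime=True),
            "full": check_integrity(root, baseline)}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

In the constructed scenario the quick scan reports the added and missing files but misses the tampered scanner, while the full check catches all three. The baseline itself has to be stored where the compromised system cannot rewrite it, for instance on the installation boot disk the article recommends keeping.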
If you have determined that the system is infected by an unknown virus (or have a reasonable suspicion of it), it is advisable to contact the vendor of the anti-virus software you are using.
Finally, the consequences of the virus attack must be analyzed. If valuable data was processed on your system, then of course you have a backup copy of it; for this, the organization must have developed backup rules. Unfortunately, if no backup is available, the data may be lost (at that point it no longer depends on you, but on the attacker who wrote the virus that struck your system).
We can therefore draw the following conclusion: adequate means of protection and discipline in their use make it possible, if not to avoid a virus attack, then at least to minimize its consequences.