Beating Viruses the Smart Way

Email. Love it or loathe it, email is now synonymous with doing business, and most people would feel hopelessly lost without it.

Unfortunately we all know the downside of email: aside from irritating and sometimes offensive spam messages, it can act as a conduit for malware.

The term malware encompasses a host of rotten software designed to undermine your system at best or steal personal and financial data at worst.

It’s quite a broad term that covers a variety of malicious code.

1. Viruses are probably the best-known form of malware. A virus is a self-replicating piece of code that can spread from one computer to another, but in fact there are different types of virus that can infect a machine.

2. Worms take advantage of security flaws in software such as Internet browsers or spreadsheets. They are self-replicating and will search for machines that have the appropriate security flaw before replicating.

3. Email viruses come in different varieties and will use an email address book to send infected messages to other machines, often fooling a user into opening a message because it seems to have originated from a friend or colleague.

4. Trojans are not really viruses in the accepted sense of the word, as they cannot replicate automatically. Instead a Trojan is carried inside another file or piece of software.

For example, you may download some software designed to improve your Internet connection speed without realising that it contains keystroke-logging software, so each time you tap a key the details are recorded.

This data is then used by hackers who will search it looking for strings of letters that could be passwords.

Email can be used to spread Trojan files, and these need to be detected by your antivirus software.

In 2005, the Crime and Security Survey conducted by CSI/FBI reported that 84% of organisations get infected by a computer virus at least once a year, with associated financial losses being between $200,000 and $525,000 per annum.

In addition to destructive viruses there are many thousands of virus hoaxes each year, all of which need to be assessed and dealt with appropriately.

Defending yourself against malware

This has historically been fairly straightforward. Organisations or individuals take out a subscription to an antivirus product delivered by one of the major industry players and then sit back in the belief that the problem has now gone away and they will never be affected by malware again.

Unfortunately there is a slight flaw in this solution, which is due to the architecture of antivirus software.

When antivirus software is first purchased you install the product across your IT estate.

This provides a set of antivirus tools and utilities that allows you to scan incoming messages and files for any malware.

In addition to these tools there are signature files that are tailored to defeat individual viruses and pieces of malware.

A signature file is a bit like a set of instructions that tells the antivirus tool what to look for when searching for a specific virus and then how to deal with it once it has been found.

The problem with this approach is that the signature files you have just installed are out of date the minute you download them from the vendor's web site, because hackers are producing new viruses and malware on an almost hourly basis.

PC SecurityShield, an antivirus and firewall software manufacturer, estimates 40 new viruses are found each day.

Not every one of these 40 viruses will necessarily pose a huge risk to your IT infrastructure as many of these hackers are inexperienced “script kiddies” producing poor code that falls at the first hurdle.

What you do need to worry about is the top 10% of this malware that has been written by competent coders able to disrupt the inner workings of your IT systems.

Novel new ways to fend off malware attacks

To maintain the protection of your IT systems each antivirus vendor will offer regular updates to their virus signature files.

These files, issued on a regular basis, contain details of the latest threats discovered across the Internet and how each individual threat can be defeated.

By downloading these signature files and maintaining an up-to-date virus dictionary you essentially boost your immunisation against the latest viruses running wild on the Web.

But what if a virus is so new there is no signature file?

To cope with threats that are still emerging many antivirus engines will use techniques that do not rely on a signature file.

Heuristics is an approach used by a number of antivirus vendors.

This technique looks at the nature of a file and checks whether it resembles a typical well-formed file of that type, or whether it has odd features that appear suspicious.

It will also look at the way the file behaves. For example, if a program file attempts to write data to another executable file, the heuristics engine should catch this behaviour and flag it as possible malware activity.
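As an added illustration of the structural side of heuristics (this is example code, not part of the article or of any vendor's engine), the checker below compares what an attachment claims to be with what its leading bytes actually are. The sample attachments, the `PE_BYTES` stub and the magic-number table are all constructed for the example.

```python
import os
import struct

# Minimal PE image (constructed): MZ stub, e_lfanew at 0x3C pointing to "PE\0\0" at 0x80.
PE_BYTES = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample attachments (not from the article), keyed by declared file name.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notes.txt": b"Meeting moved to 10am.\n",
    "invoice.doc": PE_BYTES,       # executable hiding behind a document extension
    "holiday.jpg.exe": PE_BYTES,   # double extension, a classic email-worm trick
}

# Leading bytes a well-formed file of each type is expected to carry.
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")

def is_pe_executable(data: bytes) -> bool:
    """True if data carries an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def heuristic_flags(name: str, data: bytes) -> list:
    """Return reasons this attachment looks unlike a well-formed file of its declared type."""
    ext = os.path.splitext(name.lower())[1]
    flags = []
    if is_pe_executable(data) and ext not in EXEC_EXTS:
        flags.append("executable content under non-executable extension")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        flags.append("header does not match declared %s format" % ext)
    if ext in EXEC_EXTS and name.count(".") >= 2:
        flags.append("double extension hiding an executable")
    return flags

def scan_samples() -> dict:
    """Run the heuristics over every constructed sample; an empty list means nothing odd."""
    return {name: heuristic_flags(name, data) for name, data in SAMPLES.items()}
```

A real engine layers many more checks (packer detection, entropy, behaviour in a sandbox) on top of this, but the principle is the same: flag what does not look like a well-formed file of its type.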

Sandboxing is a technique used mainly during a scheduled scan of a PC, because of its fairly resource-intensive methodology.

The antivirus software runs the executable files under test in a protected virtual machine sandbox and any suspicious activities are then flagged as possible viruses or malware.

Protecting your system by using the Onion technique

So how can you improve the malware protection on your systems?

If you remember back to your school history lessons and possibly field trips to medieval castles, a few things probably spring to mind, apart from the soggy sandwiches.

First, castles were normally built high on a hill with commanding views across the countryside.

This gave an early view of any attacking army and forced any belligerents to attack uphill, a difficult and tiring process.

Second, the chances are you had a water-filled moat, with the only access to the castle via a drawbridge, defended on the castle side by a vertical portcullis gate.

The castle had thick walls and inside the castle was the inner keep, itself being a miniature castle in its own right.

Only by penetrating all these defensive layers could you take hold of the castle and capture the crown jewels.

This technique is called "defence in depth".

By applying the same approach to defence against malware we realise that whilst a specific vendor’s antivirus solution may be an excellent outer moat, we have no defences once that has been penetrated.

The key to the solution is to layer in extra defences, like layers of an onion.

With the volume of new viruses only ever going up it makes sense to consider the use of multiple virus engines working together in an orchestrated fashion.

If we recall the use of virus signature files the flaw in this approach is fairly obvious.

If you subscribe to a single vendor solution what happens if that vendor is tardy in releasing an updated signature file to a specific threat?

That is not as far-fetched as it may seem, as the spread of signature file release times from major vendors can range from hours to days.

Naturally, it is in the antivirus vendors' interest to get new signature files out quickly, but for a variety of reasons they may be delayed in responding to specific threats.

There does not appear to be a pattern to the timeliness of signature file releases: one day one vendor may be first, and the next day another vendor may be first.

If you happen to be subscribing to the service from the slower vendor, then your threat window remains open longer and you are vulnerable to malware attacks.
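To put numbers on the threat-window argument above, here is an added example (not from the article, and the vendors, threats and release times are all constructed) that measures how long the window stays open under a single-vendor subscription versus several engines orchestrated together, where the window closes as soon as the first engine has a signature.

```python
from datetime import datetime

# Constructed data (not from the article): first sighting of three hypothetical threats
# and the time each hypothetical vendor shipped a signature for it (None = no signature yet).
FIRST_SEEN = {
    "threat-A": datetime(2005, 3, 1, 9, 0),
    "threat-B": datetime(2005, 3, 2, 14, 0),
    "threat-C": datetime(2005, 3, 4, 8, 30),
}
RELEASES = {
    "vendor-1": {"threat-A": datetime(2005, 3, 1, 15, 0),
                 "threat-B": datetime(2005, 3, 2, 18, 0),
                 "threat-C": datetime(2005, 3, 6, 8, 30)},
    "vendor-2": {"threat-A": datetime(2005, 3, 2, 9, 0),
                 "threat-B": datetime(2005, 3, 2, 16, 0),
                 "threat-C": datetime(2005, 3, 4, 14, 30)},
    "vendor-3": {"threat-A": datetime(2005, 3, 1, 12, 0),
                 "threat-B": datetime(2005, 3, 3, 14, 0),
                 "threat-C": None},
}

def exposure_hours(vendors, threat):
    """Hours the threat window stays open: from first sighting until the earliest
    signature among the chosen engines. Infinite if none of them has one yet."""
    times = [RELEASES[v].get(threat) for v in vendors]
    times = [t for t in times if t is not None]
    if not times:
        return float("inf")
    return (min(times) - FIRST_SEEN[threat]).total_seconds() / 3600

def mean_exposure(vendors):
    """Average window across all threats for a given set of engines."""
    return sum(exposure_hours(vendors, t) for t in FIRST_SEEN) / len(FIRST_SEEN)

def first_to_respond(threat):
    """Which vendor closed the window first for this threat (the order varies per threat)."""
    dated = {v: r[threat] for v, r in RELEASES.items() if r.get(threat) is not None}
    return min(dated, key=dated.get)

def compare_strategies():
    """Mean exposure per single-vendor subscription versus all engines orchestrated together."""
    single = {v: mean_exposure([v]) for v in RELEASES}
    combined = mean_exposure(list(RELEASES))
    return single, combined
```

With this data the best single vendor averages just under 11 hours of exposure and the combined set under 4, which is the whole of the orchestration argument: you never do worse than your fastest vendor on any given threat.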

A Jack of All Trades defence

It is now possible to layer in malware defences and draw together multiple antivirus engines in one solution, giving you the castle moat, drawbridge, walls and inner keep in one go.

GFI MailSecurity for Exchange/SMTP is a product that uses multiple industry leading virus scanners to orchestrate a thorough antivirus, exploit detection and threat analysis defence.

It uses antivirus engines from Norman and BitDefender to scan all incoming email. To bolster defences even further, you can add additional virus scanning technology from Kaspersky, McAfee and AVG Anti-Virus.

Having access to 4 or 5 antivirus engines will not deliver 4 or 5 times more security, but it will massively improve your chances of avoiding an email-borne virus, as your threat window closes automatically as soon as the first vendor has released the virus signature file.

In addition you will make use of multiple vendors' heuristics-based antivirus technologies, ensuring that you are as far ahead of the game as you are ever likely to be.

In this day and age it is critical that we all have as many defensive advantages as possible. Multiple antivirus engines deliver this advantage, so why not consider it for your systems?