VIRUS CONTROL PROCEDURES
1. PURPOSE: The following components provide prevention,
detection, identification and recovery from computer viruses. This
handbook contains mandatory Information Resource procedures for:
a. Reducing the vulnerability of SAO servers, personal computers, and
local/wide area networks (LAN/WAN) to the threat of computer viruses and
other forms of malicious code.
b. Ensuring timely detection of computer virus infections.
c. Providing a reliable means for containing and eliminating infections
when they do occur.
2. BACKGROUND. The following provides the background information
necessary for a basic understanding of the computer virus threat:
a. What is a computer virus? A computer virus is a malicious software
program with the ability to replicate itself, thereby spreading from
computer to computer. The result of this infestation may simply be
annoying, such as a display of messages or minor degradation of system
performance. Viruses can also have catastrophic consequences, such as the
complete destruction of all programs and data stored on a system's hard
disks. Damages may not be limited to individual computers as accessible
network disk drives may be infected and become a standing source of
infection for other connected computers. Viruses may modify or destroy
data rendering systems and possibly entire networks unusable. For the sake
of simplicity in this document, any type of malicious program code will be
referred to as a virus.
b. There are four types of viruses: The boot sector infector, the file
infector, the companion virus and the Macro virus. Some viruses fit into
more than one category because they infect boot sectors and files and so
are called multipartite viruses. Some of these viruses may try to hide
themselves by taking control of the operating system; these viruses are
called stealth viruses. Some viruses encrypt themselves so every infection
appears to be different; these are called encrypted viruses.
(1) The Boot Virus. The boot sector virus writes itself
into the DOS system area on the floppy disks and hard disks it
infects. This type of virus accounts for over 70% of all reported
virus infections. It can only be passed to your computer when you
inadvertently attempt to boot from a floppy disk left in the disk
drive (generally people boot their computers from the hard drive).
Once the computer's hard disk has become infected, the computer
becomes a source for spreading the virus. The virus becomes active
each time the system boots up and writes itself out to every floppy
that passes through your computer. The boot virus cannot infect a
network and cannot be passed throughout the organization through the
LAN.
(2) The File Virus. The file virus, or program virus as it
is often called, infects program files by attaching itself to them
or overwriting a portion of the program with the virus code. These
viruses are easily passed over LAN/WANs or any other network,
including the Internet. They can be sent as attachments to e-mail or
placed on electronic bulletin boards for the unsuspecting to download.
They become active when the program they are attached to is executed.
(3) The Companion Virus. The companion virus may exist as a
duplicate file but have the COM extension instead of the EXE
extension. The COM companion virus executes first and after becoming
active, it passes control back to the EXE which executes normally.
There is also a type of companion virus that modifies the pointers in
the directory to point to a virus instead of the intended program.
When a user attempts to execute a program, the virus executes and
after becoming active, it executes the program that the computer user
actually was trying to execute.
(4) The Macro Virus. Many software products include macro
programming languages or tools that allow users to automate
tasks that were once repetitive. Due to the continual enhancements
developers have made to these macro languages, many are now
sophisticated enough to create malicious programs which technically
are computer viruses. Macro viruses can replicate and spread from
computer to computer, so they technically fall into the realm of the
computer virus.
c. There are three main components to the logic code of a virus: the
replication logic, trigger logic, and the attack or bomb logic. The
replication logic is the portion of code that allows the virus to
replicate itself; the trigger logic decides whether to attack or go
dormant (replicate but not attack); and the attack logic destroys data or
could be a relatively benign taunting message.
d. Other Forms of Malicious Programs. Though not covered specifically,
many of the procedures described within this Chapter are equally
applicable to other forms of malicious program code.
3. RESPONSIBILITIES
a. The Chief Information Officer will:
(1) Manage the SAO Computer Virus Protection Program. Collect AIS
security violation and incident information consistent with SAO AIS
Security Incident Reporting policy (Chapter 3, SAO Handbook 6210).
Maintain reports of incidents and share information on detection and
removal of acute infections.
(2) Establish and disseminate virus protection procedures and
guidelines to SAO organizations on the prevention, detection, and removal
of computer viruses.
(3) Serve as the Office point-of-contact for virus-related issues,
including information on reputable anti-virus software and the identity of
local SAO office AIS security representatives.
(4) Provide Office-wide technical assistance in response to virus
incidents, by recommending anti-virus software or other methods of
detection and removal.
(5) Consult with automation personnel and SAO network administrators
(those having the responsibility of managing or maintaining a PC-based
network) regarding virus prevention, detection and identification, and
recovery procedures.
(6) Conduct reviews as necessary to ensure compliance with the
mandatory security program requirements.
(7) Ensure that maintenance contracts with consultants, repair
technicians and troubleshooters contain security requirements for non-VA
employees to follow, and include security measures, such as virus
scanning and prevention techniques.
b. All SAO Divisions and offices shall:
(1) Report any virus incident immediately to IR.
(2) Assist the IR in responding to virus incidents.
(3) Contribute to the free flow of information concerning viruses by
reporting incidents to IR or the CIO.
(4) Assist the division IO in compliance reviews of the virus program.
c. SAO Network System Administrators will:
(1) Where a network utility, facility, or mechanism exists, restrict
network users so they cannot write to program files on network drives.
Installed programs are never written to and so should be set as "read
only" or "execute only." When possible, access controls should be set to
prevent even network administrators from being able to write to program
files (though they should have "delete" privileges). Doing this
will prevent computer viruses from attaching to program files that are
shared by all.
(2) Follow virus protection, detection and identification, and recovery
policies and procedures. Maintain a current copy of licensed virus
protection software on bootable write-protected diskettes.
(3) Use system administrator privilege on a LAN or a WAN only when
doing administration or maintenance of the network requiring such higher
levels of privilege. When assisting customers, privileged users should not
log onto the network as system administrator from any machine that has not
first been determined to be virus-free. For routine work, such as e-mail,
word processing, etc., administrators shall use accounts with normal user
privileges.
(4) Keep write-protected copies of original software loaded to network
servers to perform a necessary restore to workstations and to do regular
back-ups of critical server data.
(5) Comply with directives provided by the CIO in response to specific
virus incidents, where applicable.
(6) Prepare additional local direction, such as operating memoranda,
policies and procedures, where applicable.
(7) Report all computer virus incidents to the CIO or designee and the
facility ISO, and notify all network users.
d. SAO computer users will:
(1) Employ physical access protection for all Department microcomputers
to restrict access by unauthorized persons. Unknown and potentially
unauthorized persons will be challenged in regard to their authorization
to use equipment.
(2) Ensure that software loaded or data disks used on their computer
are first scanned for possible viruses.
(3) Perform regular back-ups of computer data files. The frequency of
these back-ups should be commensurate with the nature and criticality of
the data stored.
(4) Use current anti-virus software on a daily basis for any
microcomputer used in processing sensitive or critical SAO information,
including:
(a) portable microcomputers;
(b) microcomputers used to process diskettes received from sources
outside SAO;
(c) microcomputers returned from outside repair facilities;
(d) microcomputers that have had diagnostic utilities or other
software run on them by repair technicians;
(e) employee-owned microcomputers that are used to process SAO
information (whether at home or office); and
(f) sales demonstration disks and beta test versions of software.
(5) Use anti-virus software to scan the entire hard disk after files
have been recovered from back-ups if the recovery was required due to a
virus-related incident.
(6) Use only software proven to be virus free after scan testing.
Refrain from using unsolicited software sent to you by mail or obtained
from external sources until tested.
(7) Obtain "shareware" software directly from official
sources such as the developers' electronic bulletin board systems (BBS).
(8) Use only one write-protected boot disk for each floppy-based
microcomputer and control access to this disk. On systems with hard disks,
ensure the system boots from the hard disk and no floppy has been
inadvertently left in the floppy drive (the computer may attempt to boot
from it). If possible, configure the computer to boot only from the hard
disk.
(9) Ensure original manufacturer software is securely stored in the
event that programs must be restored to disk. Data can be backed up and
software retained on original diskettes as back-ups.
(10) Comply with additional direction by the Department IRSO and
organization AIS security representatives in response to specific virus
threats, where applicable.
(11) Report all computer virus incidents to the CIO.
e. Consultants, Repair Technicians and Troubleshooters will:
(1) Employ a reputable and current anti-virus product and scan all
operating PCs before beginning to work.
(2) Report all computer virus incidents to their organization ISO.
4. PROCEDURES. While current physical and logical access
controls provide protection against unauthorized system access on many
networked computers, an authorized user may unknowingly introduce
virus-infected software locally through floppy drives or remotely via a
modem. A single infected microcomputer on a network can rapidly infect
every workstation and server on that network. Implementation of the
measures prescribed in this chapter will provide reasonable protection of
SAO information resources against the threat of computer viruses.
a. Continuing Vigilance. The SAO must continue to develop an
environment that will minimize the risks and consequences of virus
infection to computers and LAN/WANs.
b. Physical Access Control. Physical access control will be
employed on all Department computers to restrict use to authorized
persons. This means that computers should be physically secured to prevent
access by an unauthorized person.
c. Key Locks. Most newer personal computers have a key lock,
though it should be noted that this may give only an extremely low level
of security. If keys are used as a first line of defense, then the
supervisor or other designated individual should keep the backup key in
the event that the organization needs access to that computer.
d. CMOS Security. Many PCs have a CMOS setup routine that can
be accessed from DOS by hitting the correct key combination. Please do not
attempt to change any CMOS settings.
e. Backups. If anti-virus software efforts fail, you will always
be able to resume business as usual if a reliable backup has been done.
Regular and frequent back-ups of computer data files should be performed
to aid in the recovery from a virus or any data loss situation. Of course,
if the system has been unknowingly infected by a virus for some time,
backups may be infected. When backups are infected, generally only the
program files will be infected, not the data. In order to restore the
program files to their original state, the user should be able to fall
back to the original manufacturer's software diskettes. These should have
been write-protected prior to installation (when possible) and stored
securely for use in restoring original program files. In some cases where
a mirror image of a complete disk is taken as a backup, a boot virus can
be transferred to the backup. Restoring from such an infected backup will
certainly restore the virus. For this reason, it is important to do
file-by-file type backups rather than the "mirror" image or
complete back-up.
f. Virus Scanning.
(1) When personal computers are attached to a LAN, they should
contact the LAN System Administrator about having anti-virus software
installed to secure each workstation against computer viruses. The LAN
Administrator will monitor the LAN servers for virus activity through
the use of anti-virus software. Set up the anti-virus software so that
it scans the PC automatically when it is booted. Anti-virus software
will be used on all local area networks (LAN) and connected
workstations. Workstations to be connected should be determined to be
virus-free before connection. There are anti-virus products that will
check the boot area of the disk on boot up and may even restore the
correct boot area if a virus has infected it. There are resident
monitors that run continuously in the background. These should be used
whenever possible because they prevent the admittance of viruses during
the workday (after the initial scan has been done). However, in some
instances, shortages of system memory may preclude the use of a resident
scanner.
(2) An office may be using a variety of anti-virus software, possibly
different products from what are used on the LAN or elsewhere. There is
strength in diversity. No single anti-virus product can detect every
virus, so the fact that you are using an additional product may help to
identify a virus that may otherwise go undetected. Special consideration
should be given to the purchase of products that do not rely strictly on
signature scanning as the primary method of detecting viruses. Signature
scanners must be continually updated with the signatures of new computer
viruses and may not be able to detect many encrypted viruses. Many
products now use signature scanning merely as a method of identifying a
computer virus once detected. It is highly recommended that a product be
chosen that uses one of the following methods of detection: Generic
Differential Detection, Holistic scanning, Heuristics or another
non-signature based method, as the primary detection method.
g. Scan Incoming Software. Software obtained from external
sources should be used only after it has been "scanned" by a
reputable and reasonably current anti-virus product. All PCs and servers
should undergo regularly scheduled scanning. Public domain "shareware,"
as well as commercial software, will be "scanned" for viruses
before use. Computers returned from outside repair facilities will be "scanned"
for viruses before being attached to a network or put into operation.
Software utilities used by repair technicians will also be "scanned"
before use. Repair/troubleshooting technicians should scan their software
before use and keep it write protected while in use.
h. SAO Developed Software. Software produced within the SAO
will be designed to prevent it from being an avenue for infection, where
possible. Developers may choose to write program routines that incorporate
integrity checking algorithms or encryption for the program itself. All
program disks should be "scanned" using a reputable and
reasonably current anti-virus product before distribution. Only
write-protected diskettes should be distributed.
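As an added illustration that is not part of this handbook, the following Python script shows the non-signature, differential detection approach recommended in 4.f(2) together with the integrity checking suggested for SAO developed software in 4.h: it records a baseline of program files, reports any that changed after the baseline was taken (the file-infector pattern of 2.b(2)) and flags a newly appeared .COM file beside a known .EXE (the companion pattern of 2.b(3)). The extension list and the temporary-directory scenario are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

PROGRAM_EXTS = {".exe", ".com", ".sys", ".dll"}  # program-file extensions; an assumption for this example

def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record (digest, size) for every program file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PROGRAM_EXTS:
            baseline[str(p.relative_to(root))] = (file_digest(p), p.stat().st_size)
    return baseline

def check_integrity(root: Path, baseline: dict) -> dict:
    """Differential check: classify program files as modified/added/removed and
    flag an added .COM that sits beside a baseline .EXE (companion pattern)."""
    current = build_baseline(root)
    findings = {"modified": [], "added": [], "removed": [], "companion": []}
    for name, state in current.items():
        if name not in baseline:
            findings["added"].append(name)
        elif baseline[name] != state:
            findings["modified"].append(name)
    findings["removed"] = [n for n in baseline if n not in current]
    known = {n.lower() for n in baseline}
    for name in findings["added"]:
        p = Path(name)
        if p.suffix.lower() == ".com" and str(p.with_suffix(".exe")).lower() in known:
            findings["companion"].append(name)
    return findings

def demo() -> dict:
    """Constructed scenario: clean baseline, then an appended EXE (file-infector
    pattern) and a new COM placed beside an existing EXE (companion pattern)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WP.EXE").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "CALC.EXE").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "README.TXT").write_bytes(b"data files are not tracked")
        baseline = build_baseline(root)
        with (root / "WP.EXE").open("ab") as f:  # simulate code appended to WP.EXE
            f.write(b"EXTRA")
        (root / "CALC.COM").write_bytes(b"constructed companion file")
        return check_integrity(root, baseline)
```

Run against a real program directory, the baseline would be stored on write-protected media (as 3.c(2) requires for the scanner itself) so that an infection cannot also rewrite the record it is compared against.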
i. Diskettes from Home. Diskettes taken home and used on home
computers or brought from any non-SAO location should be "scanned"
with a reputable and reasonably current anti-virus product before use on a
SAO computer. Many home PCs are infected due to downloading anonymous
software from electronic bulletin boards, trading games, etc. It is easy
for a PC to become infected with a virus under these circumstances. If
diskettes are taken home to do work, then they should use the same good
security practices at home as at work. However, scanning the disk for
viruses after returning to work is a good preventive measure. (Free
antivirus software is available to put on your home pc. Contact
Information Resources for details.)
j. Trophy Viruses. Unless you are a member of an AIS Security
staff and need to save computer viruses for study and distribution to the
anti-virus community, do not attempt to save them. However, an infected
file or disk can be retained for the purpose of supplying the anti-virus
software developer with the virus for analysis. This diskette should be
clearly marked as infected and sealed in an envelope so that it is not
inadvertently used. Other than these exceptions, when a virus is detected,
it should be destroyed immediately.
REFERENCES:
b. National Institute of Standards and Technology (NIST)
Special Publication 500-166 Computer Viruses and Related Threats: A
Management Guide, by John P. Wack and Lisa J. Carnahan.