A virus is a piece of self-replicating code; in other words, it is software which is designed to copy itself.
Boot sector viruses infect the boot sector of floppy disks and the partition sector [or, in some cases, the boot sector] of hard disks, when the PC is booted from an infected floppy disk. Executable file viruses infect program files, on local drives or network drives. Macro viruses infect the macros within document and spreadsheet files.
In addition to the code necessary for the virus to copy itself, most successful 'in the wild' viruses try to conceal themselves, from users and from anti-virus programs [if a virus quickly draws attention to itself, it is unlikely to spread very far]. Some viruses contain a payload; this may be anything from a screen display or message to damage to data files. However, not all viruses contain a payload. If the virus does contain a payload, there must be a trigger which causes the virus to deliver its payload. The trigger may be a particular system date, the number of re-boots, the number of floppy disks infected or anything else which software can be designed to detect.
It is worth noting that virus authors, unlike commercial software vendors, do not have to make their software compatible with other programs; they do not have to beta test their software or provide technical support on their products; for this reason, viruses may produce unintended consequences [they may make the system unstable, or prevent other software from working properly].
Before implementing an anti-virus strategy, it is essential to identify the sources of any possible virus infection. The following provides an overview of the ways in which organisations can become infected by a virus.
So, what can be done to prevent a virus infection? Having identified the potential sources of infection within an organisation, it is essential to use effective anti-virus tools to ensure that (1) the risk of a virus entering the organisation is minimised; (2) if a virus does enter the organisation it is detected as soon as possible; (3) it can be removed easily. Dr Solomon's provides a range of tools designed to detect and remove viruses; and to prevent infection.
However, it is not possible simply to build a single defensive dyke around the organisation, in the hope that no virus will be able to breach the 'perimeter defences'. Often there is no 'perimeter', as such. The potential sources of infection [as outlined above] exist at different levels within the organisation. What is needed, therefore, is an anti-virus strategy which includes anti-virus protection at different levels within the organisation [a layered approach, so that a virus which is not detected at one level will be detected at another level]. Dr Solomon's offers anti-virus tools which are appropriate for different layers within an organisation [these anti-virus tools are outlined in later sections within the Reference Notes].
There is no universal model for deploying anti-virus tools; what is right for one organisation may not be right for another. However, the information below identifies the 'layers' of protection which are appropriate for most organisations. In addition, a few examples are given of how organisations of different sizes might use Dr Solomon's.
Example 1 [single-user, home PC]
The home user is at threat from viruses from two sources. The first is floppy disks and CDs used to install software or to exchange data with others. The second is programs and documents downloaded from the Internet [this includes the World Wide Web, on-line services like CompuServe and America Online and any BBS accessed]. The home user should install Dr Solomon's Anti-Virus Toolkit for the operating system he or she uses. FindVirus should be used to scan incoming floppy disks and CDs [including heuristic analysis and checking of compressed files]; FindVirus should also be used to check files downloaded from the Internet. WinGuard should be loaded to provide background protection; it will check disks and files accessed in the PC. This will include files downloaded from the Internet, if the 'Scan on writes' option is selected. The 'Scan all OLE' option enables checking of OLE objects [including documents with extensions other than DOC and DOT]. The 'Auto-Disinfect' option enables automatic cleaning of infected disks and files.
Example 2 [small organisation]
The small [or medium-sized] organisation faces the same threat as the single-user. However, the threat is greater, for several reasons. (1) The threat is multiplied by the number of PCs involved. (2) The organisation is likely to have one, or more, networks; if one user becomes infected, the virus can spread across the network. (3) The organisation may have an e-mail system and may be connected to the Internet [or individual users may have a direct link to the Internet]; infected programs and documents may be downloaded and can spread throughout the organisation. FindVirus should be used to check all incoming floppy disks and CDs [preferably on a stand-alone 'sheep-dip' PC]. WinGuard should be installed on all PCs within the organisation, to check all disks and files used [the 'Scan on writes' option should be enabled for any user able to download files from the Internet; the 'Scan all OLE' option should be enabled if the organisation receives documents with extensions other than DOC and DOT; if the 'Auto-Disinfect' option is used, the 'Log' option should be enabled, so that all virus incidents are logged]. If the organisation uses NetWare or Windows NT, the server should be protected by installing Dr Solomon's Anti-Virus Toolkit for NetWare or Dr Solomon's Anti-Virus Toolkit for Windows NT. If this is not possible, the network supervisor, system administrator [or manager] should install Dr Solomon's Anti-Virus Toolkit for the operating system he or she uses; and set up a regular scheduled scan of network drives.
Example 3 [large organisation]
The large organisation faces the same threat as the small, or medium-sized, business; but the threat is greater because of the increased size of the organisation. (1) The organisation has many more users, PCs, networks, etc. (2) The organisation may be divided into several [or many] geographical locations. (3) There is a much greater logistical problem involved in installing, distributing and updating anti-virus programs; in responding to virus incidents; in making sure that users are aware of the threat posed by viruses; and in ensuring that nothing 'slips through the net'. Each site, building or department should be equipped with a 'sheep-dip' PC, so that all incoming floppy disks and CDs are scanned with FindVirus. WinGuard should be installed on all PCs within the organisation, to check all disks and files used [the 'Scan on writes' option should be enabled for any user able to download files from the Internet; the 'Scan all OLE' option should be enabled if the organisation receives documents with extensions other than DOC and DOT; if the 'Auto-Disinfect' option is used, the 'Log' option should be enabled, so that all virus incidents are logged]. If the organisation uses NetWare or Windows NT, the servers should be protected by installing Dr Solomon's Anti-Virus Toolkit for NetWare or Dr Solomon's Anti-Virus Toolkit for Windows NT. If the organisation has an SMTP gateway for sending and receiving Internet e-mail, MailGuard should be installed to filter incoming and outgoing mail [see the section SCANNING E-MAIL]. If the organisation uses Lotus Notes, e-mail and databases should be checked using Dr Solomon's Anti-Virus for Lotus Domino [see the section SCANNING E-MAIL]. If the organisation's PCs are networked using Windows NT, Dr Solomon's Anti-Virus Toolkit for Windows NT Server [Management Edition] should be used to make anti-virus management easier [see the section NETWORK PROTECTION].
Dr Solomon's Anti-Virus Toolkit is a collection of programs designed to detect and remove viruses. It also contains a range of utilities designed to enable PC Support professionals to maintain and upgrade DSAV programs easily across networks. The different versions of DSAV [DOS, Windows 3.x, Windows 95, Windows NT, NetWare, OS/2, SCO UNIX and Macintosh] are designed to provide these functions for each specific operating system. In particular, each version of DSAV uses the same virus database [apart from the Macintosh version . . . there are Macintosh-specific viruses; and PC viruses [boot sector viruses and executable file viruses] do NOT infect the Macintosh]; for this reason, each version of DSAV will detect the same viruses, whether they are DOS, Windows, OS/2, etc.
Below is a list of the main DSAV programs. [NOTE: not every version of DSAV contains all of these programs; a list of programs for each specific operating system may be found in the section WHAT'S IN EACH VERSION OF DR SOLOMON'S ANTI-VIRUS TOOLKIT].
MAGIC BULLET Magic Bullet [supplied with every version of DSAV] is a clean boot disk, containing FindVirus. Magic Bullet is different to a standard DOS system disk . . . it does not contain the MS-DOS operating system files, or provide the user with an A:\> prompt. When a PC is booted with Magic Bullet, the user is provided with a simple user-interface, enabling them to detect and remove viruses. Magic Bullet scans and cleans files on any disks formatted under the FAT [File Allocation Table] system. This includes MS-DOS and Windows 95, including Windows 95 B [which uses a 32-bit FAT system]. Magic Bullet is unable to scan files in a non-FAT partition [for example, Windows NT's NTFS file system]; but it will scan the partition sector on a disk formatted under NTFS.
USER-INTERFACE Each version of DSAV includes a user-interface, or menu, from which the other DSAV programs may be launched. The user-interface is used mainly by end-users, or anti-virus reviewers. Most corporate customers license individual DSAV programs [VirusGuard, WinGuard and FindVirus].
FINDVIRUS FindVirus is an on-demand scanner [it scans a disk only when the user chooses to run it, or may be scheduled to run at pre-defined times]. FindVirus is able to identify and remove viruses from partition sectors, boot sectors, executable files, documents and spreadsheets. FindVirus includes the Generic Decryption Engine [GDE], for detection and removal of polymorphic viruses. FindVirus may be configured to use Advanced Heuristic Analysis [AHA] to scan executable files for virus-like code, providing detection of unknown viruses [from version 7.74, FindVirus will be able to scan documents and spreadsheets for unknown macro viruses]. FindVirus is able to check within compressed files.
VIRUSGUARD VirusGuard is an on-access scanner [it runs in the background and scans disks and files automatically when they are used]. VirusGuard is a TSR program, providing background protection in DOS. VirusGuard does not have the same detection capability as FindVirus and WinGuard: (1) it does not detect macro viruses [the user must be in Windows in order to access an infected document or spreadsheet]; (2) it detects programs infected with polymorphic viruses only after the virus has loaded into memory, not before the program is executed.
WINGUARD WinGuard is an on-access scanner [it runs in the background and scans disks and files automatically when they are used]. There are different versions of WinGuard for Windows 3.x [VxD], Windows 95 [VxD] and Windows NT [kernel mode device driver]. WinGuard has the same detection capability as FindVirus [from version 7.74, WinGuard will be able to scan documents and spreadsheets for unknown macro viruses].
VIVERIFY ViVerify is a checksummer, which checks for changes in partition sectors, boot sectors and executable files. It does this by creating 'fingerprints' for files on a clean hard disk and checking subsequently to see if these fingerprints change.
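A file-level checksummer in the ViVerify style, as an added example (not Dr Solomon's code): it fingerprints executables on a clean tree and later reports changed, missing and new files. The set of executable suffixes and the constructed sample tree are assumptions; partition and boot sectors, which ViVerify also covers, are not handled here.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: which suffixes count as "executable files" for the baseline.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".dll", ".ovl"}


def fingerprint(path: Path) -> dict:
    """Size plus SHA-256 of a file; a change in either is reported."""
    data = path.read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def take_baseline(root: Path) -> dict:
    """Fingerprint every executable under root. Run this on a known-clean
    system and keep the result where the protected PC cannot rewrite it
    (for instance on a write-protected floppy)."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline.

    changed: fingerprint differs (an appending file infector shows up here),
    missing: executable in the baseline is no longer present,
    new: executable not in the baseline (scan it before trusting it).
    """
    current = take_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def run_demo() -> dict:
    """Constructed walk-through: baseline a small clean tree, then simulate
    one executable being modified, one removed and one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        (root / "DOS" / "COMMAND.COM").write_bytes(b"clean command interpreter")
        (root / "GAME.EXE").write_bytes(b"clean game")
        (root / "README.TXT").write_bytes(b"not executable; ignored by the baseline")
        baseline = take_baseline(root)

        with open(root / "GAME.EXE", "ab") as f:   # size and hash both change
            f.write(b" extra bytes appended later")
        (root / "DOS" / "COMMAND.COM").unlink()
        (root / "NEW.COM").write_bytes(b"arrived after the baseline was taken")
        return verify(root, baseline)


if __name__ == "__main__":
    print(run_demo())
```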
SCHEDULER The Scheduler allows users to run DSAV programs automatically at specified times.
VIRUS ENCYCLOPEDIA This provides basic information on the viruses detected by each version of DSAV. This supplements the more detailed information in the printed Virus Encyclopedia [which is printed twice-yearly]. [The on-line Virus Encyclopedia is being re-designed, to include all the information provided in the printed version.]
TKUTIL TKUTIL contains a wide range of utilities designed to enable IT professionals to update and support DSAV programs within a corporate environment [updating WinGuard and FindVirus across a network, configuring PCs to run WinGuard and FindVirus, etc.].
[DSAV also includes a range of additional anti-virus utilities, designed to be used by advanced users, or by members of Technical Support. These include Inspect Disk, which allows disks to be examined at low level.]
This section is designed to provide a quick check of the main programs included in each version of Dr Solomon's Anti-Virus Toolkit.
The DOS version is designed to run under DOS; programs may be run directly from the DOS command line or through the user-interface. The main programs in the DOS version of DSAV are:
The DOS version of DSAV is also supplied with the program VGPOPUP, which provides a Windows dialog when VirusGuard produces a virus alert under Windows [NOTE: VGPOPUP simply provides a Windows dialog for VirusGuard; it does not check files itself and should not be confused with WinGuard].
The DOS version of DSAV may be used to check any DOS-accessible drive: this means that any network [for example Banyan Vines or DEC Pathworks] which can be accessed from a workstation, using DOS drive letter(s), may be checked for viruses.
Designed to run under Windows 3.x, the programs are run by selecting the appropriate icon with the mouse. DSAV for Windows is also supplied with the DOS version, allowing programs to be run under DOS as well as Windows; and providing users with the advanced DOS utilities. The main programs in the Windows version of DSAV are:
VirusGuard is necessary to provide on-access scanning under DOS [WinGuard is able to provide protection ONLY when Windows is running].
Designed to run under Windows 95, the programs are run by selecting the appropriate icon with the mouse. The Windows 95 version of DSAV is also supplied with the DOS version, to provide users with the advanced DOS utilities. The main programs in the Windows 95 version of DSAV are:
VirusGuard is necessary to provide protection under DOS [WinGuard is able to provide protection ONLY when Windows 95 is running]. [NOTE: although the Windows 95 and Windows 3.x versions of DSAV include the same programs, the Windows 3.x version will NOT run under Windows 95, since the two operating systems are significantly different.]
Designed to run under Windows NT, programs are run by selecting the appropriate icon with the mouse. The Windows NT version of DSAV is also supplied with the DOS version, to provide users with the advanced DOS utilities. The main programs in the Windows NT version of DSAV are:
The Windows NT version of DSAV will provide full protection for Windows NT workstations AND servers [the Windows NT Server & Management Edition provides easy management of Windows networks, rather than additional protection for the server].
Designed to run under OS/2, the programs are run by selecting the appropriate icon with the mouse. The OS/2 version of DSAV is also supplied with the DOS version, to provide users with the advanced DOS utilities. The main programs in the OS/2 version of DSAV are:
The Macintosh version is designed to run on any Macintosh System 7 [or later], including Power Macintosh. Programs are run by selecting the appropriate icon with the mouse. The Macintosh version detects Macintosh viruses, macro viruses and PC boot sector viruses [PC boot sector viruses will not infect the Macintosh; however, it is possible for PC floppy disks to be accessed in a Power Macintosh]. Dr Solomon's Anti-Virus Toolkit for Macintosh includes the following programs:
Designed to run under SCO UNIX, programs are run from the command line. The main programs in the SCO UNIX version of DSAV are:
The SCO UNIX version of DSAV is also supplied with the DOS version, to provide users with the advanced DOS utilities.
[For information on versions of Dr Solomon's designed to run on a network server, see the section NETWORK PROTECTION.]
It is possible to scan any DOS-compatible network drives from one of the workstations. If network drives can be seen from a workstation running DOS, Windows 95, Windows NT, etc., they can be scanned using the version of Dr Solomon's installed on the workstation. This should be done by a supervisor or system administrator, since they will have access to all network drives; and it should be a scheduled scan [to automate the scanning process]. This method should be used for scanning networks for which there is no specific server version of Dr Solomon's [for example, Banyan Vines, DEC Pathworks, LAN Server and LAN Manager].
However, versions of Dr Solomon's Anti-Virus Toolkit are available for Novell NetWare and Microsoft Windows NT. These are designed to run on the server itself. There are a number of advantages in running anti-virus programs directly from the server. In essence, server-based scanning provides centralised management. (1) The process is fully-automated. Scheduled scans of network drives can be set up, at specified times; this process requires no action from the supervisor or system administrator. An on-access scanner can be used to scan files before they are used, or before new files are written to the network. (2) All virus alerts [whether at the server or at one of the workstations] can be logged centrally; this allows the supervisor to track virus incidents. (3) If there is a virus alert, a message can be sent automatically to the supervisor. (4) Unprotected workstations can be denied access to the network.
The following is a list of the main programs in the server-based versions of Dr Solomon's Anti-Virus Toolkit.
The NetWare version of DSAV is also supplied with the DOS version, to provide users with the advanced DOS utilities.
The Windows NT version of DSAV is also supplied with the DOS version, to provide users with the advanced DOS utilities. The Windows NT version of DSAV will provide full protection for Windows NT workstations AND servers [the Windows NT Server & Management Edition provides easy management of Windows networks, rather than additional protection for the server].
Management Edition is designed to help system administrators manage anti-virus protection across Windows NT networks. (1) Management Edition provides centralised control, so that the entire network can be managed from a single location. (2) Management Edition allows simplified distribution of anti-virus programs [VirusGuard, WinGuard and FindVirus] to workstations running Windows NT, Windows 95 and Windows for Workgroups 3.11. The installation, configuration and updating of Dr Solomon's programs, on all PCs within the network, can be managed from a single location, using hierarchical domain management [on a Windows NT network, a domain is a group of PCs sharing the same security model; Management Edition allows the system administrator to manage anti-virus domains . . . a group of PCs sharing the same anti-virus policy]. (3) Management Edition's sophisticated alerting methods enable system administrators to keep track of all virus alerts across the network.
Management Edition is made up of a series of components, which are installed and configured via the Management Console [Management Edition's user-interface]. The Management Console is used to distribute anti-virus programs [and Management Edition components] to PCs within the specified anti-virus domain(s). Management Console also keeps track of which versions of Dr Solomon's are being used within the network.
There are five essential components within Management Edition.
Management Edition uses a Message Layer Interface [MLI] for internal communication between its components. The messaging and alerting is secured and authenticated. It runs transparently over IPX, TCP/IP and NETBIOS based networks; and interfaces directly with existing network management products such as OpenView, ManageWise and LanDesk by generating SNMP traps.
If WinGuard is installed on each PC within an organisation, users will be prevented from accessing infected documents and spreadsheets . . . from any source [including e-mail].
However, WinGuard is unable to clean infected mail attachments. Mail is likely to be stored on a mail-server, in a database format specific to each mail system [the formats used by Lotus cc:Mail, Lotus Notes, Microsoft Mail, Microsoft Exchange, etc. to store mail are all different]. This means that mail attachments cannot be scanned using standard anti-virus tools; it is necessary to use a scanner which understands the specific format in which the mail is stored. In addition, it makes sense for larger organisations [with many users, many PCs, many sites, etc.] to scan mail attachments before they become items in a user's In-box. Dr Solomon's has a range of products designed to scan mail entering an organisation, providing an additional layer of anti-virus protection for large organisations.
There are a variety of different client mail systems available [Lotus cc:Mail, Lotus Notes, MS-mail, etc.]. SMTP [Simple Mail Transfer Protocol] is a standard protocol allowing mail to be delivered from one client mail system to another, across the Internet. Mail from a client mail system [including any attachments] must first be converted into ASCII; and it is UUEncode and MIME which provide the conversion of client mail into a format which can be delivered using SMTP. The SMTP gateway [which provides an interface with the Internet] handles the sending and receiving of all SMTP mail.
When data is sent via SMTP, it is converted into a format which cannot be checked using normal anti-virus programs. And mail stored in a Post Office, within an organisation, is normally encrypted and/or compressed; again, making it impossible to scan the mail using standard anti-virus programs.
MailGuard is designed to allow the checking of all SMTP mail sent and received by an organisation. The PC running MailGuard [which must be running Windows NT] is 'plugged into' the link between the SMTP gateway and the client mail system's Post Office. In this way, all incoming and outgoing mail passes through MailGuard. MailGuard breaks the mail [including attachments] into its constituent parts, stripping away the encoding [UUEncode and MIME].
The files are then passed to FindVirus, which checks the files for viruses. If the files are clean, MailGuard re-assembles the mail message and forwards it to the Post Office. Infected files are quarantined, allowing the system administrator to deal with any infection [the system administrator is notified of the infected files; and the sender and receiver can also be sent an appropriate message].
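The MailGuard flow just described, as an added example that is not Dr Solomon's code: a toy gateway pass over a MIME message that decodes each attachment, scans it, quarantines infected parts and re-assembles the message for delivery. The signature list, addresses and sample message are constructed; it also shows why the raw SMTP form cannot be scanned directly (the base64 transfer encoding hides the pattern until the part is decoded), and the same strip, scan and replace sequence is what the Lotus Domino steps later on this page describe.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed signature database: (detection name, byte pattern). A real
# engine matches code patterns and handles polymorphic code; this stand-in
# only keeps the example self-contained.
SIGNATURES = [("Example.Marker.A", b"CONSTRUCTED-SIGNATURE-FOR-EXAMPLE")]
ADMIN = "postmaster@example.com"   # assumed administrator address


def scan_bytes(data: bytes):
    """Return the detection name for the first matching signature, else None."""
    for name, pattern in SIGNATURES:
        if pattern in data:
            return name
    return None


def build_sample_message() -> bytes:
    """Constructed message with one clean and one 'infected' attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"harmless spreadsheet bytes", maintype="application",
                       subtype="octet-stream", filename="figures.xls")
    msg.add_attachment(b"program bytes " + SIGNATURES[0][1] + b" more bytes",
                       maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    # Attachments are base64 in transit, so scan_bytes() on this raw
    # message finds nothing: the gateway must decode before scanning.
    return msg.as_bytes()


def attachment_names(raw: bytes) -> list:
    """Filenames of the attachment parts in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


def gateway_filter(raw: bytes):
    """MailGuard-style pass: split, decode, scan, quarantine, re-assemble.

    Returns (forwardable_message_bytes, quarantined, notices); quarantined
    holds (filename, detection, original_bytes) and notices holds
    (recipient, text) for the administrator, the sender and the addressee.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    quarantined = []
    for part in list(msg.walk()):            # list(): parts are rewritten in place
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes base64/quoted-printable/uuencode
        hit = scan_bytes(data)
        if hit is None:
            continue
        name = part.get_filename() or "attachment"
        quarantined.append((name, hit, data))
        # Swap the infected part for a text stub so the rest still delivers.
        part.set_content(f"Attachment {name} was quarantined: {hit}\n",
                         disposition="attachment",
                         filename=name + ".quarantined.txt")
    notices = []
    for name, hit, _ in quarantined:
        summary = f"{hit} in {name} (from {msg['From']} to {msg['To']})"
        notices.append((ADMIN, "Quarantined: " + summary))
        notices.append((str(msg["From"]), "Your attachment was quarantined: " + summary))
        notices.append((str(msg["To"]), "An attachment to you was quarantined: " + summary))
    return msg.as_bytes(), quarantined, notices


if __name__ == "__main__":
    out, q, notes = gateway_filter(build_sample_message())
    print([(n, h) for n, h, _ in q], attachment_names(out))
```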
Lotus Domino is a server-based application which allows client PCs running Lotus Notes to exchange mail, to access shared databases [stored on the server] and which provides a connection to other Lotus Domino servers.
Notes mail, like any other mail system, can be used to send files [including programs and documents] to any number of recipients. If any of these files are infected, the virus can spread rapidly.
Lotus Domino is designed to allow 'replication' of files and databases on other Lotus Domino servers. This provides a very effective mechanism for viruses to spread [copies of any infected files are sent automatically to every server within the system]. In addition, Lotus Domino is an ideal 'hiding-place' for viruses, since the files are stored in a database format which cannot be scanned using standard anti-virus programs.
Dr Solomon's Anti-Virus for Lotus Domino provides the ability to scan Notes mail and Notes databases. DSAV for Lotus Domino scans every mail item as it is sent; and scans databases [since a Notes Post Office is a Notes database, it is possible to scan and clean the Post Office, to ensure that the entire domain is clean]. (1) Notes mail and databases are opened. (2) The attachments are removed and passed to FindVirus, for scanning. (3) Infected files are cleaned, or isolated. (4) Cleaned attachments are replaced in the mail or database.
Using DSAV for Lotus Domino, infected files can be cleaned or quarantined [so that they can be dealt with by the system administrator]. The system administrator [and users] can be informed using a comprehensive messaging system.
Messages [which are configurable by the system administrator] can be sent to (1) system administrators [or other groups], (2) the sender, (3) the addressees.
DSAV for Lotus Domino uses the messaging provided by Lotus Domino; messages can be sent via (1) pager, (2) e-mail, (3) fax, or (4) any other locally-implemented service.
DSAV for Lotus Domino runs on Windows NT 3.51 or 4.0; and Lotus Notes 4.0 [and above] and Lotus Domino 4.5.
Microsoft Exchange is a client/server system which allows organisations to integrate e-mail, information sharing and the development of customised applications.
Microsoft Exchange allows information [contained in folders] to be copied automatically across an organisation [this is known as 'replication']. This provides a very effective mechanism for viruses to spread [copies of any infected files are sent automatically to every server within the system]. Since files are stored in a database format which cannot be scanned using standard anti-virus programs, Microsoft Exchange's information stores form an ideal 'hiding-place' for viruses.
Dr Solomon's Anti-Virus for Microsoft Exchange [which operates transparently both on Exchange servers and client machines] is designed to ensure that Exchange's powerful features do not become the mechanism by which a virus is able to spread throughout an organisation.
Dr Solomon's Anti-Virus for Microsoft Exchange operates in the background, scanning new and existing files in Microsoft Exchange folders; files are scanned automatically when they are accessed, copied or replicated. In addition, Exchange administrators are able to schedule scans across the entire Microsoft Exchange information store.
E-mail messages [including attachments] are scanned automatically; and any infected files are immediately quarantined and disinfected. The Exchange administrator is notified automatically of any virus infection; and messages may be sent to the sender and receiver of the infected attachment. A central log file provides comprehensive event tracking.
Dr Solomon's Anti-Virus for Microsoft Exchange includes scanners for Microsoft Exchange, Microsoft Mail and Microsoft Outlook [the new Exchange client software].