Editor's Note: This article complements the Compaq ActiveAnswers white paper "AntiVirus Solutions for Microsoft Exchange Server" (http://vcmproapp02.compaq.com/activeanswers/ global/en/solutions.1128/offline.8349/default.asp) but avoids duplicate information. The white paper compares product features and functionality and presents an example deployment scenario in a six-phase implementation methodology. This article offers a checklist of steps to ensure that your installation can survive a viral outbreak.
You survived Y2K. Now, you're reading that experts predict that 2000 will be the "year of the worm." Chances are good that an email computer virus will hit your organization this year. New viruses appear at an alarming rate, and email makes propagation easy.
How can you protect yourself against the damage and losses associated with the initial outbreak of a new virus? By following the steps I outline here, you can improve your odds of surviving an initial outbreak and preventing future reoccurrences. If you already have virus protection in place, you can use this article as a checklist to help you plug any holes you might have overlooked.
What's at Risk?
Before you implement a solution, you must first become aware of the problem and understand the nature and scope of the risk to your organization. In the past, viruses typically entered an organization on a disk and damaged isolated PCs. Today, viruses enter systems through automated email mechanisms, replicate across the network, and destroy valuable or irreplaceable information.
As more businesses become enabled for e-commerce and depend on its benefits, the risk of losing networked systems elevates losses to business disruption and potential bankruptcy. To keep your organization safe, you can take the precautions I outline here.
You must keep up-to-date with the latest developments in virus prevention. Reading this article is a good first step. You must also subscribe to security newsletters and alert lists, such as those offered at http://www.ntsecurity.net. To subscribe to these publications, send an email message to email@example.com with the words subscribe securityupdate anonymous in the body of the message.
You can set recurring reminders to check Web sites such as http://www.cert.org, http://www.sarc.com, or http://www.antivirus.com for viral information updates. Your antivirus software vendor might publish a newsletter such as the Trend Micro Virus Report available at http://www.antivirus.com/subscriptions/default.asp. For an example of how to test and select antivirus software, check out my white paper "AntiVirus Solutions for Microsoft Exchange Server" at the address in the Editor's Note.
Develop and Test a Disaster Recovery Plan
Viruses can motivate you to practice procedures that you know you need to follow. By anticipating the worst, you can minimize viruses' effects. The best method for learning about a disaster-recovery plan's shortcomings is to practice live drills, including validation of the data you're restoring. The key benefit of a disaster-recovery plan is to know your procedures and minimize the chance of errors during the crucial recovery phase. The alternative is to find out the value of your data the hard way—after a viral attack has irreversibly altered it.
Establish an Organizational Policy
Although an organizational policy will do little to keep inbound email viruses out, it can help to prevent viruses from being activated or brought in through other vectors such as removable drives, disks, and downloads. The IT department can help the human resources department establish an organizational policy that includes
- Pointers to educational information (e.g., Web sites, white papers).
- A list of resources the organization provides to prevent viruses, distribution points for antivirus software and scanning definition updates, and who to contact about suspicious files.
- Consequences of employees' not following proper procedures.
Educate Your End Users
The organizational policy tells end users where to find information about viruses and the risks that they pose to an organization. Your responsibility is to make this information available and stress its importance. Many viruses (e.g., a Trojan Horse attack) rely on tricking the end user into launching the process. Increase your company's protection by discouraging end users from executing code from strangers. Create an environment of suspicion about files containing macros and executables that arrive with email. Encourage users to forward any suspicious files to an administrator who can test the file in isolation.
The Worm.ExploreZip virus outbreak could have been prevented if the initial recipients had been cautious and skeptical. For example, in my organization, a user received an email message that contained an active script. His security configuration settings caused a warning to appear that let him decide whether to open a potentially unsafe attachment. Because he had received proper education, he chose not to run the script and the virus stopped there.
Secure the Desktop OSs
Viruses receive their destructive power from the logon context, or administrative rights, of the user currently logged on. By limiting the rights or power of the current user logon, you also limit viruses' destructive potential. Administrators, too, must learn to work in a restricted environment. For example, Windows 2000 (Win2K) lets you use Run as to elevate user privilege as needed. By pressing Shift while you right-click a trusted executable file, you can enter information in the Run the program as the following user: dialog box, which Screen 1 shows, to temporarily change the logon context required to run that application.
A new development in viral technology is that the payload targets network shares or drives and replicates its damage to the entire network instead of just to standalone PCs. This capability is especially important when the current user has domain-level administrative rights. Therefore, don't perform daily work such as reading email or browsing the Web while logged on with domain-level administrative rights because you might inadvertently expose the network to viral attacks. For years, trainers and consultants have recommended that administrators use the administrative logon only when necessary, and modern viruses now make that advice worth heeding.
Secure the Servers
Chances are good that you've already secured your servers, but you also need to enable security auditing in your Windows NT environment. The audit policy in User Manager for Domains lets you monitor suspicious activity (e.g., failed attempts to log on with administrative credentials or access network resources) as you regularly check your server event logs or review systems management application reports. To get the most out of logon and activity auditing, be sure that administrators are using their assigned account and not the Administrator or Exchange Service account for everyday work. Limiting access to network information and systems is a good idea in general; this policy can keep you from introducing viruses by installing untested code on Exchange servers.
Filter at the Gateways
Mail gateways or SMTP servers are usually viruses' primary entry point into an organization. Gateways are the first line of defense and the place that most organizations place virus-scanning or content-filtering software. Virus scanners look for recognizable patterns in files that might match a database of known viral signatures. Content-filtering software keeps out unwanted content: viruses, unsolicited commercial email (UCE), and restricted attachment types such as large video clips. By placing the burden of scanning or content filtering on the gateways, you can keep Exchange Server mailbox servers more responsive to users' needs, such as sending and receiving email, browsing public folders, and sharing calendar information.
Screen 2 shows a list of file extensions selected for scanning in an SMTP gateway product (i.e., Trend Micro's InterScan VirusWall). Screen 3 shows the configuration to scan outbound SMTP mail for viruses.
In addition to reducing the effects of UCE and viruses, content-filtering software (e.g., Content Technologies' MIMEsweeper) offers other benefits, such as reducing the legal liability associated with employees' derogatory remarks and offensive sexual, racial, or other discriminatory phrases. However, filtering at the SMTP gateways doesn't address viruses within internal company email, a problem I address in the next section. Filtering can generate false positives—accidentally capturing email that isn't UCE or a virus—so have a plan for restoring or releasing that email.
SMTP scanning and filtering doesn't require much server horsepower. However, the queues can build during peak periods and affect delivery times. Ensure that adequate RAID-protected disk storage is available for the mail queues.
Virus-scanning software is effective against only the viruses it knows about. By scheduling frequent (e.g., nightly), automatic updates of virus information, you increase your odds of knowing about the latest outbreak. If the antivirus software you're using doesn't provide updating ability, you must write scripts to download and distribute signature database files. Screen 4 shows the InterScan VirusWall dialog box for updating virus patterns.
If possible, apply the updated files to nonproduction servers (or at least less crucial servers) and monitor their status and event log before applying them to the most crucial servers. Vendors test these updates before releasing them, but in some cases, customers have run an untested configuration or servers have crashed after a customer applied an update.
Scan at the Mailbox Servers
A virus posted to a public folder can jeopardize the entire organization. For this reason, run an antivirus program directly on the Exchange servers if you haven't protected all points of entry (e.g., connections to the Internet, mail connectors to legacy mail systems such as Lotus cc:Mail or Microsoft Mail, other X.400 Message Transfer Agents—MTAs). You can also scan for viruses by placing content-filtering software directly on the Exchange servers.
Virus scanners add to your duties and require that you learn to configure and use the software. To ease learning a new interface, some products integrate directly into the Microsoft Exchange Administrator console. Screen 5 shows the Network Associates GroupShield setup dialog box within Exchange Administrator.
The method that virus-scanning software uses to look for viruses in incoming mail can greatly affect the scanner's performance and scalability. Until recently, all scanning software used the Messaging API (MAPI). When you push MAPI-based scanning to the limit, viruses can sneak into the system. Think of a MAPI mail scanner as a mail user reading everybody's mail as it comes in—it has to work fast to keep up (and most scanners can), but you can't tell Exchange to wait until the scanner catches up under a heavy load. My ActiveAnswers white paper provides examples of how to perform load testing on your system.
A newcomer to the market, Sybari's Antigen, rewrote the rules and hooks its product into the Extensible Storage Engine API (ESE API). Tony Redmond reviewed Antigen 5.5 in Windows NT Magazine (October 1999). Testing has found Antigen to be more effective under load, but the product will face competition as other companies write antivirus software to use a new API in Exchange 5.5 Service Pack 3 (SP3). Microsoft developed the new Antivirus API (AV API) to allow more control of the scanning process, but antivirus vendors have been slow to offer products that use the API. Exchange 2000 Server requires updated antivirus scanners that can take advantage of the event sinks that Exchange 2000 promises to offer.
Scanning mailbox and public folder servers affects servers' responsiveness to user requests, especially in feature-rich setups. For example, most products let you notify message senders, recipients, and systems administrators that the product has detected a virus and quarantined, cleaned, or deleted the affected message. Such features create a greater load on the system, so you need to balance feature sets with system overhead. To measure the impact of scanning, obtain baselines of the current workload, then test the antivirus product in your configuration of it.
In addition to affecting responsiveness, virus-scanning software might affect system resources. For example, Trend Micro's ScanMail for Exchange lets you save a backup copy of any cleaned file, which gives a measure of safety in the event of a false positive. You need to allocate disk space for this feature in addition to space for quarantining suspicious files.
Monitor the Servers and Services
Virus-scanning software has become an important part of message flow. To ensure that the software stays running, monitor these NT Performance Monitor objects:
- % Processor Time: Total
- % Processor Time: AV Processes
- Memory Used: AV Processes
- Message Delivery Times
- Logical Disk: % Free Space
- Physical Disk: % Disk Time
- Physical Disk: Avg. Disk Queue Length
Establish a baseline of normal and peak numbers for your mail system. The physical disk usage measures require that you run diskperf —y to enable the disk counters. However, you enable disk counters primarily for testing and not during regular production so that you don't reduce disk performance.
Some vendors, such as Trend Micro and Sybari, add Performance Monitor counters for their products to let you keep track of scanning and detection rates. Screen 6 shows ScanMail's counters.
In addition, you need to establish service state monitoring to be certain that the antivirus software is running and that the monitoring function will send you an alert if the antivirus software encounters a problem. You can add this monitoring function through the Exchange Administrator console or with a third-party monitoring solution. Screen 7 shows ScanMail installed as a service.
Scan at the Desktop
Viruses frequently enter organizations through PCs, or desktops. Long before email became the conduit for viral transmission, organizations were implementing scanning on client desktops. Desktop scanning uses realtime methods, running as a service or application that watches for file access and scans those files, or manual (scheduled) scans that run periodically against selected files, directories, or drives. InDefense (http://www.indefense.com) has pioneered development of antivirus software that doesn't use virus signature files; instead, it monitors the protected system for suspicious or viral activity. This technique eliminates the need for updating signature files and might help prevent the initial outbreak before antivirus vendors even know the signature.
Turn Automation Down a Notch
Flooding email viruses such as Melissa rely on the code's ability to scavenge address books and automate massive email transmission. The following methods can disable or limit the effectiveness of this type of attack:
- Work in offline mode. In unprotected environments (i.e., companies that haven't implemented scanning for known automated flooding viruses), users can work in offline mode and synchronize to send and receive mail. In case of an attack, you can delete outgoing messages from the Outbox queue before Exchange sends them.
- Restrict the number of recipients that a message can have. The Microsoft article "XADM: Limiting the Number of Recipients of a Message" (http://support.microsoft.com/support/kb/articles/q126/4/97.asp) explains how to set a new Registry value for the Information Store (IS) service that limits the number of recipients that a mail message can have. This method appears to be a valuable solution; however, automated flooding viruses can easily scavenge address books, sending to one entry at a time. This restriction solves a different problem by preventing anyone on that Exchange server from sending to a large number of recipients, such as a global distribution list (DL).
- Monitor and control client sending activity. Although not intuitive, this method deserves consideration. An email client generating 50 messages in less than 5 minutes might signal an automated flooding virus. Until a future Exchange Server version includes this feature, you must use a third-party product to monitor the volume of email that a sender can output. BMC Patrol for Microsoft Exchange Server can provide an alert based on output, and NetIQ might add this functionality to the AppManager Suite.
- Populate address books with an invalid address in the first x number of entries. Many organizations implemented this method to lessen the effect of known flooding viruses. The first 50 addresses, for example, point to empty DLs. Organizations that have populated their Global Address List (GAL) with DLs as the first alphabetical entries are most likely to benefit from this patch.
Limit Receipt of Attachments
The most extreme measure you can take is to establish an organizational policy that prohibits receipt of email attachments. Although you might find this concept laughable, it has some benefits. Even companies that allow attachments have established policies to block all attachments during viral outbreaks. For example, malicious users had long regarded the Y2K transition period from December 31, 1999, to January 1, 2000, and several days beyond as an opportunity to wreak havoc on the networked world. Companies can block all attachments during an outbreak and send a message to the originator explaining why the intended recipient didn't receive the attachment. Alternatively, if your antivirus software permits, you can quarantine all attachments until you've updated the antivirus scanning engine with the latest virus definitions and then release the files through the scanning process. Sybari updated its Antigen 5.5 antivirus product with this feature in Service Release 1 (SR1). A similar, more permanent method quarantines every incoming attachment with active code and executes the attachments on an isolated sacrificial system to monitor for potentially destructive activity. Because users must claim the files from that centralized location, this method forces users to acknowledge the risk associated with receiving files that contain active code. In addition, quarantining files might reduce the traffic of those rather large, slightly naughty, and humorous video files.
Clean Up Later
If you've suffered a recent viral outbreak because you haven't enabled realtime scanning on your gateways or Exchange servers or scanning has been ineffective at catching a recent viral introduction, run isscan.exe nightly to remove unwanted files or messages. This Microsoft utility replaces the Microsoft Mailbox Sanitizer, which Microsoft designed to clean unwanted messages from ISs. The Mailbox Sanitizer removed files based on subject line, which isn't an effective technique for the recent virus W32.Mypics.Worm because that virus has a blank subject line.
You run isscan.exe with a criteria file (critfile); Table 1 shows an example criteria file. The criteria file has two entries—attachment criteria and message criteria—and can have multiple entries for each criteria type. Note the tab separators (\t signifies a tab) in both the attachment criteria and the message criteria.
Be sure to always specify the attachment filename in 8.3 (an 8-character filename and a 3-character extension) format even for long filenames. From the command line, enter
The Microsoft article "XADM: Using ISSCAN to Remove Messages or Attachments Affected by a Virus" (http://support.microsoft.com/support/kb/articles/q224/4/93.asp) explains each parameter and provides more information about isscan.exe. You can download isscan.exe for Exchange Server 5.5 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/eng/exchg5.5/isscan/ and for Exchange Server 5.0 from ftp://ftp.microsoft.com/bussys/exchange/ exchange-public/fixes/eng/exchg5.0/isscan/.
Because this method is somewhat intrusive and users might feel that you're invading their privacy, you might have to overcome some political hurdles if you want to use it. Before you run this utility, explain that you'll use isscan.exe only for specific files (i.e., viruses). Also, develop a contingency plan for restoring messages in case the utility accidentally removes valid information. As a best practice, make the criteria as specific as possible and run the utility against a staging server before you deploy it in production.
Let Someone Else Worry About It
If you pale at the thought of adding more work to your usual 10-hour workday, consider outsourcing your virus protection to an ISP or an application service provider (ASP). The provider handles all antivirus scanning, including antivirus software installation, administration, regular updating, and system management. You merely point your inbound and outbound mail through their servers. Before securing such a solution, talk to the provider about the following concerns:
- Detection techniques: What types of files or attachments does the vendor look for? Does the provider look at the file or document extension only, or does it peek into the file header to determine the type?
- Timeliness of research and development: How often does the vendor update its scanning definition files? What is the vendor's source for the scanning engine and definitions (i.e., how does the company research or find out about new viruses)?
- Detection-effectiveness guarantees: Can the vendor promise a certain freedom from viruses and back it up with a guarantee against financial losses?
- False positives and quarantines: If one of your boss' incoming email attachments coincidentally matches a viral signature and the virus scanner incorrectly identifies it as a virus, will the software quarantine the attachment or delete it? How do you get it back (before he or she finds out)? Is the quarantine directory secured against unwanted snooping?
You can obtain more information about outsourcing services from LanSoft (http://www.lansoft.com), Trend Micro (http://www.antivirus.com), or, perhaps, your ISP.
Tune In, Turn On, Watch Out!
Over the past few years, viral outbreaks have lagged far behind viral authoring capabilities. However, as malicious attacks increase in frequency and severity, you need to tighten your security defenses against active code or links to active code within the body of messages. As organizations add secure messaging (e.g., digital encryption, public key infrastructure), antivirus vendors must better integrate this enhancement into their products.