It pays to educate users

Since early this year, my daily email always seems to contain at least one message from my antivirus software provider. These messages contain alerts about new viruses and include Web links to files I can download to protect my network from those viruses. The majority of these alerts and updates are about some form of macro virus that primarily targets Microsoft Word or Excel. Like any responsible network administrator, I download the updates and apply them to both my server- and client-side antivirus applications. I don't tell my users that I've done this update—I just do it. I'm sure that most network administrators deal with virus updates in the same way. And therein lies the problem.

Information Is Key
Every time a new virus makes the rounds, I get messages from network administrators that say, "Don't open any attachments until we tell you it's OK," or "Don't open any messages with 'Free For Lunch?' in the subject line." A statement telling me that a new virus is going around might accompany the message. If the situation is bad enough, I'll get the "We've shut down our email link to the Net until we update our antivirus software" message, and I'll probably hear about the virus on the evening news. Something I've never gotten from my IT department is an explanation of how the latest generation of self-propagating viruses works and what strategies a user should employ to enjoy virus-safe computing.

When I told my kids not to click any attachments they received without checking with their mom or me, the first question out of my 9-year-old's mouth was, "Why?" So I sat her down and gave her a 10-minute explanation about why not opening attachments is important and what happens when you run a self-replicating, self-mailing executable file. I also gave her a brief explanation of dangerous file extensions (e.g., .exe, .vbs), and I told her which extensions are OK (e.g., .jpg, .gif). In the 6 months since we had our talk, she hasn't generated any virus mailings, even though she has received some (primarily from her friends through a consumer ISP that shall remain nameless). I wish I could say the same about the average network user. I've received various email viruses from average users, from public relations professionals who spend most of their lives in email, from people who have discussion lists I subscribe to in their address books, and even from IT departments.

I must admit one thing: With each successive virus scare, I receive fewer and fewer copies of the viruses. When the first of the recent crop of email viruses (happy99.exe, a virus that displayed fireworks on your screen, then sent a copy of itself to anyone you sent a message to) began transmitting, I received almost 200 copies. With the most recent virus attacks (the VBS.Loveletter and its permutations), I received fewer than a dozen copies, not counting the "sanitized" messages in which either the sender's mail gateway or mine had eradicated the virus attachment and left me with a blank message. I'd like to think that the reduction in infected email messages is the result of an ongoing user education campaign, but I'm more inclined to believe it's the result of more virus-scanning software on mail servers.

I've written before about the importance of IT departments maintaining effective communication with users. The problem of virus education is a sin of omission—IT staff members don't think they should spend time explaining viruses to users. After all, users know that they shouldn't open attachments they're unsure of, right?

If you have user-training programs in place, add the virus-protection lecture to your email security training. If you have email standards and policies, a written description that instructs users about how to handle attachments might be appropriate. I work in an environment that receives a huge amount of external email plus a lot of internal email that almost always has attachments (primarily Word documents, all of which my system scans for macro viruses, in addition to my disabling macros in my Word configuration), which might be why I see so many copies of every virus that goes around. The same environment makes me susceptible to mail attachments that appear to come from coworkers.

Educate Your Users
Outlining some basic rules for your users about how to approach file attachments can be a simple matter. Here are a few ideas to get you started.

Remind users that 8.3 filenames are obsolete. Many folks remember the old MS-DOS restrictions on filename length. If an attachment's name is something like wordfile.doc, these users will presume the file is not an executable or a script file but rather a benign document file. The problem is that the complete filename might be wordfile.doc.exe. Many applications hide extensions, so users might open a file when they can't see the entire filename. Educate your users about file extensions, and if you can turn off options that hide file extensions, do so.

Worry about more than .exe files. As the most recent virus attacks have shown, scripts can cause quite a bit of damage. Now that Microsoft builds Windows Script Host (WSH) and Microsoft Internet Explorer (IE) into every current copy of Windows, a fertile environment exists for attacks via VBScript, JavaScript, and any ActiveX-enabled scripting language.

Turn off auto-execution. When you're securing your systems or standardizing security policies, configure applications such as Microsoft Outlook, Word, Excel, and IE so that they don't automatically execute scripts and macros. Newer software versions default to either high or intermediate security levels, which don't allow auto-execution by default. Older versions of the same software might not have this protection, and when such protection does exist, users who fiddle with their systems can disable it.

Teach your users about scraps. I'm often amazed by the general lack of knowledge about the use of scraps in the Windows environment. I have an entire directory full of boilerplate scraps that I use in Word. These .shs files are text (in some cases text mixed with code) that I drag from documents to my boilerplate directory. Double-clicking the filename launches the appropriate application (i.e., from Microsoft Office).

In particular, remember to watch out for Registry scraps. A .reg file smaller than 1KB can wreak havoc with a system's Registry. You'll receive no confirmation when you double-click a .reg file; the system will automatically import the file into the system Registry.
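
The filename rules above can also be enforced at the mail gateway instead of relying on what the user's mail client displays. The following is an added example, not part of the original article: the function names, the two extension sets (built from the extensions the article mentions, plus .js), and the sample message are assumptions made for illustration.

```python
import os
from email import message_from_string

# Extensions the article names as dangerous (.exe, .vbs, .shs, .reg) plus
# .js for the JavaScript/WSH case; extend per local policy (assumption).
RISKY = {".exe", ".vbs", ".js", ".shs", ".reg"}
DECOY = {".doc", ".xls", ".txt", ".jpg", ".gif"}  # read by users as harmless

def classify(filename):
    """Return the reasons to block an attachment name; empty list means none."""
    name = filename.strip().rstrip(".").lower()  # Win32 drops trailing dots/spaces
    stem, ext = os.path.splitext(name)           # ext is the real, final extension
    inner = os.path.splitext(stem.rstrip())[1]   # what shows if extensions are hidden
    reasons = []
    if ext in RISKY:
        reasons.append("risky extension " + ext)
        if inner in DECOY:
            reasons.append("double extension " + inner + ext)
    return reasons

def scan_message(raw):
    """Map each attachment filename in a raw RFC 822 message to its reasons."""
    names = [p.get_filename() for p in message_from_string(raw).walk()]
    return {n: classify(n) for n in names if n}

# Constructed sample message (not real traffic).
SAMPLE = """\
From: coworker@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Disposition: attachment; filename="wordfile.doc.exe"

x
--B1
Content-Disposition: attachment; filename="photo.jpg"

x
--B1
Content-Disposition: attachment; filename="settings.reg"

x
--B1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A gateway would quarantine any attachment whose reason list is not empty and pass the rest on to the regular virus scanner.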

You're probably already doing things that can help secure a system from a virus attack. For example, running a secure Windows 2000 or Windows NT client environment is a good idea, particularly if you use the control you have over what users and applications can access in the OS. In an NT environment with limited user access to system files and the Registry, many virus attacks can't cause much harm. System policies are also beneficial and are your only method of providing any lockdown of Windows 9x clients. A three-front campaign of user education, client control, and antivirus software can create a much more peaceful and productive business environment. Not to mention a couple of extra good nights' sleep for systems administrators.