Virus Protection

As you can probably imagine, I get a fair number of calls regarding computer viruses, especially lately with the recent rash of new and widespread viruses. As with much of the advice I provide, my thoughts on virus protection are somewhat unorthodox, though grounded in fact and many years of experience.

A word on those that write viruses

The typical virus writer is to a skilled programmer what a graffiti vandal is to a fine artist. Most of the viruses out in the world are very poorly written -- many of the signs they give of their presence were not intended, but rather side effects of the bad programming. There is no magic to what they do, in fact, they are usually trivial to understand if one takes a few minutes, and we will get to that in a moment. Some of them use interesting stratigies to spread, but the basic ways they spread are pretty well established and understood -- they are not innovative. Considering the huge number of new viruses being written every week and the small number that actually have a significant impact on the world, I suspect one can look at a certain amount of Darwinian action here -- giving thousands of variations on a theme, SOME of them are likely to be good enough that they take hold in the world.

There are a few very good programmers who spend their time doing destructive work rather than constructive work, but these people are the definite minority, not the majority. Some graffiti is pretty impressive, too. However, singing the praises of these people as "brilliant programmers" in general is quite wrong and provides them exactly the attention they are after.

Further, many of these viruses are dependent upon the user doing silly and stupid things. Singing the praise of these virus writers is kinda like admiring the cunning of a burglar who only breaks in to houses that are unlocked and unoccupied.

What I do

In my line of work, as you can probably imagine, I have to create diskettes, CDs, and documents for clients. Infecting a client is absolutely unacceptable.

Let me tell you about the virus protection software I have loaded and running at all times on the computers I use:

Nothing. Nada. None. Zip,

Now that I have your attention, let me explain.

Detection

In the battle against computer viruses, you have two basic choices: Detect them or avoid them. Detection is based on checking files on your system against known indicators of viruses, called signatures, and sometimes watching for "Virus-Like" behavior of your system. This requires the monitoring of every file in your system as it is accessed as well as many aspects of the system operation.

This creates numerous problems. For one, it creates a HUGE impact on system performance. Many performance problems can be resolved on computers simply by disabling the virus scanner. I don't have any hard (and simple) numbers of what a virus scanner does to your system performance, but it is quite noticeable, and that usually requires more than a 30%-50% impact on your system. So, your 700MHz system with a virus scanner might not be as fast as my 400MHz system without one.

To do these "real-time" scans, the virus scanner has to imbed itself in your operating system. A basic rule of Windows is there is NOTHING you can add to the system to make it more stable, and there is much you can do to make it less stable (i.e., more likely to crash). Adding a virus scanner has proven a very effective way to destabilize Windows -- many problems with system crashes can be solved just by disabling and removing a virus scanner.

Virus scanners must also be continually updated. A one month old virus scanner isn't providing you good protection, a one day old one may let a fast moving virus, such as Nimda, through. Trying to keep your virus scanner up to date is a loosing battle -- since virtually all the major virus scanner manufacturers make "free" versions available for downloading, it is trivial for a virus writer to write to evade all the major name scanners, and the virus scanner publishers can't even start to work on detecting a new virus until a copy has been "captured", analyzed, incorporated and distributed, you can expect this would take a minimum of 24 hours after release. This is, by definition, a loosing battle -- you absolutely can not stay ahead in this game.

Avoidance

Considering all the problems with virus scanners, why not just not GET viruses in the first place? It isn't hard.

(IMPORTANT NOTE: What follows is relevant only to PC-based computers, unless explicitly indicated otherwise. Macintosh systems have other issues regarding viruses that are quite different than PCs, and really warrant an article of their own)

First, we have to understand the types of viruses that actually exist in the PC world. Note that virus experts discriminate between "viruses" and "worms", however, for this discussion, I will lump them under the one category of virus.

Boot Sector viruses:

How they work:
These viruses live on the boot sector of disks -- both hard disks and floppies. As the name implies, the boot sector is used to start the boot process of your computer.

These viruses imbed themselves into your computer's operating system at boot time, and will then infect (or attempt to infect) every diskette inserted into your computer from that point onward. They spread to other computers when a diskette is carried to another computer and left in the drive and the system is rebooted! This is a critical point in understanding these -- a boot sector virus is not loaded into the computer until the computer is booted! The floppy can sit there in the computer as long as desired, and will have no affect on the host computer UNLESS the diskette is left in the drive and the system attempts to boot from the floppy. That message saying "Non-system disk" can be an indicator your machine might have been just infected by a boot sector virus.

Avoiding Boot Sector Viruses:

Most modern computers have a BIOS option to not boot from the floppy by default -- this basically eliminates boot sector virus problems. You can have a diskette that is infected, you can use it, but unless you change your BIOS to boot from floppy, your machine will never be infected! Also convenient is the fact that floppies are almost useless to boot from anymore with modern Windows operating systems.

Boot sector viruses are thus easy to avoid, and in fact, disabling the floppy boot will often make a user's life easier (i.e., for those that turn on their computer, walk off to get coffee, and come back to find the "Non-system disk" message)

"Program" viruses:

How They Work:
These viruses attach themselves to executable programs, and spread when the program is copied from one computer to another. The program itself is innocent -- it is just "infected" with a program you (and the program author!) were not expecting.

An example: The virus may change the first couple instructions in the program to jump to the physical end of the program -- which is where the virus is now attached. The virus does whatever it is going to do (such as, copy itself to another program), then runs those instructions that it changed, and jumps back to the entry point of the program you intended to run.

These viruses catch people doing things they shouldn't -- namely, copying software from one computer to another. To a degree, they have not been much of an issue of late, as most Windows-based programs CAN'T be copied directly from one computer to another, but rather have to be installed off master media. Now, they can still be spread by various illegitimate means, but if you are careful to only install software from original sources, whether that be legitimate CD-ROMs or downloaded directly from the distributor, this won't be a problem.

Avoiding Program Viruses:

Don't copy programs from one computer to another.
Don't download from "illegitimate" sources ("Warez" boards).
Do download from official sources.

Again, this really shouldn't cause any major problems for legitimate users.

Macro Viruses:

How they work:
Starting with Microsoft Office 95, Microsoft included a powerful macro programming language in their Office applications. This has proven to be of little use to the vast majority of Microsoft Office users, but has been a boon to virus writers. Up to this point, we were very safe in saying "On the PC, viruses can ONLY be carried in program files, not data files". Well, now Word and Excel documents ARE program files, too. Worse, these programs can actually modify the host application (Word, Excel) so they can be copied to every document that you open from that point on.

When a program with a macro virus is loaded, the virus copies itself into a common file called "NORMAL.DOT" which holds common macros for all documents you work with. Any document you open from that point onwards is copied back from NORMAL.DOT to your new document.

This is really a problem, unfortunately, as macro viruses catch users doing exactly what they should be doing with their documents -- sharing them among each other.

Fortunately, starting with Office 97, Microsoft offered a simple but potentially effective way to avoid the problems with macro viruses. Under Tools/Options and the General tab, you should find an option "Macro Virus Protection". If this option is checked (and it is shipped that way on Office 97 and later), before you open any document that contains a macro, benign or a virus, it will display a box warning you of the macro in the document. You then have the option of either opening it with Macros enabled or disabled.

The magic to avoiding macro viruses is either
* Don't use Microsoft Office (my preferred solution)
* NEVER, EVER enable macros.

Here's the rub... If you EVER enable macros, you may let a virus in. Further, many if not most of the current strains of macro viruses make a beeline to the "Macro Virus Protection" option and disable it, and often HIDE it from you so you don't even notice it changed -- it is just MISSING. The only safe solution is to always say "No" any time the Enable Macros" message comes up. Even if the person who gives you a document says "there are useful and important macros in it", you still can't be sure there are not ALSO destructive macros as well!

Worse, even after the macro viruses are removed, the changes they made to Word and Excel are NOT typically undone. The "Macro Virus Protection" option will still be off, and maybe hidden, so your system is completely vulnerable to reinfection without notification.

Objections:
"You can do such useful things with macros!". Tough. They are so dangerous to use in open environment (one where files can be exchanged with outside users), they have to be considered broke.

"We REQUIRE macros to integrate Word/Excel with the rest of our application!" Tough. If that is the way your application is written, it has to be considered broke and too dangerous to use in an open environment.

Avoiding Macro Viruses:

Don't use Microsoft Word or Microsoft Excel. Alternatives exist, they are very good, too. My personal preference is the Lotus SmartSuite, but Corel Office and StarOffice are also very capable programs.
If you must use Word and Excel,

Ensure that "Macro Virus Protection" stays on.
NEVER enable macros on a document with them.
No exceptions. Ever.

E-Mail viruses

How they work:
Technically, these are typically "worms", not viruses, as they arrange their own transportation from machine to machine. There are a few variations on this form of virus, but there are some common elements.

Typically, they take the form of an E-mail message with an attachment from someone you have corresponded with in the past, which has a brief "introduction" and encourages you to click on the attachment. You do so, and the virus is activated. It will then send a copy of itself to everyone in your Outlook address book, and then may do something locally and potentially destructively on your computer (it may also do nothing directly destructive at all). Due to the fact that the average person may have between 10 and 1000 people in their address book, e-mail traffic can grow exponentially, and these viruses can quickly overwhelm many properly sized mail servers, and in the case of some of these programs, have quickly swamped the entire internet with garbage traffic.

Virtually all of these programs are dependent upon Microsoft Outlook as the source of the e-mail addresses used for replication. There is no reason they can't pull addresses from any other e-mail program, it is just that Outlook is so popular, it is the favorite tool of choice, and is more likely to permit a virus to propagate. Outlook also provides a rich environment to write a E-mail virus in, with its Visual Basic scripting language, it does not require any sophisticated programming skills to develop such an application, and existing viruses can be examined, modified, and re-released easily.

Why Not Outlook?
As you can probably guess by this point, part of how I avoid E-mail viruses is I don't use Microsoft Outlook or Outlook Express. Nice and simple, eh?

I wish to make it very clear -- the (local computer) damaging parts of these programs are typically indifferent to the mail program the user has. Outlook is often only the transport mechanism. The IT director of a client of mine introduced the "ILUVYOU" virus (one that propagates through Outlook) into his company through his Yahoo! Web Mail account. He clicked on the attachment, and ended up doing a restore from tape to repair the dammage done to his network servers.

I consider Outlook an unacceptable product for a number of reasons:

It is the "Virus Runtime Environment" of choice for virtually all E-mail viruses.
It has facilities which permit E-mails to be structured so Outlook will actually RUN an attachment without clicking on anything.
It defaults to hiding extensions of files from the user, so they can think they are clicking on "SMILE.JPG" (a graphic image) when in reality, they are clicking on "SMILE.JPG.vbs" (a program with a strange file name). Even with this "feature" disabled, unless updated, it still hides certain extensions such as .SHS that can also be used to hide a program.
Through Visual Basic Script and JavaScript, it can make an E-mail message directly executable. This is unacceptable behavior.
A demonstration "virus" has been shown which is activated simply by rolling the mouse over the subject line in Outlook, clicking on nothing! This means it is basically impossible to even delete this message without activating the virus. When this was announced, I went from disliking Outlook to actively recommending against it. This was only a demonstration, put on by skilled programmers showing what can be done, but it is probably just a matter of time until it figured out by a virus writer.
Nothing to do with viruses, but the program is very difficult to backup properly, and very difficult to move data from one computer to another. This makes it dangerous for any kind of business operations.

People, Outlook is a very dangerous program.

Objections:
"Outlook is a WONDERFUL program!" Yeah, until it bites you in the butt.

"Show me another program with all the features Outlook has!" No, that is not the point. If there is one, I'm sure I'll add it to my list of "Don't use this!" applications. The features are the very thing that gets people in trouble with Outlook. The point isn't the power of Outlook, the point is the danger.

"Outlook is also a group scheduler and we run our business off it!" Oops. Your mistake. You have been warned. There are alternatives which have much lower cost of ownership and operation. Note you can still separate your business's E-mail from the scheduling features of outlook, so that no external E-mail ever comes through your Outlook/Exchange mail system.

I can assure you, I read and write more E-mail than most people do, and I get by VERY well with the very basic Netscape E-mail program. You will have great difficulty convincing me you have an application which mandates the use of a different program.

Let me expose the ugly little secret to light: The biggest reason people like Outlook is it lets them have multiple E-mail accounts active at once. Biggest reason why someone would want to do that is so they can handle both personal and business e-mail interchangeably and invisibly. I fail to see how this is a benefit to the COMPANIES which choose this application.

Avoiding E-Mail viruses:

Don't use any form of Microsoft Outlook for external E-mail
Don't run ANY executable attachment. Ever.
Don't make the assumption that "it came from a friend, it must be safe!" (they ALL come from friends)
Don't click on any attachments sent to you by anyone unless you are expecting them from other channels (i.e., a phone call, "I'm E-mailing you the next week's schedule, it is a Word 2000 document". This is good for other reasons: You can say "Save that as Word 97, I don't have Word 2000").

Virus Hoaxes

How they work:
The message prompts the user to forward the hoax onto other people, thinking they are warning them of a imminent virus attack. I find this a particularly obnoxious form of virus -- and yes, even though it is a hoax, it is a form of virus. Here is a sample, sent to me recently:

Subject: VIRUS
Attention all Internet Users,
This looks like a bad one that's coming. Forward
this to others.
Please read and forward to everyone you know......
DO NOT OPEN "NEW PICTURES OF FAMILY" It is a
virus that will erase your whole "C" drive.
It will come to you in the form of an E-mail from
a familiar person. I repeat a friend sent it to
me, but called & warned me before I opened it.
He was not so lucky and now he can't even start his
computer!
Forward this to everyone in your address book. I
would rather receive this 25 times than not at all.
Also: Intel announced that a new and very destructive
virus was discovered recently. If you receive an
email called "FAMILY PICTURES," do not open it.
Delete it right away!
This virus removes all dynamic link libraries (.dll
files) from your computer. Your computer will not
be able to boot up.

This is amazingly typical of the hoax virus.

No date, but a sense of immediacy ("bad one coming"). I've seen some of these "virus alerts" come back around YEARS after the first time I have seen 'em, still with the same sense of urgency.
Scary impact. ("Erase your whole C drive")
"Forward this to everyone in your address book" The wording here is amazingly consistant.
Claim to authority ("Intel announced..." -- hey, Intel isn't in the business of announcing viruses! Other common ones are AOL, IBM and Microsoft, which also don't announce viruses.)
Pseudo technical explanation ("Removes all DLL files"), which often doesn't stand up to examination (why would you delete just the DLL files? Why not delete the entire contents of C:\WINDOWS? Faster, easier, same result)
A signature (deleted from the sample) of a real-sounding person at a real-sounding place.

This one has the curious addition of "I would rather receive this 25 times than not at all", nice touch, makes you feel better about mass mailing people, I guess. Haven't seen that before, I'm sure we'll see it in the future.

A virus or worm reproduces and moves from computer to computer. In this case, the reproduction and movement is provided by willing users, simply following directions. Hey, if I just told you to send me $25, would you? So why would someone forward on this message, just because someone told 'em to? I saw a spoof on this style "virus", an e-mail message which said "This is an honor system virus. Please forward to all people in your address book, then delete your hard disk. Thank you!"

The impact of these messages, while hardly as serious as the more traditional viruses, is not zero. They DO provide a non-trivial impact on mail servers all over the world. They waste time of users. They waste time of people like me (and the poor person who's name was on the bottom of that bogus message) who run around explaining "This is just a hoax". They may also serve as a way to "harvest" E-mail addresses for spammers.

Why do people do this?
I can only guess, but here are some potential reasons:

Personal attack: In this case, I suspect it may have been a form of attack on the person who's name, address and telephone number was stuffed at the end of the message.
Spammer's E-mail address harvesting system: As it came to me, there were almost 100 names and E-mail addresses, including what appeared to be an entire directory of a small school district's staff. This could be a boon to spammers who sell e-mail addresses to companies of little ethics that fill our email boxes.
"Look what I did": There is something thrilling about demonstrating that people are easily manipulated, this is a high-tech version of the "Made ya look!" and other childish games. Every time it gets forwarded back to the originator, they know you have succeeded.

Fact, people: There are thousands of new viruses every year. Please don't send out an E-mail about each and every one. And there is no reason to forward such an e-mail. People shouldn't be blindly clicking on ANY attachment. Any powerful virus is going to rotate the name of the attachment, anyway. Don't play along with these idiots.

Side note. The person who passed this note on to everyone in her address book out of a sense of concern has been responsible for many of the viruses that have run through her office. Very misplaced concern.

Avoiding Hoax Viruses:

Don't forward supposedly informative things to everyone in your E-mail list without thinking and doing a little of your own research first. When I received the above message, the first thing I did was punch a few key words into my favorite search engine, and got page after page of hits saying "Hoax". I already knew it was a hoax, but by having it show up in the search engine, I was able to see that it had been around for quite some time -- a search engine won't pick something up until it has been up for (typically) several weeks.
Part of me says "Don't forward mass mailings". I don't. I will forward things to individual people that I have reason to believe will appreciate them, but I have NEVER sent out any kind of mailing to everyone in my address book, and to be honest, I can't think of many reasons why anyone ever should.

But, how can I make my people do this?

This is a common argument people make... "I can't get my people to do this!"

Think about this for a moment...

Let's say your company has a fleet of vehicles used by employees for some purpose, such as delivery. If you are having trouble with your drivers running into each other, other vehicles and pedestrians, what do you do? Install big, padded bumpers? Throttle limiters? Warning lights? "IDIOT DRIVER ON BOARD" warning signs? Not likely. You will make sure your drivers have proper driver training, you will monitor what they do via "How's my driving?" numbers, etc. The ones that can't manage to drive safely or repaint the company vehicle in their own favorite colors, or add custom wheels and the like will be terminated or reassigned. No one (hopefully) would ever think of trying to use technological solutions to what is basically a management problem when it comes to the company vehicles.

So, why are things different with computers? Train them NOT to run attachments. Train them to reject Macro viruses. Train them NOT to load unauthorized software. If they do, reprimand them. Dock their pay for the cost of repairs. If they continue to violate company policy, remove them from the 'net or fire 'em. Treat your computer systems like any other company asset -- why computers are treated differently with regard to abuse than any other company asset is beyond me. If they wish to play with computers, they should play with their home machines, not the machines of the office.

You have a choice. You can either educate and instruct your users, you can revoke their network access, or you can spend considerable time and resources trying to keep virus scanners up to date, and cleaning up what gets through anyway. The virus scanners are imperfect and require training to keep them up to date anyway, why not just avoid the problem in the first place?

Common Myths about Viruses

Viruses are not magic, they are not difficult to understand. They spread through known means, not mysterious voodoo that only some other voodoo (virus scanner program) will save you from.
Virus detectors are not perfect, they will not always save you, even if updated "regularly".
E-mail viruses do NOT come from strangers, they come from friends and coworkers.
Simply surfing the 'net doesn't expose you to risk of viruses.
Downloading stuff from the net isn't necessarily bad, though downloading from non-authoritiative sources certainly can be. Downloading from original publisher's sites can be considered safe.

Executive Summary on How To Avoid Viruses:

Ensure that computers are set to NOT boot from floppy disk.
Ensure that Word and Excel have "Macro Virus Protection" enabled.
Never enable Macros, should the message come up.
Do not use Microsoft Outlook or Outlook Express.
Do not click on unsolicited e-mail attachments.
Do not forward virus warning E-mail messages.
Use software only from legitimate and authoritative sources

Holland Consulting home page
Contact Holland Consulting

since September 29, 2001

(C)opyright 2001, Nick Holland, Holland Consulting
Portions of this were derived from Nick Holland's postings to Internet mail lists.