Virus infection was one of the first focus areas for gateway content security solutions. The threats to organizations from virus infection are well understood and are severe.
Who's Getting Smarter: Virus Writers or Anti-Virus Scanners?
The threat from viruses is not new but is always changing. Security researchers have warned that sudden impact viruses, such as the Slammer worm, are being superseded by slow-burning worms that focus on avoiding detection and bypassing traditional anti-virus software.
Malware authors, many of whom use viruses as a way of making money, are regularly testing their viruses against anti-virus packages, often through a vendor's trial software.
Writers also submit their viruses to some companies' live test sites to measure their effectiveness.
One of the fastest spreading viruses seen so far, Slammer, infected 90 percent of vulnerable hosts within 10 minutes of being released. It raced around the Web, disrupting IT networks worldwide. But because the worm caused such damage it was widely reported and defined quickly by the anti-virus vendors. IT staff were able to quickly prevent further harm.
Many new viruses attempt to install key loggers that can record passwords and personal details leading to identity theft and other related issues. Key loggers are more commonly classified as spyware, but the line between viruses and spyware is becoming increasingly blurred.
With the virus writers changing their approach and their reasons for their activity, organizations should be very concerned.
When is a Virus Not a Virus?
In late 2004, Microsoft announced a vulnerability affecting JPEG files, one of the most common image formats. Image files that appeared harmless actually contained security attacks. Internet Explorer processes JPEGs before writing them to disk cache, so desktops became infected before the desktop anti-virus software had a chance to work. Organizations could only rely on their gateway-based solutions to stop the threat.
“MailMarshal customers were well protected from the JPEG exploit threat. Marshal security experts quickly released a means of detecting the JPEG exploit without depending on anti-virus updating.”
Anti-virus vendors debated whether it was their responsibility to be detecting such vulnerabilities, while the desktop application vendors frantically worked on security patches to plug the vulnerability in their applications. In the end, companies were left vulnerable for an extended period of time and then had to go through the pain of updating all workstations.
Most anti-virus solutions are not tuned to detect JPEG malware because, by default, they only search executable and scripting files. And if the desktop anti-virus scanner needs to look at more types, it consumes valuable processing power.
Is Your Scanner Looking at Everything?
Most companies today take for granted that their gateway-based anti-virus scanning solutions are doing everything they promise. Security administrators worry less about traffic entering through these scanners, but rather spend their time tracking and eliminating any traffic that does not.
The Bagle Incident
Imagine the alarm in March 2004 when a Bagle variant (Bagle.J, .H or .K, depending on the vendor) passed directly through many of these industry-leading solutions. The culprit? A password-protected zip file carrying the worm that used well-known techniques to spread via SMTP.
Several hours elapsed before anti-virus updates were provided to detect the latest Bagle variant. In the meantime, the only sure bet was blocking all zip files coming in, a draconian policy many were reluctant to implement.
“MailMarshal includes its own support for archive unpacking. When MailMarshal cannot open a file (due to passwords or intentional malformation), the file can be quarantined. This feature allowed MailMarshal customers to continue about their business with minimal disruption.”
The eventual solution from anti-virus vendors included scan engine updates and/or pattern files. To an anti-virus scan engine, password protection is basically encryption. The purpose of encrypting is to avoid prying eyes, including those of people and technology. However, the anti-virus technology must have the key or password to decompress the zip archive and scan it. No password, no scanning - it's as simple as that.
What Are The Lessons of Bagle?
The problem with infected password-protected zip files is only manifested with gateway scanners. On client computers with up-to-date anti-virus protection, the worm is detected once the user provides the password and decompresses/decrypts the zip file. Bagle provided a graphic demonstration of the critical need to implement an anti-virus defense on multiple layers of the IT infrastructure.
Gateway anti-virus solutions should provide for scanning exceptions, for instance when a password-protected file cannot be scanned.
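The two gateway weaknesses described in this paper, a scanner that selects files by extension (the JPEG case above) and an archive that cannot be opened because of a password or a damaged header (the Bagle case), can both be handled at the gateway before any signature is involved. The following is an added example written for this page, not MailMarshal code: it identifies each attachment by its leading bytes rather than its extension, tries to open every member of a zip archive, and quarantines anything it cannot inspect. The type table, the `scan`/`quarantine` policy names and the sample attachments are all constructed for the illustration; the hand-off to a real scan engine is represented only by the `scan` decision.

```python
"""Attachment triage for a mail gateway: identify content by magic bytes rather
than by extension, and quarantine archives that cannot be opened for scanning.

Added example, not Marshal/MailMarshal code. The type table, the policy names
('scan'/'quarantine') and the sample attachments are constructed for this
illustration; the real AV engine call is represented by the 'scan' decision.
"""
import io
import zipfile

# Leading bytes -> type. Constructed table covering only what this example needs.
MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe-executable"),
)

# What a filename extension claims to be (constructed, deliberately small).
EXT_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "zip": "zip", "exe": "pe-executable"}


def sniff_type(data: bytes) -> str:
    """Identify the attachment by its leading bytes; the extension is not consulted."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def zip_is_scannable(data: bytes) -> tuple:
    """A zip is scannable only if every member can be read without a password.
    Bit 0 of the general-purpose flags marks an encrypted member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return False, f"encrypted member: {info.filename}"
                with zf.open(info) as member:  # raises on a damaged member
                    member.read()
    except Exception as exc:  # any failure to open means we cannot scan it: fail closed
        return False, f"malformed archive: {exc}"
    return True, "ok"


def triage(filename: str, data: bytes) -> dict:
    """Return the gateway decision for one attachment.

    'scan' means hand the bytes to the AV engine whatever the extension says;
    'quarantine' means the content cannot be trusted to the scanner path at all.
    """
    real = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TYPES.get(ext, "unknown")

    if real == "zip":
        ok, why = zip_is_scannable(data)
        if not ok:
            return {"action": "quarantine", "type": real, "reason": why}
    if declared != real:
        return {"action": "quarantine", "type": real,
                "reason": f"extension .{ext} claims {declared}, content is {real}"}
    return {"action": "scan", "type": real, "reason": "content type confirmed"}


def _stored_zip(member: str, payload: bytes) -> bytes:
    """Build a one-member, uncompressed zip in memory (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set the 'encrypted' flag bit in the local header
    (offset 6) and central directory header (offset 8) of a single-member zip.
    The data is not really encrypted; zipfile only consults the flag, which is
    enough to model a password-protected archive arriving at the gateway."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        buf[buf.find(sig) + flag_offset] |= 0x01
    return bytes(buf)


# Constructed sample attachments (none of these are real malware).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.zip": _stored_zip("report.txt", b"quarterly figures"),
    "secret.zip": _mark_encrypted(_stored_zip("payload.exe", b"MZ placeholder")),
    "broken.zip": b"PK\x03\x04" + b"\x00" * 26,          # header with no directory
    "holiday.jpg": b"MZ" + b"\x00" * 30,                 # executable bytes, image name
}


def run_samples() -> dict:
    """Triage every constructed sample; returns name -> decision."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict['action']:10} {verdict['reason']}")
```

The point of the ordering is that nothing is skipped on the strength of its extension: a JPEG is sent to the scanner like any executable, and a zip that cannot be opened is not passed along with a "clean" verdict it never earned. A production gateway would add a release path for quarantined mail, which is the "scanning exception" the section above asks for.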
The Bagle incident once again demonstrated the lengths users will go to in attempting to open an infected email attachment. If anyone thought a password-protected zip would thwart the distribution potential of malware, this Bagle variant proved the opposite.
Layered Defense Is Critical
“Marshal solutions provide high-throughput integration with leading virus scanning software.”
A key goal of an anti-virus strategy is to stop viruses before they enter your network. Email is now the primary attack vector for virus writers and should be the primary focus of defense.
Although cost savings are achievable by using a single vendor for both the desktop/server and the email gateway, a new, undefined virus that passes through the email gateway will then also go undetected at the server and workstation levels.
Security experts recommend using different anti-virus scanning engines at the email gateway, the server and the desktop, for extra protection. Anti-virus vendors react to new viruses at different rates, and scans typically miss viruses one to three percent of the time. Having different vendors’ protection at each tier means that if one product misses a virus or is slower in responding to a new threat, another may detect it.
Potential New Victims
Internet-based email (such as Yahoo and Hotmail) remains a significant backdoor for virus attacks. Fewer than one percent of sanctioned corporate email boxes are Internet-based accounts, but numerous companies tacitly allow Internet mail as a perk or a spam diverter. The Nimda virus, which exploited holes in Microsoft IIS servers to infect browsers, also illustrated the potential danger of Web activity. Anti-virus scan engines for Web gateways are one response to this threat.
IT departments are now enforcing strict anti-virus compliance by employees and business partners on all connecting nodes, including remote laptops and personal digital assistants (PDAs). But although most leading anti-virus vendors have clients that support different types of devices, none supports all variants (for instance, Palm, Pocket PC, RIM Blackberry and Symbian), and they also may not be tightly integrated into the desktop management solution.
Wireless Application Protocol (WAP) devices, unified messaging and Voice over Internet Protocol (VoIP) represent potential new victims for virus writers. The limited capabilities of these devices and services make them less interesting as targets, but they have potential as infiltration points into the network. Another potential attack vector is Instant Messaging (IM). The security industry has so far been relatively slow to address this space. Many companies have opted not to take advantage of the capabilities of IM but, instead, to disable it until they are able to protect it.
Traditional Scanners: Can I Afford To Wait For the Pattern File?
All too often a new virus spreads unchecked before anti-virus vendors can develop and distribute a new signature file to match the virus and kill it.
More information:
• AV-Test.org
• Marshal Business Issues papers
Recent testing by AV-Test.org found that average response times for anti-virus vendors to respond to new threats varied from just under seven hours to more than 29 hours. No wonder Slammer did so much damage in the first ten minutes of its life.
A technology called sandboxing is increasingly being used alongside traditional pattern file checking to try to speed up responses to new viruses. Sandboxing involves detecting a new virus by observing what the suspect code does in a virtual test environment and predicting what it might do to a standard desktop PC.
An example of sandboxing technology is Norman's Sandbox feature, which has been shown in tests to recognize 100 percent of viruses. Norman is one of several third-party anti-virus solutions that Marshal supports and can integrate with MailMarshal and WebMarshal.
Summary
Your company may not feel it has a virus problem. Some corporations think they can prevent viruses by stripping all attachments from incoming email, but this is disruptive to your company's day-to-day business.
If you do find yourself coping with new viruses too often, look at the response time of your anti-virus vendor.
How Marshal Solutions Protect Your Gateway
Marshal solutions deliver complete gateway content security for email and Web browsing. Marshal solutions provide high-throughput integration with leading virus scanning software, including Norman and McAfee solutions. For a full list of supported anti-virus software, please contact Marshal.
MailMarshal SMTP
MailMarshal delivers protection from viruses and other email content threats. In addition to virus scanner integration, the following MailMarshal features can help to limit virus threats.
- Archive file unpacking - ensures content is not smuggled in
- TextCensor - lexical analysis engine that identifies virus-related text in email
- SpamCensor - powerful anti-spam technology that identifies many email viruses
- SpamCensor Zero Day - provides quick response updates
WebMarshal
WebMarshal provides protection from web-based threats, including viruses, spyware, other malicious web content, and web-based email. In addition to virus scanner integration, the following WebMarshal features can help to limit virus threats.
- TextCensor - lexical analysis engine that identifies virus-related text in email
- URL Filtering List integration - prevents access to known suspect sites