Time to Reconsider Antivirus
Security specialists have always known that antivirus software has significant limitations, but many general IT practitioners have regarded antivirus as a pretty much failsafe solution. However, recently published research will require even the most diehard antivirus fans to reconsider their malware strategy. According to AusCERT (the Australian Computer Emergency Response Team), only 20% of new malware is caught by the most popular antivirus applications. Malicious code is increasing in quality and sophistication.
AusCERT report that the bad guys now test their code against the major antivirus products in order to increase the odds of getting through these defences. Consequently, some of the lesser-known antivirus products have a better success rate than the big players.
Some organisations use more than one antivirus product to increase coverage, and given these statistics this looks like a very good move. However, this new situation highlights the need for a “defence in depth” approach to preventing malware. Antivirus products need to be viewed as just one element of a multi-layered strategy that should also include:
• Web Content Filtering: a lot of malware enters organisations from types of sites (e.g. gambling), web mail, or web services (e.g. Instant Messaging) that should be denied using a content filtering system
• User Education: users can play a crucial role as a last line of defence against malware that has slipped past the antivirus defences. Users need to be educated in the importance of not opening attachments from unknown or untrusted sources, deleting spam without opening it, etc. It's basic, but it can make all the difference.
• Separate Admin Accounts: viruses/worms run (and hence spread) in accordance with the level of privilege of the infected user. If a virus runs with standard user privileges, the impact is likely to be minimal compared with the consequences of the same virus running with Admin user privileges. People with Admin privileges should therefore only use their Admin account when strictly necessary, and should use a standard user account at all other times.
• Disable File & Printer Sharing: the default setting for file & printer sharing is “on”. This means that if a user does become infected, the virus/worm will attack all of the servers around the network which that user is authorised to access. Disabling file & printer sharing on servers (other than file servers) significantly reduces the potential impact of a virus/worm. (There are easy alternative ways of carrying out all of the tasks that file & printer sharing is normally used for – but if this is regarded as too great a hardship, only enable file & printer sharing for a limited time to perform the task in hand, and then disable it again).
• “Principle of Least Privilege”: if all levels of user only have the minimum access privileges that are strictly necessary to enable them to do their job, the risk of a virus/worm spreading around a network is significantly reduced.
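The “Disable File & Printer Sharing” item above, as an added example that is not part of the original article: a PowerShell script that audits the File and Printer Sharing firewall rule group on a Windows server, disables it unless the host is actually a file server, and offers the article's fallback of enabling it only for a limited window. It assumes Windows Server 2012 or later with the built-in NetSecurity, SmbShare and ServerManager modules; the function names are the example's own.

```powershell
# Added example, not from the article: manage the File and Printer Sharing
# firewall rule group on a Windows server (Windows Server 2012+ assumed).
$Group = 'File and Printer Sharing'

function Test-IsFileServer {
    # Treat the host as a file server if the role is installed or it publishes
    # any share other than the built-in administrative ones (C$, ADMIN$, IPC$).
    $roleInstalled = (Get-WindowsFeature -Name FS-FileServer).Installed
    $userShares    = @(Get-SmbShare | Where-Object { -not $_.Special })
    return ($roleInstalled -or ($userShares.Count -gt 0))
}

function Get-SharingRuleState {
    # Audit only: which rules in the group are enabled, per direction and profile.
    Get-NetFirewallRule -DisplayGroup $Group |
        Select-Object DisplayName, Direction, Profile, Enabled |
        Sort-Object Enabled -Descending
}

function Disable-SharingUnlessFileServer {
    # Servers that do not serve files get the whole rule group switched off.
    if (Test-IsFileServer) {
        Write-Output "File server role or user shares present; leaving '$Group' enabled."
        return
    }
    $enabled = @(Get-NetFirewallRule -DisplayGroup $Group | Where-Object { $_.Enabled -eq 'True' })
    if ($enabled.Count -gt 0) {
        $enabled | Disable-NetFirewallRule
        Write-Output "Disabled $($enabled.Count) '$Group' rule(s) on $env:COMPUTERNAME."
    } else {
        Write-Output "'$Group' already disabled on $env:COMPUTERNAME."
    }
}

function Enable-SharingTemporarily {
    # The article's fallback: enable sharing only for the task in hand, then
    # disable it again. Run the task in another session while this waits.
    param([int]$Minutes = 15)
    Enable-NetFirewallRule -DisplayGroup $Group
    Write-Output "'$Group' enabled for $Minutes minute(s); re-disabling afterwards."
    Start-Sleep -Seconds ($Minutes * 60)
    Disable-NetFirewallRule -DisplayGroup $Group
    Write-Output "'$Group' disabled again on $env:COMPUTERNAME."
}

Get-SharingRuleState | Format-Table -AutoSize
Disable-SharingUnlessFileServer
```

Run it from an elevated prompt; the audit output before the change is worth keeping as a baseline so that later reviews can spot rules that were re-enabled.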