Marshal - Content Security Issues

Virus Protection

Virus infection was one of the first focus areas for gateway content security solutions. The threats to organizations from virus infection are well understood, and they are severe:
Who's Getting Smarter, Virus Writers or Anti-Virus Scanners?

Even though the threat from viruses is not new, it is always changing. Virus writers constantly evolve their methods to circumvent security controls and to fool unsuspecting users into accepting infected content. Security researchers have recently warned that sudden-impact worms such as Slammer are being superseded by slow-burning worms designed to avoid detection. The writers take their creations to a new level in an attempt to bypass traditional anti-virus software:
Today, the line between viruses and spyware is becoming blurred. With virus writers changing both their approach and their motives, organizations should be very concerned.

When is a Virus Not a Virus?

In late 2004, Microsoft announced a vulnerability in the processing of JPEG files, one of the most common image formats. Image files that appeared harmless could carry an attack against the image parser itself. Internet Explorer processes a JPEG before writing it to the disk cache, so a desktop could be compromised before file-based desktop anti-virus software had a chance to inspect the file. Organizations could only rely on their gateway-based solutions to stop the threat.
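The gateway check this implies, as an added example (this is not Marshal's code nor code from the original page): identify a file's type from its leading bytes rather than its name, and walk the JPEG marker segments to reject a structurally invalid file before any image parser sees it. A JPEG segment's 16-bit length field counts its own two bytes, so a value below 2 is never valid; the 2004 GDI+ bug was triggered by a comment (COM) segment with exactly such a length. The sample files are constructed inline and are not real images; scan_attachment and the small magic-byte table are assumptions for illustration.

```python
"""Added example: content-based typing plus JPEG marker-segment validation."""
import struct

MAGIC = {  # leading bytes -> type; the file name is never trusted (assumed table)
    b"\xff\xd8": "jpeg",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
}
SOS, EOI = 0xDA, 0xD9
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def sniff_type(data: bytes) -> str:
    """Type from content, not extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_jpeg(data: bytes) -> list:
    """Walk marker segments up to SOS; return a list of structural faults (empty = clean)."""
    if not data.startswith(b"\xff\xd8"):
        return ["no SOI marker"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return [f"expected 0xFF marker prefix at offset {pos}"]
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                return []
            pos += 2
            continue
        if pos + 4 > len(data):
            return [f"truncated length field for marker 0x{marker:02X} at offset {pos}"]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            # The length includes its own two bytes; 0 or 1 underflows a naive "length - 2".
            return [f"marker 0x{marker:02X} at offset {pos}: length field {length} < 2"]
        if pos + 2 + length > len(data):
            return [f"marker 0x{marker:02X} at offset {pos}: segment runs past end of file"]
        if marker == SOS:
            return []               # entropy-coded data follows; header walk complete
        pos += 2 + length
    return ["file ends inside the marker header"]


def scan_attachment(name: str, data: bytes):
    """Gateway decision: ('allow' | 'quarantine', reasons). Assumed policy for illustration."""
    kind = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if ext in ("jpg", "jpeg") and kind != "jpeg":
        reasons.append(f"{name} claims JPEG but content is {kind}")
    if kind == "pe":
        reasons.append(f"{name} is a Windows executable")
    if kind == "jpeg":
        reasons.extend(f"{name}: {fault}" for fault in check_jpeg(data))
    return ("quarantine" if reasons else "allow", reasons)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real images): a well-formed header, a COM segment whose
# length field is 1, and an executable renamed to look like a picture.
GOOD_JPEG = b"\xff\xd8" + _segment(0xFE, b"ok") + _segment(0xDA, b"\x00") + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"A" * 32 + b"\xff\xd9"
EXE_AS_JPG = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for blob in (GOOD_JPEG, BAD_JPEG, EXE_AS_JPG):
        print(scan_attachment("holiday.jpg", blob))
```

The check stops at the start-of-scan marker; it validates the header structure that a parser reads first, not the image data, and costs far less than decoding the image, which is why it is affordable at a gateway that must look at every file type.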
Most anti-virus solutions at the time were not tuned to detect malformed JPEGs because, by default, they inspect only executable and script file types. Extending the desktop scanner to every file type consumes valuable processing power.

Is Your Scanner Looking at Everything?

Most companies today take for granted that their gateway-based anti-virus scanning solutions do everything they promise. Security administrators worry less about traffic that enters through these scanners and instead spend their time tracking and eliminating traffic that does not.

The Bagle Incident

Imagine the alarm in March 2004 when a Bagle variant (Bagle.J, .H or .K, depending on the vendor's naming) passed directly through many of these industry-leading solutions. The culprit? A password-protected zip file carrying the worm, which used well-known techniques to spread via SMTP. Hours after it was discovered, customers at many large enterprise sites began to notice Bagle-carrying zip files slipping through their gateway defenses, and several more hours elapsed before anti-virus updates that detected the new variant were available.
To an anti-virus scan engine, password protection is encryption: the archive's member data is encrypted so that nobody, human or machine, can read it without the key. The member file names remain readable in the archive headers, but the scanner cannot decompress or inspect the contents without the password. No password, no scanning.

What Are The Lessons of Bagle?

It is important to stress that the problem with infected password-protected zip files shows up only at scan points that see the archive but not its extraction, such as gateway scanners. On client computers with up-to-date anti-virus protection, the worm is detected as soon as the user supplies the password and the archive is decrypted and decompressed. Bagle provided a graphic demonstration of the critical need for anti-virus defenses on multiple layers of the IT infrastructure. Gateway anti-virus solutions should provide an explicit policy for scanning exceptions, for instance what to do with a password-protected file that cannot be scanned. Lastly, this incident once again demonstrated the lengths users will go to in order to open an infected email attachment. If anyone thought a password-protected zip would limit the spread of malware, this Bagle variant proved the opposite.

Layered Defense Is Critical

A key goal of an anti-virus strategy is to stop viruses before they enter your network. Email is now the primary attack vector for virus writers and should be the primary focus of defense. Although cost savings are achievable by using a single vendor for both the desktop/server and the email gateway, a new, as yet undefined virus that passes the email gateway will then not be detected at servers or workstations either, because both layers share the same signatures.
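The archive policy the Bagle lessons call for, and the keyword and attachment filtering suggested below for the hours before a signature exists, as one added example (this is not Marshal's code nor code from the original page): enumerate a ZIP's members, separate what can be handed to a scan engine from what is encrypted, and apply a configurable exception policy. Bit 0 of each member's general-purpose flag marks encryption; the member names stay readable, which is why an encrypted archive carrying an executable name can still be quarantined. The sample archives are constructed inline; their member data is not really encrypted, only the flag bit is set, which is all the check reads. The suffix list, the policy values and outbreak_rule are assumptions for illustration.

```python
"""Added example: gateway policy for ZIP attachments, including unscannable encrypted members."""
import io
import zipfile

ZIP_ENCRYPTED = 0x1   # bit 0 of the general-purpose flag field
# Assumed list of member suffixes that never belong in inbound mail
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def inspect_zip(data: bytes, pwd=None) -> dict:
    """Enumerate members; report what could be read and what could not."""
    report = {"members": [], "executables": [], "unscannable": [], "scannable": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for m in zf.infolist():
            report["members"].append(m.filename)          # names are plaintext even when encrypted
            if m.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                report["executables"].append(m.filename)
            if (m.flag_bits & ZIP_ENCRYPTED) and pwd is None:
                report["unscannable"].append(m.filename)  # no key, no scanning
                continue
            try:
                report["scannable"][m.filename] = zf.read(m, pwd=pwd)  # hand this to the AV engine
            except (RuntimeError, zipfile.BadZipFile):    # wrong password or damaged member
                report["unscannable"].append(m.filename)
    return report


def verdict(report: dict, unscannable_action: str = "quarantine"):
    """Executables are always quarantined; encrypted members follow the configured
    exception (assumed values: 'quarantine' or 'allow')."""
    reasons = []
    if report["executables"]:
        reasons.append("executable member(s): " + ", ".join(report["executables"]))
    if report["unscannable"]:
        reasons.append("could not scan (encrypted): " + ", ".join(report["unscannable"]))
    if report["executables"]:
        return "quarantine", reasons
    if report["unscannable"]:
        return unscannable_action, reasons
    return "allow", reasons


def outbreak_rule(subject: str, attachment_names, subject_keywords,
                  blocked_suffixes=EXECUTABLE_SUFFIXES) -> bool:
    """Temporary content-filter rule for the hours before a signature exists:
    quarantine on a known subject line or a blocked attachment name."""
    subj = subject.lower()
    if any(k.lower() in subj for k in subject_keywords):
        return True
    return any(n.lower().endswith(blocked_suffixes) for n in attachment_names)


def _build_sample(members: dict, encrypted: bool) -> bytes:
    """Constructed test archive. With encrypted=True only the flag bit is set in the
    local headers (offset 6) and central directory entries (offset 8); the data itself
    is left in clear, which is enough to exercise the gateway check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= ZIP_ENCRYPTED
                i = data.find(sig, i + 4)
    return bytes(data)


# Constructed samples: a clean document, an encrypted archive carrying an executable
# (modelled on the incident described above), and an encrypted archive of a document.
CLEAN_ZIP = _build_sample({"report.txt": b"quarterly numbers"}, encrypted=False)
BAGLE_LIKE_ZIP = _build_sample({"photo.exe": b"MZ\x90\x00" + b"\x00" * 60}, encrypted=True)
ENCRYPTED_DOC_ZIP = _build_sample({"notes.txt": b"internal only"}, encrypted=True)

if __name__ == "__main__":
    for blob in (CLEAN_ZIP, BAGLE_LIKE_ZIP, ENCRYPTED_DOC_ZIP):
        print(verdict(inspect_zip(blob)))
    print(outbreak_rule("Re: Hello", ["photo.exe"], ["price list"]))
```

Running the block shows the three outcomes the text describes: a clean archive is allowed, an archive whose encrypted member is named like an executable is quarantined on the name alone, and an encrypted document triggers whatever the administrator has configured for the unscannable case, which is the scanning exception the Bagle lessons ask gateway products to expose.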
Not all anti-virus vendors rely completely on pattern file updates; several have developed heuristic-based detection engines. Local administrators can also help protect their networks by researching the virus and using content filtering on keywords and subject lines, together with attachment filtering, to quarantine a potential virus in the early stages of an outbreak, before a signature is available. This method does require significant additional effort.

Potential New Victims

Desktop/server anti-virus is now a relatively mature defense. Vendors are introducing more advanced policy enforcement and update management. Best-practice IT departments now enforce strict anti-virus compliance by employees and business partners on all connecting nodes, including remote laptops and personal digital assistants (PDAs). Tools that check for up-to-date anti-virus software before allowing a connection are commonplace. Most leading anti-virus vendors have clients for different types of devices, but none support every platform (for instance Palm, Pocket PC, RIM BlackBerry and Symbian), and those clients may not be tightly integrated into desktop management. Wireless Application Protocol (WAP) devices, unified messaging and Voice over Internet Protocol (VoIP) represent potential new victims for virus writers. The limited capabilities of these devices and services make them less interesting as targets, but they have potential as infiltration points into the network. Another potential attack vector is Instant Messaging (IM). The security industry has so far been relatively slow to address this space, and many companies have opted not to take advantage of IM but to disable it until they are able to protect it.

Traditional Scanners: Can I Afford To Wait For the Pattern File?

Anti-virus vendors are forced into a scenario where they must invent new defenses every day. Their software can predict and prevent some never-before-seen viruses.
But all too often, a new virus spreads unchecked before vendors develop and distribute a new signature file that can match the virus and remove it. Recent testing by AV-Test.org found that average response times for anti-virus vendors to respond to new threats varied from just under seven hours to more than 29 hours. No wonder Slammer did so much damage in the first 10 minutes of its life.

An emerging technology detects a new virus by observing what the suspect code does in a virtual test environment and then running a series of heuristic-based tests on the code to predict what it would do to a normal desktop machine. This technology (known as "sandboxing") is improving constantly, but it is not yet a replacement for traditional methods because of the additional processing power the tests require. What works well is a combination of both: first perform the traditional pattern file check, and if that is negative, run a test tailored to the type of file being checked. An example of sandboxing technology is Norman's Sandbox feature, which Virus Bulletin magazine tested in February 2005. In that test, Sandbox recognized 100 percent of the viruses tested; other leading anti-virus companies did not come close to those results. Norman is one of several third-party anti-virus solutions that Marshal supports and can integrate with.

Summary

Your company may not feel it has a virus problem. Some corporations think they can prevent viruses by stripping all attachments from incoming email, but this is disruptive to day-to-day business. If you do find yourself coping with new viruses too often, look at the response time of your anti-virus vendor.

Marshal's Gateway Anti-Virus Solutions

Marshal solutions deliver complete gateway content security for email and web browsing. Marshal solutions provide high-throughput integration with leading virus scanning software, including Norman and McAfee solutions.
For a full list of supported anti-virus software, contact Virus Defence Bureau.