Keeping Viruses Off Net a Battle

By Bruce Schneier
MacWEEK
June 22, 1992

Macs sitting alone on desert islands don't catch viruses. Even Macs whose users frequently trade disks with each other can be protected easily. With Macs on large networks, however, virus prevention can be a lot more complicated.

"If you have a published volume on your hard disk, someone can drop a virus on your machine without your knowledge," said Jeffrey Shulman, author of Virus Detective and Virus Blockade and president of Shulman Software Co. of Morgantown, W.Va.

Many Holes

Shared disk space, whether on servers or on local disks using System 7's file sharing, is an often unprotected means through which viruses can spread.

"If you have a shared partition where you allow someone else to run your applications, and someone with an infected Mac runs one of your applications on his machine, he may infect that application and your machine," Shulman said.

Said Greg German, senior research programmer in the Network Design Office at the University of Illinois at Urbana, "There is always the risk that an infected program on a file server will spread across campus."

Virus

Many companies have corporate policies regarding virus protection, but it is ultimately up to the individuals to protect themselves.

"Virus protection is a departmental responsibility, and each network administrator is responsible for dealing with that department's policies," German said.

Often, the network manager provides software and education to users but can't enforce anti-virus measures on a daily basis.

"We have corporate security standards for virus protection," said Karl Gamester, systems engineer at Electronic Data Systems of Troy, Mich. "It's up to the individual network administrators and the users to prevent viruses. They are supposed to scan all data files at the entry point into the Mac and to periodically scan their hard drives. Individual network administrators handle the servers."

Said Brian Shelden, network manager at software vendor DeltaPoint Inc. of Monterey, Calif.: "We don't have any coordinated virus protection strategy on our network. I'll send out E-mail to everyone reminding them to check their disks, and I'll run a virus scanner on the file servers. Other than that, it's up to the individual to keep viruses off their machines."

Other sites are more strict. "It's a requirement for any node on our peer-to-peer network to have security and virus protection, otherwise they don't get on the network. Servers are protected from viruses by the individual administrators," said Bill Mulvihill, network analyst for the Global Network Support Department at Motorola Corp.'s Semiconductor Products Center in Tempe, Ariz.

"All new machines have virus protection installed before people get them on their desks," said Bill Carr, manager of technical services at Southwestern Bell of St. Louis. "People have responsibility to scan their own machines. I scan the servers at least once a month or when a lot of new software is installed, and PowerBooks are scanned every time they are brought back into the office. We've been lucky, but if one hits us it'll zip through this network pretty quick."

The Network Vector

Currently, all the major virus-protection programs are System 7-compatible and can scan shared disks across AppleTalk networks.

"AntiToxin will work across a network and can be used to disinfect any known viruses on any mounted volume. If a volume is published on another machine, for example a server, an administrator can disinfect that server from a remote location," said Bill MacLeod, AntiToxin product manager at Mainstay of Agoura Hills, Calif. Other programs boast similar capabilities.

Also, system extensions running constantly on local machines can use automatic scanning features to help prevent the spread of viruses, even across networks. "Virus-Blockade can be configured to scan files immediately after they are created or modified, so if someone drops a file on your hard disk, Virus-Blockade will automatically check it for viruses," Shulman said.

However, running virus-intercept programs on file servers themselves can create problems. For instance, copying an infected file onto a server could bring up a dialog box that cannot be cleared remotely, thus locking up the server until someone deals with it.

Some network managers think virus protection should be integrated into their network-management software.

"My network-supervisor package is already continuously monitoring the network and alerting me if there are any problems," said DeltaPoint's Shelden. "It shouldn't be hard to add that capability to automatically scan for viruses, and then to alert my machine if there is a virus anywhere on the network."

One automated network-backup program, NetStream from Personal Computer Peripherals Corp. of Tampa, Fla., does include a simple check to determine if a file has been altered internally since the last backup. It should flag changes made by viruses as well as non-threatening program behavior that alters a file.
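An added example, not part of the original article and not NetStream's actual method (which the article does not describe): one way to check whether files were altered internally since the last backup, and why such a check flags benign changes too. The SHA-256 manifest, the function names and the sample volume are all assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record (size, mtime_ns, sha256) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return manifest

def altered_since(previous, current):
    """Files whose contents changed; 'silent' ones kept their size and date."""
    report = {"altered": [], "silent": [], "new": sorted(set(current) - set(previous))}
    for path in sorted(set(current) & set(previous)):
        old, new = previous[path], current[path]
        if old[2] != new[2]:              # content digest differs
            report["altered"].append(path)
            if old[:2] == new[:2]:        # a size/date comparison would miss this
                report["silent"].append(path)
    return report

def demo():
    """Constructed sample volume; file names and contents are invented."""
    with tempfile.TemporaryDirectory() as vol:
        def write(name, data, keep_times=False):
            path = os.path.join(vol, name)
            st = os.stat(path) if keep_times else None
            with open(path, "wb") as fh:
                fh.write(data)
            if st:  # restore old timestamps so size and date look unchanged
                os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        write("WordProcessor", b"CODE-AAAA")
        write("Spreadsheet", b"CODE-B prefs=default")
        write("Report.txt", b"quarterly numbers")
        last_backup = snapshot(vol)
        write("WordProcessor", b"CODE-XXXX", keep_times=True)  # same size, same date
        write("Spreadsheet", b"CODE-B prefs=custom-layout")    # benign self-update
        write("NewTool", b"CODE-C")
        return altered_since(last_backup, snapshot(vol))

if __name__ == "__main__":
    print(demo())
```

The check reports both the internally altered application and the one that merely rewrote its own settings, so a flagged file still needs a scanner or an administrator to decide which case it is.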

Success or Failure

Even without centralized network anti-virus strategies or tools, most companies have managed to avoid serious problems.

"Our system is not foolproof, but the occasional virus that gets through is caught pretty quickly," said Motorola's Mulvihill. Said EDS' Gamester, "In the few instances we've had problems, they've been eradicated immediately."

But user laxity is always a threat to software that's intended for individual use. "I almost wish we had a minor virus infection; people would be scared into taking it more seriously," said Mark McNew, senior computer scientist at Conoco of Houston.

In the end, increasing the awareness of users remains the best defense against infection, especially when networks create unprotected conduits for viruses.

"People think that if they scan their floppies they are automatically covered, but floppies aren't the only way corporations get software," Shulman said.

Said McNew: "We rely primarily on education; we tell our people that it's in their interest to protect themselves against viruses. The response has been good; most everyone cooperates willingly."

Said German: "People are already vulnerable before they connect to the AppleTalk network. Education is the only real defense against viruses."
