
Enterprise Gateway Virus Protection
Marshal provides Web and email gateway solutions for virus protection. The Marshal Content Security solution can run several virus-scanning products side by side, so that a virus missed by one engine can still be caught by another.
With Marshal, you can prevent virus entry or exit from your network via:
- email
- internet browsing
- web mail-based systems
Who's getting smarter: virus writers or anti-virus scanners?
The creators of viruses are constantly evolving their methods to circumvent security and to fool unsuspecting users into accepting viruses.
Security researchers have recently warned that sudden-impact worms such as Slammer are being superseded by slow-burning worms whose focus is on avoiding detection.
Virus writers are taking their creations to a level that traditional anti-virus programs have difficulty detecting. Examples include:
- Virus writers putting more time into making their viruses stealthier in an attempt to sneak them past anti-virus software.
- Malware authors, many of whom now use viruses as a way of making money, regularly testing their viruses against anti-virus packages, often using a vendor's trial software.
- Writers submitting their viruses to some companies' live test sites to measure their effectiveness.
Many new viruses attempt to install key loggers that record passwords and personal details, leading to identity theft and related problems. Key loggers are more commonly classified as spyware, a category where anti-virus vendors are still divided on the best way to protect users.
Traditional pattern-file-based solutions are the least effective against new viruses, since they cannot detect a virus until the vendor has analysed it and distributed an updated pattern file. Solutions using heuristic detection have proven more effective, but they are still evolving.
One of the fastest-spreading worms seen so far, Slammer, infected 90 percent of vulnerable hosts within 10 minutes of its release. It raced around the Internet, disrupting IT networks worldwide. But because the damage was so obvious, was widely reported, and the worm was defined quickly by the anti-virus vendors, IT staffs were able to limit additional harm quickly.
Today, the line between viruses and spyware is becoming blurred. With the virus writers changing their approach and reasons for their activity, organizations should be very concerned.
When is a virus not a virus?
In late 2004, Microsoft announced a vulnerability in Windows' JPEG processing that let a JPEG file that appeared harmless carry an attack. Internet Explorer processes JPEGs before it caches them, so a desktop could be compromised before the desktop anti-virus software had a chance to scan the file, leaving companies to rely on their gateway-based solutions to stop the threat.
Anti-virus vendors debated whether detecting such vulnerabilities was inside their realm, while the desktop application vendors frantically worked on security patches to plug the hole in their applications. In the end, companies were left vulnerable for an extended period and then had to go through the pain of patching desktops.
The anti-virus software vendors looked as if they would struggle to protect corporate networks from this Windows vulnerability. Most anti-virus products strain to find JPEG malware because, by default, they scan only executables and script files for hidden viruses. Asking the scanner to look at more types consumes valuable processing power and adds to the number of file formats it must parse.
Marshal security experts quickly devised and released a means of detecting the JPEG exploit for use with MailMarshal. MailMarshal customers were well protected during the extended period that the AV vendors and desktop application vendors debated the issue.
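The point of the JPEG episode is that a gateway does not need a virus signature to reject a file that is malformed by the rules of its own format. The following is an added example, not Marshal's detection logic and not code from this page: it walks the marker segments of a JPEG up to Start-of-Scan and refuses any segment whose declared length is below the 2-byte minimum or runs past the end of the file (the 2004 GDI+ bug, Microsoft bulletin MS04-028, was triggered by a comment segment declaring a length of 0 or 1). It also rejects a file that is not a JPEG at all, whatever its extension. The function name `check_jpeg` and the sample byte strings are this example's own constructions, not real captured files.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def check_jpeg(data: bytes):
    """Walk a JPEG's marker segments up to Start-of-Scan and return (accept, reason).

    Every other segment starts with 0xFF <marker> and a 16-bit big-endian length
    that counts the two length bytes themselves, so a declared length below 2 or
    one that runs past the end of the file is malformed by definition."""
    if data[:2] != bytes([0xFF, SOI]):
        return False, "no SOI marker: not a JPEG, whatever the extension says"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return False, f"garbage where a marker was expected at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:    # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            return False, "file ends inside a marker"
        marker = data[pos]
        pos += 1
        if marker == 0x00:
            return False, f"stuffed 0xFF00 outside scan data at offset {pos - 1}"
        if marker == EOI:
            return False, "EOI before SOS: no image data"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, f"segment 0x{marker:02X} is missing its length field"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            return False, (f"segment 0x{marker:02X} at offset {pos} declares "
                           f"length {length}, below the 2-byte minimum")
        if pos + length > len(data):
            return False, (f"segment 0x{marker:02X} at offset {pos} declares "
                           f"length {length}, past end of file")
        if marker == SOS:
            return True, "headers sane up to SOS"      # entropy-coded data follows
        pos += length
    return False, "file ends before SOS"


def _segment(marker, payload):
    """Encode one marker segment; the length field includes its own two bytes."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real captures): a minimal well-formed JPEG skeleton,
# a comment segment declaring length 1, and a Windows executable renamed .jpg.
GOOD_JPEG = (bytes([0xFF, SOI])
             + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
             + _segment(0xFE, b"hello")
             + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
             + b"\x00" + bytes([0xFF, EOI]))
BAD_COMMENT = bytes([0xFF, SOI, 0xFF, 0xFE]) + struct.pack(">H", 1) + b"\x90" * 16
EXE_RENAMED = b"MZ\x90\x00" + bytes(60)
```

The check stops at SOS on purpose: the entropy-coded image data that follows has no length fields to validate, and decoding it is the job of a full image parser, not a gateway filter. The cost of this kind of structural check is small compared with running a full scan engine over every image, which is the trade-off the text above describes.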
Is your scanner looking at everything?
Most companies today take for granted that their gateway-based anti-virus scanning solutions are doing everything they promise. Security administrators worry less about traffic that enters through these scanners and spend their time instead tracking and eliminating any traffic that bypasses them.
Imagine the alarm in March 2004 when a Bagle variant passed straight through many of these industry-leading solutions (named Bagle.H, .J or .K, depending on the vendor). The culprit? The worm was carried in a password-protected zip file, while otherwise using well-known techniques to spread via SMTP.
Within hours of its discovery, customers at many large enterprise sites began to notice Bagle-carrying zip files slipping through their gateway defenses. The anti-virus vendors were slow to react, which probably indicates they had a hard time finding a flexible solution to incorporate into existing pattern files and scan engines. Several hours elapsed before updates were provided to detect the latest Bagle variant. In the meantime, the only sure bet was to block all incoming zip files, a draconian policy many were reluctant to implement.
Again, MailMarshal customers were well protected. MailMarshal recursively unpacks archive files such as zip to discover their true contents, including viruses. Where a zip file is password protected and MailMarshal cannot open it, MailMarshal is flexible enough to quarantine only those zip files it is unable to open, allowing customers to continue about their business with minimal disruption.
Eventually, the solution from the AV vendors included scan-engine updates and/or somewhat late pattern files. One vendor even went so far as to scan email with Bagle-like characteristics for the password (which the worm supplied in the message body), then use it to extract the contents of the zip archive so that they could be scanned. Many other vendors relied on spam-detection technologies to find the problem email.
To an anti-virus scan engine, password protection is basically encryption. The purpose of encryption is to avoid prying eyes, whether human or technological. The anti-virus engine must have the key or password to decompress the zip archive and scan it. No password, no scanning, simple as that. What a scanner can still see is the archive's central directory, which the zip format leaves in the clear: the names and sizes of the entries are visible even when their contents are not, which is enough to notice an entry named like an executable and enough to make a quarantine-what-you-cannot-open policy precise rather than blanket.
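To make the two points above concrete (recursive unpacking with quarantine of only what cannot be opened, and the vendor trick of harvesting the password from the message body), here is an added example in Python. It is not MailMarshal's implementation or any vendor's code. The gateway logic (`inspect_attachment`, `harvest_passwords`, `gateway_verdict`), the depth and size limits, the password regex and the sample message are all this example's own assumptions. Because Python's `zipfile` module can read but not write encrypted entries, the block also carries a minimal zip writer and the traditional PKWARE "ZipCrypto" cipher purely to construct a Bagle-like test archive; neither is needed on a real gateway.

```python
import io
import re
import struct
import zipfile
import zlib

MAX_DEPTH = 8               # refuse archives nested deeper than this
MAX_ENTRY_BYTES = 16 << 20  # refuse to unpack any entry claiming more than 16 MiB
M32 = 0xFFFFFFFF

def zipcrypto_encrypt(plain, pwd, check_byte):
    """Traditional PKWARE stream cipher, only to build a sample zipfile can decrypt."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def update(b):
        nonlocal k0, k1, k2
        k0 = zlib.crc32(bytes([b]), k0 ^ M32) ^ M32      # raw CRC table step, no pre/post XOR
        k1 = (k1 + (k0 & 0xFF)) & M32
        k1 = (k1 * 134775813 + 1) & M32
        k2 = zlib.crc32(bytes([k1 >> 24]), k2 ^ M32) ^ M32
    def keystream_byte():
        t = (k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    for b in pwd:
        update(b)
    out = bytearray()
    # 12-byte header: 11 filler bytes then the check byte (high byte of the entry's CRC).
    for b in bytes(11) + bytes([check_byte]) + plain:
        out.append(b ^ keystream_byte())
        update(b)
    return bytes(out)

def build_zip(entries):
    """Minimal zip writer (stored, no zip64) for [(name, data, password_or_None)]."""
    body, central = bytearray(), bytearray()
    for name, data, pwd in entries:
        crc, flags, payload = zlib.crc32(data) & M32, 0, data
        if pwd is not None:
            flags = 0x1   # general-purpose bit 0: entry contents are encrypted
            payload = zipcrypto_encrypt(data, pwd, (crc >> 24) & 0xFF)
        nm, offset = name.encode(), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(payload), len(data), len(nm), 0) + nm + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(payload), len(data), len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)

PASSWORD_RE = re.compile(r"password\W{0,5}(\w{3,32})", re.IGNORECASE)

def harvest_passwords(body_text):
    """Candidate passwords from the message body, the trick one AV vendor used against Bagle."""
    return [m.encode() for m in PASSWORD_RE.findall(body_text)]

def inspect_attachment(path, data, passwords=(), depth=0):
    """Recursively unpack a zip attachment; return [(path, "ok" | "quarantine: ...")]."""
    if depth > MAX_DEPTH:
        return [(path, "quarantine: archive nested too deep")]
    if data[:2] == b"MZ":              # Windows executable by content, whatever its name
        return [(path, "quarantine: Windows executable by content")]
    if data[:4] != b"PK\x03\x04":
        return [(path, "ok")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "quarantine: corrupt archive")]
    findings = []
    for info in zf.infolist():
        entry = f"{path}/{info.filename}"
        if info.file_size > MAX_ENTRY_BYTES:
            findings.append((entry, "quarantine: entry too large to unpack"))
            continue
        content = None
        if info.flag_bits & 0x1:
            # Central directory is never encrypted: name and sizes are readable, contents are not.
            for pwd in passwords:
                try:
                    with zf.open(info, pwd=pwd) as fh:
                        content = fh.read()
                    break
                except (RuntimeError, zipfile.BadZipFile):   # wrong password
                    continue
            if content is None:
                findings.append((entry, "quarantine: encrypted entry, cannot scan"))
                continue
        else:
            content = zf.read(info)
        findings.extend(inspect_attachment(entry, content, passwords, depth + 1))
    return findings

def gateway_verdict(findings):
    """Message-level decision: hold the message if any component could not be cleared."""
    return "quarantine" if any(v != "ok" for _, v in findings) else "deliver"

# Constructed samples, not real Bagle artefacts: a harmless zip, and an encrypted zip
# hiding a second zip that holds a renamed executable, with the password in the body.
BODY = "For security reasons the attached file is password protected. Password: 43795"
PLAIN_ZIP = build_zip([("report.doc", b"quarterly numbers", None)])
BAGLE_LIKE = build_zip([("photos.zip",
                         build_zip([("invoice.jpg.exe", b"MZ\x90\x00" + bytes(60), None)]),
                         b"43795")])
```

Without a password list, `inspect_attachment("attach.zip", BAGLE_LIKE)` quarantines only the encrypted entry and leaves everything else deliverable; with `harvest_passwords(BODY)` it opens the archive, recurses into the inner zip and quarantines the executable by its MZ header rather than by name. The depth and size limits matter because a gateway that unpacks recursively is itself a target for archive bombs.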
So what did we learn?
It is important to stress that the problem with infected password-protected zip files manifests only at gateway scanners. On client computers with up-to-date anti-virus protection, the worm is detected once the user supplies the password and decompresses/decrypts the zip file, a graphic example of why defense in depth on all layers of your IT infrastructure is critical.
In addition, a gateway anti-virus solution should let you set policy for content it cannot scan, for example quarantining password-protected archives (as MailMarshal does).
Lastly, this incident has once again demonstrated the lengths to which users will go to open an infected email attachment. If anyone thought a password-protected zip would limit the spread of malware, this Bagle variant proved the opposite.
Layered defense: Why it is so important
A key goal of an anti-virus strategy is to stop viruses before they enter your network. Email is now the primary attack vector for virus writers and should be the primary focus of defense. Although cost savings are achievable by using a single vendor for both the desktop/server and the email gateway, a new, as-yet-undefined virus that gets past your mail gateway will also get past your server and desktop protection, because every layer is waiting for the same pattern file.
Security experts recommend using a different anti-virus scanning engine at the email gateway for extra protection. Anti-virus vendors react to new viruses at different rates, and scans typically miss viruses 1-3 percent of the time. Having protection at each tier provides a layered defense: if the gateway vendor misses a virus or is slower in responding to a new threat, the desktop scanner will catch it, or vice versa.
Also, not all anti-virus vendors rely completely on pattern-file updates; several have developed heuristic-based detection engines. Alternatively, you can protect yourself by researching the virus and using content filtering on keywords and subject lines together with attachment filtering, enabling you to quarantine a potential virus in the early stages of an outbreak, before a signature is available.
Internet-based email (such as Yahoo and Hotmail) remains a significant backdoor for virus attacks. Fewer than 1 percent of sanctioned corporate email boxes are Internet-based accounts, though numerous IT shops tacitly allow Internet mail as a perk or a spam diverter. The Nimda worm, which among other things exploited holes in Microsoft IIS servers and then used the compromised Web sites to push itself to visiting browsers, also illustrated the potential danger of Web activity. Security vendors are now offering anti-virus scan engines for Internet gateways.
Potential new victims
Desktop/server anti-virus is the most mature defense. Vendors are introducing more advanced policy enforcement and update management. Best-practice IT shops are now enforcing strict anti-virus compliance by employees and business partners on all connecting nodes, including remote laptops and personal digital assistants (PDAs).
Tools that enforce up-to-date anti-virus compliance before allowing a connection are commonplace. Most leading anti-virus vendors offer clients for several device types, but none supports every platform (Palm, Pocket PC, RIM and Symbian, for example) or is tightly integrated into desktop management. Wireless Application Protocol devices, unified messaging and Voice over IP represent potential new victims for virus writers. The limited capabilities of these devices and services make them less interesting as targets, but they have potential as infiltration points into the network. Another potential attack vector is Instant Messaging (IM). The security industry has so far been relatively slow to address this space, and many companies have opted not to use IM at all, disabling it until they are able to protect it.
Best practice is to configure desktop and server anti-virus software to scan automatically (on access) and to use a different vendor from the one at the gateway. But watch for performance problems, particularly on servers.
Traditional scanners: Can I afford to wait for the pattern file?
Anti-virus vendors are forced into a scenario where they must invent new defenses every day. The software can predict and prevent some never-before-seen viruses. But all too often, a new virus can spread unchecked before vendors develop and distribute a new signature file that can match the virus and kill it.
You only have to remember such viruses as Slammer, which spread at an alarming rate and did considerable damage.
Recent testing by AV-Test.org found that vendors' average response times to new threats ranged from just under seven hours to more than 29 hours. Against a worm like Slammer, which did its damage in the first 10 minutes of its life, even the fastest of those responses is far too late. Slammer is also a reminder of the limits of any scanner: it spread as a single UDP packet exploiting a SQL Server hole that had been patched months earlier and never touched email or the Web, so patching and port filtering, not pattern files, were what stopped it.
An exciting emerging technology detects a new virus by observing what the suspect code does in a virtual test environment, then applies a series of heuristic tests to predict what it would do to a normal desktop machine. This technology (known as sandboxing) is improving all the time, but it is not yet a replacement for traditional methods because of the performance cost of running these tests. What works well is a combination of the two: first perform the traditional pattern-file check, and if that is negative, run a customized test based on the type of file being checked.
An example of this technology is Norman's Sandbox feature, which Virus Bulletin magazine tested in February 2005. In that test, Sandbox recognized 100 percent of the viruses tested; other leading anti-virus products did not come close. Norman is one of several third-party anti-virus solutions that Marshal supports and integrates with.
Conclusion
Your company may not feel it has a virus problem. Some corporations think they can prevent viruses by stripping all attachments from incoming email, but this is disruptive to your company's day-to-day business.
If you do find yourself coping with new viruses too often, look at the response time of your anti-virus vendor.
Marshal's Content Security solutions deliver complete email and Web security protection. MailMarshal and WebMarshal both offer comprehensive anti-virus protection and support leading anti-virus solutions. Contact Marshal to see if MailMarshal and WebMarshal support your preferred anti-virus solution.