This blog is written for system administrators/managers and security controllers to help you decide the best configuration for the AV product(s) employed by the business. We hope that it will also be a useful guide for senior management to help them to understand the complexities of decisions that have to be made when it comes to anti-virus protection, balancing system performance against security.
Areas to consider when implementing Anti-Virus
Anti-Virus (AV) is your first line of defence against malware on your system but have you considered all the options? There are a number of areas that need to be considered when implementing AV on an IT system:
- Type of Scanning to be implemented
- Number of products
- Data Formats
- Embedded layers
1. Type of Scanning
There are basically two methods of scanning, On Access and Scheduled, each with its own benefits:
On Access – Every time a file is loaded into an application or retrieved from a database it is scanned by the AV product for malware. This gives you the earliest possible warning of an infection, once the AV product has received a signature for that malware. However, it takes processing power and on some systems can seriously degrade performance. It ONLY checks the files that are requested: files that are never opened are never swept, so an unidentified malware infection may be sitting on the system waiting to happen.
Scheduled – In this case the AV product is tasked to scan a disk, database, system storage, etc. at a time determined by the business, normally outside peak working hours to avoid unnecessary disruption. However, files are only checked as often as the schedule runs, so you could be moving a malware-infected file around the business without knowing. It is important that each scan completes before the next scheduled scan is due, otherwise you may miss an infected file.
Heuristic/Signature – Both of the above support Heuristic and Signature based scanning and both capabilities should be employed. Signature based scanning will detect known viruses, while Heuristic scanning can detect unknown or “stealthy” malicious code or identify unusual code that could indicate malware.
Ascentor recommendation – Tailor your AV: use both of the above methods, with Signature and Heuristic capabilities enabled, to ensure comprehensive scanning of your data. For areas where files remain fairly static and do not move much, use SCHEDULED scanning. For areas where files are always changing or moving, use ON ACCESS scanning, but you may need to employ more processing power to alleviate performance issues.
2. Number of AV products
The recommendation within Good Practice Guide No.7 (GPG 7), available from CESG ( www.cesg.gov.uk ) or via a CLAS consultant, is that data should be scanned by at least TWO different AV products to be effective. Products should be selected with the business function in mind, as products tend to be better at scanning certain areas than others, e.g. Email, Web traffic, databases, etc.
Ascentor recommendation – Understand your business data flows and systems and choose products which, where possible, cover all areas of your business. If this means more than TWO products and it isn’t detrimental to the business function, use them. An independent comparison site is http://www.av-comparatives.org/ .
3. Data Formats
Do you know all the data formats that your business uses? Are your AV products capable of scanning them all successfully? If they are not capable of scanning the data formats what action does the product take?
- Ignores them and passes the scan – You now have a file on your system that may be infected and you have no idea!
- Deletes/quarantines the file or reports it as corrupt – If you do not know that this is the product’s response to a file format it can’t scan, you may waste time and effort attempting to resolve the issue, especially if the file is crucial to the business.
Ascentor recommendation – Know the formats that your AV products are capable of scanning and, where a format cannot be scanned, have a risk assessment conducted by a CLAS or certified Security consultant for business critical files of that type. This will enable the business to understand the risks of using that type of file format and the business impact should it contain malicious code.
4. Embedded Layers
Today large amounts of data are transferred or stored by individuals, systems and businesses. Various methods are used to reduce the size of the data, such as ZIP, TAR, etc. However, these embedded layers can be an issue for your AV products. If you receive data in these embedded formats you will need to know how many layers the AV product can scan and what happens when this number of layers is exceeded:
- Ignores them and passes the scan – You now have file(s) on your system that may be infected and you have no idea!
- Deletes/quarantines the file or reports it as corrupt – If you do not know that this is the product’s response to a file nested more deeply than it can scan, you may waste time and effort attempting to resolve the issue, especially if the file is crucial to the business.
Ascentor recommendation – Know the number of embedded layers that your AV products are capable of scanning and, if this is expected to be exceeded, then the file(s) will need to be unpacked before scanning can take place successfully.
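As an added illustration of the embedded-layers check described above (example code, not from the original article or any AV vendor): a small Python routine that measures how deeply a ZIP archive is nested and flags files that exceed the depth the AV product is known to scan, so they can be unpacked before scanning. The AV_MAX_LAYERS value and the nested sample archive are constructed assumptions; only ZIP layers are handled here, TAR and other containers would need their own walker.

```python
import io
import zipfile

# Assumed limit: the number of embedded layers the AV product is known to scan
# (check your product's documentation and substitute the real figure).
AV_MAX_LAYERS = 3
# Guard against decompression bombs while walking the archive.
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def archive_depth(data: bytes, depth: int = 0) -> int:
    """Return the deepest ZIP-in-ZIP nesting found in `data`.

    A plain file has depth 0, a ZIP holding only plain files has depth 1,
    a ZIP holding a ZIP of plain files has depth 2, and so on.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return depth
    deepest = depth + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue  # skip directories and over-size members
            deepest = max(deepest, archive_depth(zf.read(info), depth + 1))
    return deepest


def needs_prior_unpack(data: bytes, limit: int = AV_MAX_LAYERS) -> bool:
    """True when the archive nests deeper than the AV product will scan."""
    return archive_depth(data) > limit


def nest(payload: bytes, layers: int, name: str = "inner") -> bytes:
    """Constructed sample builder: wrap `payload` in `layers` ZIP archives."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"{name}{i}.zip" if i else f"{name}.txt", payload)
        payload = buf.getvalue()
    return payload


if __name__ == "__main__":
    sample = nest(b"constructed sample document", 4)
    print("nesting depth:", archive_depth(sample))
    print("unpack before AV scan:", needs_prior_unpack(sample))
```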
5. Updates
This is the most important part of your AV defence. For AV to be effective, both the scan engine and the signatures must be as up to date as possible. Getting the updates onto your system promptly is important, but can you be assured that the updates have been installed SUCCESSFULLY on your system? It is paramount that ANY update failures are reported immediately to your IT department for rectification at the earliest opportunity. This is usually done via alert messages produced by the AV product itself; however, alternative methods of informing the IT department should also be available, e.g. incident reporting.
Ascentor recommendation – Scan engine and signature updates must be as timely as possible, in accordance with a defined policy that has assessed the risks and the most cost effective solution that meets business requirements. More important still is the need for assurance that the updates have been installed correctly throughout the business.
AV is your first line of defence against malicious code. Correct configuration of the product(s) is essential to the protection of your business’s data. Correct configuration comes with knowing your data flows and understanding the risks of the most cost effective solution that meets business requirements.
Article by Nigel Griffiths, Information Assurance Consultant at Ascentor.