Virus Checkers - Configuration and Testing

Home

Pauline's Pages

Howto Articles

Uniquely NZ

Small Firms

Virus Checkers

Configuration and Testing

Introduction

This article is not about the requirement for Virus checking, which everyone now excepts, but about the need for updating, configuring and testing them to ensure that they are actually providing the protection one needs. Most virus checkers have a number of modes of operation all of which can be enabled and configured and the defaults often provide less protection than one expects. They will also have very out of date virus data files when initially installed and I do not know of any manufacturer who takes the trouble to update them if they installed them.

It is imperative that you update the virus definition files when you install a virus checker or take delivery of a machine with one preinstalled.

The main way virus checkers operate involves checking against data for all known viruses, currently over 55,000. Many new viruses are detected every week and the main damage is often done within days by the more virulent viruses which propagate through email. You are only protected against those viruses known at your last update so:

You must update the virus checker at least monthly - we update weekly.

You should update immediately if you hear of any high risk virus in the press etc.

It is worth periodically checking one of the web sites which carries a list of alerts - they are often linked to a virus checker and will give access to any immediate updates required. The McAfee AVERT site is at http://www.avertlabs.com

The update method varies from virus checker to virus checker and many will prompt one to update on a regular basis. Many also have built in commands which will connect to the Internet and lead you through the update proceedure. The downloads can be quite large if the program needs updating to handle new viruses (4.5 Mbytes), data file updates are smaller (1.5 Mbytes) but still take a significant download time so it is best to do it in an evening. I prefer to go direct to the manufacturers site and download the updates as executable files so I can update all my machines and put it on a CD to pass them round the other machines I look after. The sizes and site addresses above refer to McAfee versions 4.0.3 and 5.21 where data and the virus detection engine updates are currently free. McAfee 5 series virus checkers also include an incremental update which reduces the size considerably. In the case of the Norton Virus Checkers you are virtually forced to use their built in procedures called LiveUpdate on-line separately on every machine and are required to pay for an annual licence for each machine after a free period typically varying from 3 months for preinstalled versions to a year for packaged versions. LiveUpdate can however be set to run in the background gradually gathering updates all the time you are on-line which is very convenient.

Configuration

Having the latest virus data is essential but is only part of the story as you also have to make sure the virus checker is actually checking what you require. Virus checkers have a number of different modes of operation such as:

Boot Scan - checks for boot sector viruses when the machine is turned on.
On-Demand Scan - check selected files, directories or drives.
On-Access Scan (Auto Protect)- checks a file when it is accessed for execution, copying or renaming.
Email Scan - checks email and attachments when they are received.
Download Scan- checks files when they are downloaded over the Internet.
Floppy Scan - scans floppy disks automatically when they are mounted (inserted) or ejected for boot sector viruses.
Heuristic Scan Option - Analyse files for potential virus like behaviour in addition to checking against data files. Can generate false alarms but worth it if it is available for Email and Download scans.

The time taken for an On-Demand Scan of every file on a machine can very long, possibly several hours, so checks are by default often limited to "program files" which cover all forms of executable files including document files capable of running macros. The files are selected on the basis of their extension (letters after the . in the filename) and the list has to be periodically updated as virus writer find more weaknesses to exploit. Most virus checkers allow you to select which checks to run in each mode so you do not slow up the performance unacceptably. Some even give the ability to check within compressed files and zip archives. McAfee has a shortfall in early versions and only checks three letter extensions so full checks are required for absolute security until a patch has been applied. My suggestions for configuration and checking are:

A full check of all files which are downloaded or arrive as email attachments is prudent and will have a negligible overhead even with Heuristic Scanning enabled.
A routine (weekly) full check of the machine including compressed files should be carried out - perhaps overnight after a virus file update or shecduled for a quiet time of morning.
Floppies should always be checked when you first load them unless you have configured an automatic check.
CDs should ideally also be checked fully before you first use them.
If all the above is followed then On-Access checks can then be limited to "program files" which will avoid a big speed overhead whilst still providing valuable extra protection against anything than slips past the boundary checks.

It is unlikely that the default configuration of you virus checker will match the suggestions above. In many cases the defaults will not include the very important checking of email and downloaded files, the major risk areas. In some cases the necessary program modules may not even be installed and a new custom installation may be required. This requirement for a custom installation applies to my retail licence McAfee version 4.0.3. Norton will check emails but only the email accounts already present when it is installed ie none if preinstalled! It also failed to find my Outlook 98 email accounts. After an email account has been added or changed you have to configure Norton so it is in the list being checked. As an aside Norton checks email by intercepting the calls to the POP mailbox by changing the details visible in the account so do not be surprised to find the details have been changed - if you change them back to what you think they ought to be the checking will stop.

This all means a lot of time spent reading the help files for the particular version you have installed and configuring it - allow several hours especially if you have to uninstall it and do a new custom installation. In the case of McAfee 4.0.3 you need to make sure WebscanX is installed to enable download and email scanning. If your Virus checker has come preinstalled on a new machine it may be worth contacting their help line especially if the original CDs have not been supplied. The next section on testing will give you evidence if it is not doing what you expect or need.

The EICAR Test Virus

It is very important and reassuring to run some tests so you know that the system is correctly installed and configured to actually detect viruses. It is clearly not sensible to use a real virus but their is a test virus called EICAR which all virus checkers should detect. It is totally benign and just consists of a short string of ASCII characters which is placed by itself in a file extra spaces or returns prevent it working - the resulting test file should be only 68 characters long. You can use any filename or extension which enables one to see if a particular extension is being checked as a "program file". It is also sensible if you have an zipping tool such as Winzip to zip it into a file to check if the tests on compressed files are working. You will obviously have to find out how to temporarily disable your virus checker whilst creating the test Program Files and zipping them! In the case of McAfee a right click on the icon in the toolbar enables on to Exit the virus checker until the next reboot.

I am now up to six versions to cover most tests - eicar.txt, eicar.doc and eicar.zip, which is a Winzip archive containing eicar.doc and the challenging test is eicarzip.zip which is a zipped eicar.zip. The last two are eicar.htm and eicar.html. Files ending in .doc are document files but should always be counted as program files for virus checking as Microsoft Word document files have a powerful executable macro language and can support viruses, Word Macro Viruses are some of the most common.

Creating a file containing the EICAR test Virus

To make the test virus copy the following string via the clipboard (without any extra returns or spaces) into Notepad and save it as eicar.txt

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can highlight the text and and copy directly in most Browsers but take care as copying via the browser screen can give extra spaces or a return at the end which should not be present and need deleting. If you are impatient try saving it from notepad with a .doc extension before you disable the virus checking - it should be immediately detected.

If it does not seem to work it is worth looking at properties for the file you have created (via a right click) and making sure it is only 68 bytes long - any more and you have an extra space or return. You can then make a copy and rename it to eicar.doc and then zip eicar.doc with Winzip to create eicar.zip (zip this to get eicarzip.zip). One virus can also be transmitted from a web site as a .html file so you should also create eicar.htm and eicar .html to see if you handle 4 letter extensions correctly. You can now reboot the machine to reactivate the virus checking and start to run your tests.

The On-Access section of the Virus Checker should not allow the eicar.doc file to be moved, renamed or opened by double click and Word should not be able to open it from the file menu.
The On-Demand scan should find all the versions of the virus in the compressed and uncompressed forms when run with All Files and Compressed Files enabled.
The Email Scan should detect all the files when sent as attachments. One needs to disable the virus checker when attaching them and sending the emails.
The Download Scan should detect the eicar virus at www.pcurtis.com/eicar.txt, www.pcurtis.com/eicar.zip and www.pcurtis.com/eicarzip.zip

How to reduce your vulnerability to a brand new virus

Even when you have taken every precaution to update and configure your virus checker there is still a chance that you will be sent a new virus which your virus checker will not intercept. In almost every case though you will be safe provided you do not open the email attachment. You must be very cautious as most infected emails will come from an address you recognise because they have been infected and have your address somewhere in their address books or email. They may well have a plausible, but generic, title and text such as "Have a look at the attached file which summarises our last discussion - I will ring you shortly" or may exploit curiosity with what seems to be a picture to look at.

Even if the suspect email attachment is not a virus it may be a spam which takes you on-line to a pornographic site and worse still change your your defaults so every time you start the browser you go back there. I have had to sort that out for a small firm where it was causing considerable embarrassment to staff and customer relations. You will greatly reduce your vulnerability to a new virus if you:

Never Never open unexpected attachments. If in any doubt ring or email the sender to check.

Update Windows and your Browser to remove bugs which Viruses exploit - http://windowsupdate.microsoft.com and click Update Products.

Turn off unused facilities in Windows which increase your vulnerability, in particular, the Windows Scripting Host

Enable Heuristic Scanning (Bloodhound in Norton)if available for Email and Downloads. It can be carried out on demand on suspicious email in McAfee.

Check all files rather than just Program Files if your machine is fast enough.

You can turn off the Windows Scripting Host by Start -> Settings -> Control Panel -> Add/Remove Programs -> Windows Setup -> Accessories -> Details and uncheck the Windows Scripting Host Box then OK -> OK at which point you may be asked for the Windows CD.

Most versions of Windows have built in facilities for updating via a link on the start menu and/or on the the Internet Explorer Links Bar which will take you online and to a clever site which will check your update status and tell you what is needed - the downloads can be quite big so do it in an evening. The updates will patch some of the bugs in the Microsoft software which viruses exploit. If you do not have an update link go to http://windowsupdate.microsoft.com and click Update Products (It is faster from the body of the text rather than the link for some reason). The downloads on a typical machine are 9.5 Mbytes but half this can be saved if you install Internet Explorer Service Pack 2 from a reputable magazine cover CD (.NET always has the latest versions of all browsers) even so virus check the CD. You need to do a custom install and check the script (Java) update option which will save 4.5 Mbytes of download.

Is it all Worthwhile?

The answer is definitely yes. Our Virus Checker (McAfee Version 4.0.3) has intercepted at least half a dozen of the nastier versions of viruses in the last year. The numbers seem to be increasing and several of the viruses we received can not only delete the contents of the hard drive, after they have sent copies to everyone in the address books or in recipient and cc lists in your emails, but in some cases also erase try to erase the CMOS memory used to boot the machine rendering it junk. Only one of these would have been intercepted with the virus files initially installed and one needed virus definition files less than a fortnight old. All of the firms I help have intercepted viruses which would have infected their machines and damaged their business credibility if they had not updated to more recent virus data files than provided with their machines.