Detection
Because of the huge number of threat and security risk variations that exist, detection of new infections must be performed in many different ways. Table 2-3 lists a few of the most common methods of identification used by Symantec AntiVirus and Symantec Client Security.
Table 2-3 Detecting Security Risks and Threats

| Method of Detection | Detects This Type of Threat |
| --- | --- |
| Auto-Protect | Auto-Protect is your best defense against security risks and threats. Whenever you access, copy, save, move, or open a file, Auto-Protect scans the file to ensure that a virus has not attached itself. Auto-Protect includes SmartScan, which scans a group of file extensions that contain executable code and all .exe and .doc files. SmartScan can determine a file's type even when a virus changes the file's extension. For example, it scans .doc files even when a virus changes the file extension to one that is different from the file extensions that SmartScan has been configured to scan. |
| Memory scan | Viruses, worms, and Trojan horses copy themselves into a computer's random-access memory (RAM), where they can reside and copy themselves onto other forms of storage media or across network file shares to other vulnerable computers. |
| Boot sector scan | Boot-sector viruses hide on a medium's master boot record or within its partition tables. |
| Floppy drive scan | Removable media, such as floppy disks, CD-ROMs, and flash drives, can harbor viruses, worms, or Trojan horse programs. Before the computer is allowed to access files on removable media, the media is scanned for software threats. |
| File scan | Infected files can be identified by comparing each file present on a computer against a definitions file that contains the signatures of all known threats and security risks. |
| Archive scan | Viruses, worms, and Trojan horse programs can hide within compressed file stores such as .zip, .arj, .lzh, .rar, and .exe self-extracting archives. By scanning each compressed file within these archives, infected files can be identified in the same manner as other forms of file scanning. |
| Heuristics | Symantec's Bloodhound engine provides heuristic analysis to detect unknown threats by analyzing program structure, behavior, and other attributes. This allows newly emergent threats to be detected by observing their behavior where no signature exists. Heuristic analysis also protects against polymorphic threats, which can change their internal structure from one iteration to the next. |
Virus definitions files should be updated regularly to enable identification of newly emergent threats and security risks.
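As an added illustration of the file-scan, archive-scan, and SmartScan ideas in Table 2-3 (example code written for this page, not Symantec's engine), the scanner below classifies content by its leading bytes rather than its extension, matches SHA-256 digests against a definitions list, and recurses into ZIP archives with a member-size cap. The sample content, its digest, the threat name, and the size limit are constructed placeholders.

```python
import hashlib
import io
import zipfile

# Constructed sample definitions (SHA-256 -> threat name); the hashed content is a
# harmless placeholder standing in for entries in a real definitions file.
SAMPLE_BAD_CONTENT = b"CONSTRUCTED-SAMPLE-THREAT-BODY"
DEFINITIONS = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest(): "Constructed.Test.Sample"}

# Magic-byte prefixes: classify content by what it is, not by its extension.
MAGIC = [
    (b"MZ", "exe"),                                # DOS/PE executable header
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound document (.doc)
    (b"PK\x03\x04", "zip"),                        # ZIP local file header
]
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # do not expand oversized archive members

def sniff_type(data: bytes) -> str:
    """Classify a buffer by its leading bytes, ignoring the file name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "other"

def scan_bytes(name: str, data: bytes, definitions=DEFINITIONS) -> list:
    """Hash-match a buffer against the definitions and recurse into ZIP archives;
    returns (path, sniffed type, threat name) tuples, members as 'archive!member'."""
    findings = []
    kind = sniff_type(data)
    digest = hashlib.sha256(data).hexdigest()
    if digest in definitions:
        findings.append((name, kind, definitions[digest]))
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir() or member.file_size > MAX_MEMBER_BYTES:
                        continue  # skip directories and likely decompression bombs
                    findings.extend(scan_bytes(f"{name}!{member.filename}",
                                               zf.read(member), definitions))
        except zipfile.BadZipFile:
            pass  # corrupt or truncated archive: nothing further to inspect
    return findings

def build_sample_archive() -> bytes:
    """Construct an in-memory ZIP holding the sample content under an innocuous name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.txt", SAMPLE_BAD_CONTENT)
    return buf.getvalue()
```

A renamed file is still classified by its header, and a match inside an archive is reported with the member path so the log entry points at the real offending object.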
Responding to Detected Threats
Symantec AntiVirus and Symantec Client Security perform various types of scanning to detect known patterns identifying security risks and threats in much the same way that biological infections are detected within the human body. To follow the biological analogy, antivirus programs act to provide a computer with a form of digital immune system, one that rapidly adapts to protect against new threats.
Symantec AntiVirus and Symantec Client Security respond to files that are infected by threats or security risks with a first action and a second action. By default, when a virus is detected by Auto-Protect or during a scan, an attempt is made to clean the virus from the infected file. If the file cannot be cleaned, the second action is to log the failed cleaning attempt and move the infected file to quarantine so that the virus cannot spread, which denies you further access to the file. When a security risk is detected by Auto-Protect or during a scan, the infected file is quarantined and attempts are made to remove or repair the changes that the security risk has made on the computer. Quarantining the security risk ensures that it is no longer active on your computer and also ensures that Symantec AntiVirus or Symantec Client Security can reverse the changes, if necessary. If the first action cannot be done, the second action is to log the risk and leave it alone.
Outbreak Response
Handling threat and security risk outbreaks within the network requires planning and preparation beforehand to minimize the impact on network operations. The key to an effective response is the outbreak plan. Table 2-4 details an example outbreak plan.
Table 2-4 Example Outbreak Plan

| Task | Description |
| --- | --- |
| Maintain current definitions | Ensure that antivirus definitions are regularly updated. |
| Map network topology | Prepare a network map to ease isolation and cleaning of infected computers. This map might include: subnet boundaries and gateways; server names and IP addresses; client names and IP addresses; network protocols; key service details (such as WINS, DNS, DHCP, and catalog servers); shared resources and network file shares. |
| Document security solutions | Prepare a map of firewall, gateway, antivirus, and other security applications within the enterprise. This map might include: server-protection applications; workstation-protection applications; security appliances; update mechanisms and schedules; alternate update options if normal update methods are unavailable; logs available for outbreak tracking. |
| Perform backup and recovery | Develop a backup plan and test recovery practices regularly to ensure that backup and recovery operations function as expected, that backup media remains viable, and that staff responsible for recovery are experienced in the steps required for recovery. |
| Isolate infected computers | To protect the network from further compromise, it is important to have in place a policy for isolating infected computers from the enterprise network. |
| Identify the threat | Identification of the threat responsible for the infection is critical to removal and recovery procedures. Security and antivirus logs can provide details about the threats found. |
| Respond to the threat | Removal and recovery procedures vary among different viruses, worms, and Trojan horses. Details on known and newly emergent threats and security risks can be found at http://securityresponse.symantec.com/. |