Back to Secure your PC

PC anti-virus info

If you use a PC and exchange floppies or memory sticks with others, or download programs from the Net (or just browse the Web), or receive Word documents or executable attachments via email, then you may want to ensure the integrity of your PC by checking any such new files for viruses before using them, in particular you must have AutoRun or AutoPlay disabled.

Keeping your computer free of viruses is not the end-all of security. In particular note that Web browsers (Internet Explorer, Netscape and even Mozilla) have bugs which allow malicious code to be executed when visiting hostile Web pages: please consider turning Java and Javascript off.

Virus checking is great, but has only slight security implications. It is fun to put a name to the attack; it gives a warm and fuzzy feeling to be protected from well-known (old) attacks. It will not protect from the latest attack that is not yet in the virus database, nor will it protect from attacks specially directed at you. Virus checks do not increase your security.

In the early 90's viruses propagated mostly via shared floppies. From the turn of the century the most common propagation is via email or via Web browsing. The easiest protection then is to use a mail reader that will not blindly execute attachments (often without the need to click even!): stay away from Internet Explorer and Outlook. - Some viruses propagate via USB memory sticks: disable AutoRun to protect. - Some are embedded in hardware...

While viruses are a real threat, at times it is warnings about them that reproduce and swamp email systems. Avoid propagating hoaxes: see the CIAC, F-secure, Symantec, Vmyths and nonprofit hoax pages.

Cute (but useless for the prevention we seek here) viral and security references are:


Email should just be a message to show on screen, without any side effects. Due to bugs in common mail readers some messages may do much more than that.

It should be easy to ban Outlook and Internet Exploiter (and compel users to upgrade to Mozilla): on the mail server, bounce any outgoing messages with "Outlook" in the mail header; on the Web proxy server check HTTP_USER_AGENT and refuse service to IE clients. (Though Mozilla may also have bugs; even UNIX mail within an xterm is vulnerable to VT100 escape sequences.)

Check for viruses all incoming email on the mail server, and all Web pages on the proxy server. - Email checking should answer the question "will this do something", and more importantly "will it do so automatically without warning", and not worry about the "what will it do" question. Checkers should worry about the structure (e.g. IFRAMEs, executable attachments), not about the content: if it would auto-execute then it is bad, regardless of what exactly it would execute. (Checking executables on floppies or memory sticks or CDs is more difficult: it may not be possible to decide a priori what is malicious.) - Need protection from "recent" viruses, from the "next coming" one as well as from any personally directed attacks; protection from older viruses may not be needed (as they do not occur "in the wild" any more). Do not just look for "known bad" things as most virus checkers do, but for "suspicious" constructs and ban anything that is not verifiably "clean". Check for malicious programs, not for replicating or propagating ones: "virus checking" is a misnomer. - A virus checker is a front-end to the mail reader, to protect it from its own security bugs. Virus checkers should be tailored to the bugs in the mail reader, not to specific viruses. - Some email attachments may be executable, and the mail reader should put up fluorescent "click and be doomed" warnings. Otherwise it is buggy; if the user clicks anyway then he is.

Examples of constructs to detect and block, and pitfalls to avoid, may be found in http://www.gfi.com/emailsecuritytest/ http://www.security.nnov.ru/advisories/content.asp and http://www.securityfocus.com/archive/1/338440 http://www.securityfocus.com/archive/1/311333 http://www.securityfocus.com/archive/1/293340 http://www.securityfocus.com/archive/1/293698 http://www.securityfocus.com/archive/1/291514 http://www.securityfocus.com/archive/1/256893 http://www.securityfocus.com/archive/1/258166 http://www.corpit.ru/pipermail/avcheck/2001-August/000110.html http://www.securityfocus.com/archive/82/191718 http://www.securityfocus.com/archive/1/196445 http://www.securityfocus.com/archive/1/196965 .

Some free email virus checkers/scanners are:
   http://protector.sourceforge.net/ (or http://www.lowth.com/protector?)
   http://www.sng.ecs.soton.ac.uk/mailscanner/
   http://www.amavis.org/
   http://www.openantivirus.org/
   http://clamav.elektrapro.com/
   http://www.impsec.org/email-tools/procmail-security.html
I should check them out (but had no time yet).

I regularly check mail files on the (UNIX) server, to report suspicious constructs. I use my checkvirus Perl script, something like

  checkvirus /var/spool/mail/*
This checking should be done within the mail and Web proxy servers. Our Maths mail server already performs some simple checks (see description), and in fact those simple checks seem to stop all viruses. (Also note that you cannot have a set-and-forget solution for viruses: you need an intelligent human to maintain it.)


Most references below are obsolete, gone. Try maybe:
http://itassist.usyd.edu.au/about/policies/index.shtml
http://policy.rms.usyd.edu.au/00000bs.pdf
http://fmweb01.ucc.usyd.edu.au/FMPro?-db=POL_CategoryLink.fp5&-format=/pol/pol_cat_result.html&-lay=www&SubCatID=90&POL_Main::zc_ShowOnWeb=Yes&-SortField=POL_Main::docName&-SortOrder=ascending&-find
http://sydney.edu.au/policy/ict/emailvirusscanningapril04.htm
http://sydney.edu.au/ict/BPO/EmailVirusScanningApril04.pdf
(The above are curiously mistaken about spam:
http://sydney.edu.au/ICTRPolicy/faqs.htm#Sixteen
http://itassist.usyd.edu.au/staff/support/setup/email/spam.shtml )
See also security policy announced in "staff news" on 19 Aug 2010:
http://fmweb01.ucc.usyd.edu.au/FMPro?-db=POL_Main.fp5&-lay=www&-format=/pol/pol_summary.html&DocID=5651&-find
http://itassist.usyd.edu.au/pdfs/Information-Security-Policy.pdf

Since April 2004 the University has an email scanning policy: see http://sydney.edu.au/su/itc/itc_policies_operatingprocedures/emailvirusscanningapril04.htm referenced in http://sydney.edu.au/su/itc/itc_policies_operatingprocedures/index_policy_documents.htm. Or see the earlier draft http://www.feditp.org.usyd.edu.au/Attachments/Central_Email_Scanning_Policy.html referenced in http://www.feditp.org.usyd.edu.au/feditp/anti_virus_and_host_security_working-party/index.htm; or see my original proposal including some implementation hints, and some even older blurb.

This seems to have been implemented on 14 Jan 2003 ...
An implementation change was announced on 4 Dec 2003: see http://sydney.edu.au/is/comms/emailav/; see also Rudolph's TechTalk presentation on 26 Feb 2004.
This new implementation is significantly better (it protects against several classes of "new" attacks: I believe it would trap all in-the-wild viruses, except maybe those in ZIPs...); it is not perfect (does not yet trap a few things, though not yet seen in live viruses, we know are "bad"); but is now under competent control and may be improved as required.
See also http://helpdesk.usyd.edu.au/faqs.html#emvs.


The ITC (Information Technology Committee of the University) endorses and has a site licence for Norton anti-virus, for University owned (but not home) PCs and Macintoshes; USyd users please see http://software.auth.usyd.edu.au/data/Anti-Virus/ for details; Maths users please see the local instructions.


One well-known PC virus checker is the F-Prot program; the DOS version is free for home use. (The free DOS version seems to work fine on Windows 2000 with NTFS filesystems. The Windows version is not free, but has a 30-day evaluation feature. There is also a free personal Linux version.)

You can download the F-Prot anti-virus program directly from the F-Prot web site. You will (once) need the program itself f-prot.zip, and will need to keep up with the latest virus definitions fp-def.zip and macrdef2.zip.


Points to note about virus checkers:

(1) You must (once) check all your disks, including your hard disk(s), CDs, floppies and memory sticks. - To check your hard disk, you must cold boot from a 'clean' CD (or floppy or USB stick) and run a 'clean' copy of F-Prot from there. You can only create a clean boot floppy, e.g. with command 'FORMAT /S A:', on a clean PC (or maybe you could use a boot CD or floppy that came with your computer); can only get a clean copy of F-Prot from a clean machine. (Then open the write-protect tab on the clean floppies.)

(2) Before you use a disk that has been used in another computer (including floppies and CDs included in shrink-wrapped software, and obviously when you use a floppy or memory stick to transfer software or data to/from another computer), you must check that disk. Make sure you do the check before you attempt to boot from the disk and before you execute or copy any files from it: must have AutoRun (AutoPlay) disabled, see http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html for details. (About the only safe thing is to list the directory.)

(3) Before you execute any program (.exe or .com or many other files), or load a Word (or RTF or Excel) document, you should check them. This is particularly important for email attachments: do not click on that file before checking it!

If you follow the above points, re-scanning your hard disk is probably a waste of time; and so is enabling "real-time protection".


Paul Szabo psz@maths.usyd.edu.au 17 Dec 10