Choosing the Best Location
Like any question about a wide-spectrum problem, no one answer is right for every environment. If you have the budget to buy software for only one location, purchase desktop scanners and become an expert at automating updates. The desktop is a good location because all malicious content must be executed on a desktop to spread. No matter how rogue code enters a networked environment, the code must eventually be activated on a PC (this will change as mobile devices become more prevalent).
Just as an infected email message can't spread on an email server until someone opens the message on a PC, an infected file lying in wait on a file server can't harm anything until someone executes the file, and someone must download a malicious Java applet to the local PC before the applet can execute. Also, placing an antivirus defense anywhere other than on PCs will eventually let something slip by. Malicious mobile code can gain access to a PC too many ways, as Figure 1 shows. If properly configured and kept up-to-date, antivirus software on the desktop can effectively prevent malicious code from spreading in a networked environment. Default scanner settings work for most end users. You should apply a more aggressive scanning policy to workstations that seem to get more than their fair share of infections.
Putting antivirus software on an Internet border device, whether the device is an email server or firewall, is the next best option. In today's world of email worms, Trojan horses, and infected Web pages, placing virus-scanning protection at the border offers excellent benefits for the cost. Shutting down malicious Internet code before the code spreads is important to keep your networked systems running smoothly. In most environments, I recommend placing scanners on Internet edge devices and on desktops.
File-server protection can be costly. You'll find implementing scanning software on every new server added to the network expensive. And because most workstations connect to multiple servers, you can't avoid a certain amount of redundancy. However, if you don't want to worry about distributing antivirus updates, you should consider placing your virus protection on a file server, gateway, or router.
Deploying Virus Scanning
Before you deploy virus scanning software, you need to consider some additional concerns. For example, whether you place scanning software on a file server or desktop, you must still decide when and under what circumstances to scan files. Unsurprisingly, when and why you scan often has performance implications. Possible scanning approaches include
- realtime scans for any file touched for any reason
- scheduled scans
- on-demand scans
- new-file scans
Realtime scans. Most scanners let you scan files touched for any reason, including new incoming files, outgoing files, and all files that have been copied, opened, or moved. Although this option is the safest, scanning all such files can cause significant performance degradation. I've seen workstations operate three times as slowly when users enable this level of virus-scanning functionality. Scanning the same application program files every time a program runs gives little benefit and significantly decreases performance.
Scheduled scans. Because of decreased performance, some administrators choose to schedule full file scans at preset intervals (e.g., every Monday morning). Such a schedule can work if your end users don't mind. However, many users resent having to wait 30 minutes while their PCs are scanned before they can access their computers. If you're going to schedule full file scans, run the scans at other than peak-use times. (If your PCs are left on at all times as a matter of policy, schedule scanning for a low-use time, such as 3:00 a.m.)
On-demand scans. Other administrators go in the opposite direction and disable all scanning, letting users determine when scans should be initiated, an approach that's called on-demand scanning. Workstations with on-demand scanning are scanned rarely, which offers little to no protection at all. Relying on either scheduled scanning or on-demand scanning clearly lets new infections take place between scans; neither approach is an optimal solution.
New-file scans. In my experience, scanning incoming files with predefined file extensions or all incoming files offers the best benefit for the cost. If your system was clean before you installed the virus scanner, you need to scan only new files anyway.
Many organizations use a hybrid approach. Email servers are set to scan all emails, coming or going. Likewise, scanning firewalls are set to scan any packets headed into or out of the network. File servers are set to scan all incoming files with predefined extensions and to run prescheduled full file scans during off-peak hours. User workstations are set with realtime protection for predefined file types. The hybrid approach falters when an attacker introduces a new file type (e.g., .shs files). When a new file type appears, you need to be able to add new file extensions to default scans. Nevertheless, the hybrid approach offers the best overall antivirus coverage with the least performance impact on the network.
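The four triggering approaches above, and the weak spot of extension-based selection that the .shs case illustrates, can be made concrete with a small policy model. The following Python is an added example written for this page, not code from the article or from any scanner product. It models a realtime policy (scan every access), a new-file policy (scan only new or changed files whose extension is on a predefined list), and a content-aware variant that also checks a file's leading bytes so that a known executable or container format arriving under an unlisted extension is still scanned. The extension list, the event names, and the sample file events are constructed for the example; the magic-byte prefixes are the real ones for the formats named.

```python
import os

# Constructed list of "predefined file types" for extension-triggered scanning.
# Assumption for this example; a real deployment maintains a much longer list.
SCAN_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".vbs", ".js", ".doc", ".xls", ".zip"}

# Leading bytes of a few well-known formats, so a renamed file is still recognised.
MAGIC_PREFIXES = {
    b"MZ": "dos/windows executable",
    b"\x7fELF": "elf executable",
    b"PK\x03\x04": "zip container",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 compound document",
}

# Events a new-file policy reacts to; the realtime policy reacts to everything.
NEW_FILE_EVENTS = {"create", "write", "download"}


def extension_matches(path):
    """True when the file's extension is on the predefined scan list."""
    return os.path.splitext(path)[1].lower() in SCAN_EXTENSIONS


def sniff_format(header):
    """Identify a file by its first bytes, independent of its name."""
    for prefix, description in MAGIC_PREFIXES.items():
        if header.startswith(prefix):
            return description
    return None


def should_scan(path, header, event, policy):
    """Return (scan?, reason) for one file event under the given policy.

    policy:
      "realtime"      - every access to every file is scanned
      "new-file"      - only new/changed files are scanned, chosen by extension
      "content-aware" - like new-file, but a recognised executable/container
                        header also triggers a scan when the extension is unlisted
    """
    if policy == "realtime":
        return True, "realtime: all file events scanned"
    if event not in NEW_FILE_EVENTS:
        return False, f"{policy}: '{event}' is not a new-file event"
    if extension_matches(path):
        return True, f"{policy}: extension on scan list"
    if policy == "content-aware":
        fmt = sniff_format(header)
        if fmt:
            return True, f"content-aware: extension unlisted but content is {fmt}"
    return False, f"{policy}: extension not on scan list"


def evaluate_policies(events):
    """Run the same events through each policy and return
    {policy: [(path, scanned?), ...]} so the coverage gap is visible side by side."""
    results = {}
    for policy in ("realtime", "new-file", "content-aware"):
        results[policy] = [
            (path, should_scan(path, header, event, policy)[0])
            for path, header, event in events
        ]
    return results


# Constructed sample events: (path, first bytes, event type). The "scrap.shs"
# entry mirrors the article's new-file-type problem: an OLE container arriving
# under an extension that is not yet on the scan list.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_EVENTS = [
    ("setup.exe", b"MZ\x90\x00\x03\x00", "download"),
    ("report.doc", OLE_HEADER, "write"),
    ("notes.txt", b"Meeting at 10", "write"),
    ("scrap.shs", OLE_HEADER, "download"),
    ("setup.exe", b"MZ\x90\x00\x03\x00", "open"),
]

if __name__ == "__main__":
    for policy, decisions in evaluate_policies(SAMPLE_EVENTS).items():
        print(f"{policy:14s}", decisions)
```

Running the block shows the trade-off the article describes: the realtime policy scans all five events, including the repeated open of setup.exe that gives little benefit; the new-file policy skips that re-open but also misses scrap.shs until ".shs" is added to the list; the content-aware variant closes that particular gap without falling back to scanning every access.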
Virus Scanning: One Tool
No successful malicious code defense plan relies on antivirus software alone. Scanners don't catch everything, and eventually a virus will get by. Make sure you use adjunct tools such as firewalls, Intrusion Detection Systems (IDSs), and mandated security policies. In addition, have a good recovery plan ready for when you face a successful attack. (For information about recovering from an email intrusion, see "Putting Down an Email Attack," February 2002, InstantDoc ID 23656.)