Manfred Kuechler
Hunter College
First posted and announced on hunter-l: Sep 30, 1999
Last update: January 28, 2002
How to protect your office/home station against viruses, trojan horses, etc.
Preface:
Some changes have occurred under the new ICIT director (Anand Padmanabhan),
who came aboard in mid-June 2000. There is now a software web page at ICIT
from which anti-virus updates can be downloaded locally, and in October 2001
ICIT started server-side anti-virus scanning -- though the initial configuration
turned out to be seriously lacking. While server-side scanning adds another
line of defense (when properly configured), it is not wise to rely on it alone.
So, in some ways, faculty and staff are still pretty much on their
own. There are even (credible) reports that ICIT staff still does not necessarily
install the anti-virus software properly (omitting crucial defense against
viruses arriving via e-mail attachments) and I have seen an ICIT computer
with an inadequate installation as recently as September 2001.
This document describes what every individual faculty should do
to protect his/her station from viruses and other potentially dangerous
intruders (like "Back Orifice" -- a trojan horse by which an outsider can
take full control of your computer, steal files, destroy files, or just
play some harmless tricks).
The following applies to stations running under Win95, Win98, or Win Me
(sorry, my dear Mac colleagues, I just don't know enough about Macs to
cover them as well).
Two software versions: corporate vs. retail
As Hunter has a corporate site license, the corporate version of the software
should be installed on your office station. However, this may not be the
case. For some strange reason, OICIT User Services opted to install the
retail version on at least a portion (but maybe all) of the new stations
rolled out over the summer of 1999. By and large, the two versions offer
the same kind of protection and the core program is the same. However,
the corporate version makes it very easy to have your anti-virus software
updated automatically -- so you don't have to think about it.
Check what is installed on your station
If the software is installed on your station, you should see two related
icons in your tray on the task bar (usually in the lower right corner of
your screen): a blue shield with a superimposed "V" and what looks like
a magnifying glass with a small red-framed clock on top of it. If you move
your mouse over these icons, you should see a little box with a yellow
background popping up displaying "McAfee VShield" and "McAfee Virus Scan
Scheduler" (in version 4.5.1 now called the "VirusScan Console"). If
you right-click on the latter (the scheduler/console) and select "restore",
you will see a number of entries. If two of them refer to "updating" (the
dat files) and "upgrading" (the scan engine), you have the corporate
version. If these two items are missing, you have the retail version.
Still in the scheduler window, click on "help"/"about". This will tell
you what version of the software you have. As of January 2002, you should
have "McAfee VirusScan 4.5.1 SP1" (and scan engine 4.1.60). Due to a glitch
in the software, the scan engine version may be shown as "4.1.40" even if
you have "4.1.60". The virus definitions (also referred to as .dat files)
change weekly; as of today (January 28), the current version is
4.0.4183 (released 1/24/2002).
If you have someone else updating your station (like
someone from ICIT user services), make sure to check what they have installed
when they are finished:
- the scan engine should be 4.1.60 (4.1.70 will be released shortly)
- the creation date for the virus definitions file (.dat file) should not
be more than one week in the past, but in case of current virus attacks
labeled as "high risk" (by a consortium of virus software vendors and
other parties) additional dat files may have been released
- all relevant modules are installed and active (details below)
To check whether you have all modules installed, right-click on the VShield
icon and select "(quick) enable". Then check whether you see 4 entries
with the names of these modules and check marks at least next to "system
scan" and either "download scan" (Eudora/Netscape users) or "E-mail scan"
(MS Outlook users).
In version 4.5.1, using the "typical" installation all important modules
(E-Mail/Download Scan, and Internet Filter) get installed. The Download
scan also covers the download of e-mail attachments (e.g., via Eudora or
Netscape Messenger) -- an absolutely crucial area. In the past, you
had to do a "custom installation" and explicitly select these modules.
Luckily, the default/typical settings are now much more appropriate.
What to do if the (engine) software is installed incompletely or the version
is obsolete
Download the installation zip files from the
ICIT download site and reinstall the software. The actual download
links are ftp-URLs, they work only from within Hunter (using an IP address
starting with 146.95.x.x); the Hunter proxy server won't help either (as
it does not cover ftp URLs, only http URLs). The Hunter site license does
not include your home station, therefore access to these files from home
is more difficult (but not impossible). Currently, you want to install
the following:
- McAfee 4.5.1 (PC),
- McAfee 4.5.1 -- service pack 1 (released 11/26/2001)
- the current sdat41xx.exe file
These need to be installed in succession. The first two downloads are
zip files, so you need some unzipping software to proceed (like WinZip).
Extract the zip files (one at a time) into an empty folder and open the
"readme.txt" file for further instructions. Depending on how old your
current version is, it may not be necessary to uninstall it yourself;
the installer does this automatically. If you choose, any previous
settings will be saved and reapplied. However, one advantage of installing
the complete recent version (4.5.1 SP1) -- rather than just upgrading the
"engine" and updating the "dat" files -- is that there are new default
settings available which you may want to use. Configuring anti-virus software
always involves making a compromise between security and performance. Version
4.5.1 now offers an option to scan "default files" (rather than "all files",
which can affect performance, or a selected set of "user-defined" file types,
which may compromise security); the definition of "default" is dynamic and
included in the weekly dat file. So, selecting "default" gives you a flexible
configuration which may change over time and which represents the best
current judgment of the anti-virus experts.
The third step is to install the current update file. In order to avoid
the glitch (that the engine version is not displayed correctly), use the
current "superdat" rather than the regular "dat" file and install it from
a command line with the /f option. E.g., go to "Start"/"Run" and enter
the full path for the location of the downloaded superdat file like:
c:\downloads\sdat4183.exe /f
If you don't want to install the complete version 4.5.1, you can upgrade
to the recent "engine" version by downloading and installing just the current
"superdat" file. These files combine the latest dat file with the latest
engine file and are available at the McAfee ftp download site. Look for a
file named "sdat41xx.zip"; "xx" should correspond to the latest dat file
(as of 1/28/2002, this would be "sdat4183.exe"). Updating the "engine" from
time to time is important as well. Otherwise certain types of files, like
files in "compressed" formats or .pdf files with "embedded objects", cannot
be scanned properly.
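The checks listed earlier (engine version, age of the dat file, which VShield modules are active) and the sdatNNNN naming of the superdat files can be put into a small script, so that the same test is applied every time someone has touched the station. The following Python script is an added example written for this page; it is not part of McAfee's software or of any ICIT tooling. The module names, the date strings, the mail-client labels and the directory listing it is fed are assumptions constructed for illustration.

```python
import re
from datetime import datetime

REQUIRED_ENGINE = (4, 1, 60)   # engine version the page calls current (January 2002)
MAX_DAT_AGE_DAYS = 7           # regular dat files are released weekly


def parse_version(text):
    """'4.1.60' -> (4, 1, 60). Tuples compare numerically, so 4.1.100 ranks
    above 4.1.60; a plain string comparison would get that wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def latest_superdat(filenames):
    """Pick the highest-numbered sdatNNNN file from a directory listing.
    The number tracks the dat version (sdat4183 carries dat 4.0.4183)."""
    best = None
    for name in filenames:
        match = re.match(r"sdat(\d{4,})\.(?:exe|zip)$", name.lower())
        if match:
            number = int(match.group(1))
            if best is None or number > best[0]:
                best = (number, name)
    return best[1] if best else None


def check_station(engine, dat_version, dat_released, today, modules, mail_client):
    """Return a list of problems; an empty list means the station passes.

    engine:       scan engine version as shown under help/about, e.g. "4.1.60"
                  (the page notes the display may lag one release behind)
    dat_released: release date of the installed dat file, "YYYY-MM-DD"
    today:        date of the check, "YYYY-MM-DD"
    modules:      VShield module name -> True if it shows a check mark
                  (assumed labels: "System Scan", "E-mail Scan", "Download Scan")
    mail_client:  "Eudora", "Netscape" or "Outlook" (assumed labels)
    """
    problems = []
    if parse_version(engine) < REQUIRED_ENGINE:
        wanted = ".".join(str(n) for n in REQUIRED_ENGINE)
        problems.append("engine %s is older than %s" % (engine, wanted))

    fmt = "%Y-%m-%d"
    age = (datetime.strptime(today, fmt) - datetime.strptime(dat_released, fmt)).days
    if age > MAX_DAT_AGE_DAYS:
        problems.append("dat %s is %d days old" % (dat_version, age))

    if not modules.get("System Scan"):
        problems.append("System Scan is not active")

    # Outlook attachments are caught by E-mail Scan; POP clients such as
    # Eudora or Netscape Messenger rely on Download Scan instead.
    needed = "E-mail Scan" if mail_client == "Outlook" else "Download Scan"
    if not modules.get(needed):
        problems.append("%s is not active, so %s attachments are not screened"
                        % (needed, mail_client))
    return problems


if __name__ == "__main__":
    # Constructed sample: a directory listing and a station checked on
    # 28 Jan 2002 with the page's current engine and dat versions.
    listing = ["readme.txt", "sdat4176.exe", "sdat4183.exe"]
    print("install", latest_superdat(listing))
    modules = {"System Scan": True, "E-mail Scan": False,
               "Download Scan": True, "Internet Filter": True}
    findings = check_station("4.1.60", "4.0.4183", "2002-01-24", "2002-01-28",
                             modules, "Eudora")
    for line in findings or ["station passes"]:
        print(line)
```

The version comparison is done on integer tuples on purpose: the engine numbers in this document (4.1.40, 4.1.60, 4.1.70) happen to sort correctly as strings, but a three-digit final component would not.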
Note that the retail version is numbered differently. The current retail
version is 5.2.1. So don't get confused, if you read reviews in computer
magazines or on computer related websites like CNET.
How to keep the anti-virus installation current
Fortunately, engines do not change that frequently. So, after you have
installed the current version you may be done for a year or so -- though
some minor upgrades may become available. However, as mentioned before,
as new viruses, etc. emerge every day, the virus definition files need
to be updated diligently. Not long ago, there was a new set of .dat files
every month; now it is every week plus ad hoc patches in emergencies
like "Melissa" (March 1999), the "I Love You" attack in early May 2000, or
more recently "Nimda" (September 2001). In general, note that there is
typically a time lag of about 1-2 weeks before defenses against newly
discovered viruses, worms, etc. are incorporated into the regular ".dat
files". In general, however, it will be sufficient to make sure that you
get these weekly updates installed. Still, it is quite a nuisance to keep
it current -- unless you have the corporate version installed.
If you have the corporate version, you can simply program the
scheduler (now: console) to check for an update every week. If you have
version 4.5 installed, you have two options:
- Download from a local ICIT site. ICIT has made a nice set of instructions
(as ICIT tends to change URLs without warning, be prepared to play with the
just modified URL, if they do this again) including screen shots available
to help you with this task. The scheduler will download and install a new
set of .dat files. All you have to do is restart Windows so that the update
can take full effect.
- Download from a McAfee site. For this you only need to follow the part
of the ICIT instructions describing how to select the day and time for
the update and leave the rest of the configuration unchanged. Version 4.5.x
will only download "incremental" dat files (which reflect the changes from
one week to the next), so download time is not the big issue it used to be.
After an update, you may or may not have to reboot your station. The update
program will tell you whether a reboot is necessary. But always check your
"task bar tray" for the VShield icon, right-click on it and select "about"
to see whether the new version is listed. If not, a reboot is necessary.
Also, double check your anti-virus setup by performing the check described
above. At times, an update via scheduler/console may fail. Typically, this
happens when your computer has been running for a long time. In this case,
reboot your computer and do the update as the first thing after connecting
to the Internet. You can update at any time by right-clicking on the "Update"
entry in the scheduler/console and selecting "Start".
Home use, alternative software, and additional "safe computing practices"
As to your home computer, chances are that recently bought computers come
with some anti-virus software already installed. If the pre-installed product
is McAfee, just follow the update and maintenance suggestions above. If
you have another product (e.g., Symantec's Norton, or Computer Associates'
e-trust EZAntivirus) go to the vendor site and check out what you should do
to keep this software current. The free product from Computer Associates
(InoculateIT) is no longer available, though CAI continues support for
registered users.
In addition to keeping some anti-virus software up-to-date (and it really
does not matter all that much whether you use McAfee, Norton, InoculateIT,
or something else), there are several measures that you can take to block
commonly used "attack paths" (even before a specific virus or worm variant
emerges). These include a more cautious handling of certain file types
(like ".vbs" and ".doc" files); some of these are mentioned on my e-mail
advice page and some are described in postings to hunter-l. Visit the web
archive for this list to locate previous and future messages dealing with
anti-virus protection.
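One of those attack paths is the attachment name itself. Windows chooses the program that opens a file from its last extension, and with Explorer's default "hide extensions for known file types" setting a name like photo.jpg.vbs is displayed as photo.jpg; the "I Love You" worm of May 2000 used exactly this trick with the attachment name LOVE-LETTER-FOR-YOU.TXT.vbs. The following Python function is an added example (not taken from this page, from McAfee or from any mail program) of a pre-screen that can be run over attachment names before anything is opened. The extension lists and the sample names are assumptions constructed for illustration, and a name check is a complement to the virus scanner, not a replacement for it.

```python
import re

# Extensions Windows 9x runs directly or hands to the Windows Scripting Host.
# Assumed list for illustration; extend it to match your environment.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsh", "wsf", "hta", "shs", "shb", "reg", "lnk", "chm",
}
# Office formats that can carry macros or embedded objects: open them with
# macro execution disabled, never straight from the mailer.
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "xla", "ppt", "pps", "pot", "rtf"}


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment name.

    verdict is "block", "caution" or "allow". Only the *last* extension
    matters: that is what Windows uses to choose the program that opens the
    file, however many other dots the name contains.
    """
    name = filename.rstrip()                 # trailing blanks mean nothing to Windows
    pieces = name.lower().split(".")
    exts = [p.strip() for p in pieces[1:]]   # "photo.jpg   .vbs" -> ["jpg", "vbs"]
    if not exts or not exts[-1]:
        return ("caution", "no usable file extension; check the content first")
    last = exts[-1]

    if last in EXECUTABLE_EXTS:
        reason = "executable type ." + last
        if len(exts) > 1:
            # With Explorer's default "hide extensions for known file types",
            # photo.jpg.vbs is displayed as photo.jpg.
            reason += " disguised as ." + exts[-2]
        if re.search(r"\s{3,}\.[^.\s]+$", name):
            reason += "; whitespace padding pushes the real extension out of view"
        return ("block", reason)
    if last in MACRO_EXTS:
        return ("caution", "Office document that can carry macros or embedded objects")
    return ("allow", "." + last + " is not a type Windows will execute")


if __name__ == "__main__":
    # Constructed sample names, plus the attachment name used by the
    # "I Love You" worm of May 2000.
    samples = ["agenda.txt", "budget.xls", "setup.exe",
               "LOVE-LETTER-FOR-YOU.TXT.vbs", "photo.jpg        .pif", "README"]
    for sample in samples:
        verdict, reason = classify_attachment(sample)
        print("%-32r %s: %s" % (sample, verdict, reason))
```

Note that the check looks at the name only; a file called notes.txt can still hold a macro document that Word will happily open, which is why the "default files" scan setting discussed above should stay in force.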
More advice on configuring your McAfee anti-virus software
It is possible to have your anti-virus software protect you from viruses
and worms in e-mail attachments even if the additional modules (e-mail
or download scan) are not activated. However, this requires that you use
very conservative settings for the regular "system scan" (basically
screening all files on any action). This, in turn, will negatively affect
the speed of performing any task on your computer (more noticeable on
slower stations with less memory [e.g., P75 with 16MB] than on faster
stations with plenty of memory [e.g., P400 with 96MB]), so I do not
recommend this approach.
The difference between the two protection modes is that with "e-mail"/"download"
scan attachments are screened as they are received (downloaded) and a warning
is issued (via a pop-up screen) if an attachment contains a virus/worm.
You can then delete such an attachment before the message even shows up
in the inbox of your mail program. Otherwise the message including a link
to the attachment is written to the inbox. When you open the message you
see the link to the attachment (at least this is how it works in Eudora).
If you click on the attachment (which may have a phony file extension)
and you have very conservative system settings in place, the anti-virus
software will issue a warning at this point. In other words: the alert
is delayed from the point of accessing the mail via your POP client (mail
program) to the point of where you open a specific message.
As a quick fix (if you do not have the time or inclination to reinstall
the anti-virus software), you may want to switch to conservative settings
for the regular system scan. Right-click on the V-shield icon (in system
tray, lower right corner), "status", "system scan" tab, "properties" button.
If you are using version 4.5.x you will see the following windows: version
4.5 on the left, version 4.5.1 on the right (may look slightly different
in earlier versions):

Make sure that all boxes in the "scan files on .." section are checked.
To be really conservative, select "all files" in the "what to scan" section.
At the very least, make sure that the "program files" list includes many
files you would not ordinarily think of as "program files" -- including
Powerpoint presentations, MS Word documents, files in rtf format, and many
more. Click the "Extensions" button to check:
The default list that you get with a new installation of the anti-virus
software is fairly extensive, but if you still run an older version of
Viruscan (e.g., version 4.0.3) some important extensions may be missing.
If you are unsure, simply select "all files" in the first place and don't
worry about the list of "program file extensions". In version 4.5.1 you
see the setting of "Default files" (discussed above). What used to be labeled
"Program files only" is now -- much more appropriately -- called "User
specified files".
As an extra precaution, you can also enable "heuristic scanning". To
do so, click on the "Advanced" button in the "system scan properties" windows
(shown above):
Heuristic scanning is an attempt to anticipate what the bad guys may
come up with next. It does not scan for already known viruses and worms,
rather it scans for suspicious indications -- a kind of "virus profiling"
if you will. As with all profiling, you are likely to get quite a few false
positives and scanning takes even more time and resources. Personally,
I think this is a bit of overkill, but everyone needs to decide for him/herself
how much risk he/she is willing to take.
Note for Eudora users
As many viruses/worms come in attachments to e-mail messages, it is a good
idea to restrict the size of messages which get downloaded automatically.
This adds extra protection against opening an attachment too quickly (and
letting a virus slip in). This measure is particularly useful in view of
newly discovered viruses/worms which are not detected by even current
anti-virus software. The following screen shot shows you how to set this
option in Eudora (after going to "Tools"/"Options"):
Any message over 40KB (including attachment) will stay on the server,
only a small part is downloaded to your computer. You must then decide
whether you want to download the whole message (including attachment) or
delete the message right on the server by clicking one of two icons just
above the message display, the trash can (above the number "207" in the
message) or the one next to it on the right (above the number "221"). What
exactly you see of such a message depends on a number of things. The example
below looks innocent enough, but at least you have to go an extra step.