S 2.157 Selection of a suitable virus protection program

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT

Various requirements must be considered when selecting a virus protection program. The following text uses the term "virus protection program", but the term applies to a program used to find any kind of malware.

Technical requirements

The protection program selected should offer basic protection against malware (computer viruses, worms, backdoors, Trojan horses, spyware, and other malware). The most commonly used virus protection programs detect more than 95% of all viruses currently in circulation. Corresponding articles in technical magazines can also help in the selection of an appropriate protection program. Such articles often contain descriptions of other properties of the programs (the speed and ease-of-use, for example).

The program must be able to scan the file systems used in the organisation as well as external data media and other mobile terminal devices, i.e. it should offer the most comprehensive interoperability possible.

The security concept against malware specifies which IT systems need to be equipped with a virus protection program. The product selected must be suitable for use on these IT systems.

The program should have a user interface in the working language of the organisation, at least for the clients.

Depending on the organisation's system landscape, it may not be possible under some circumstances to reach these goals by selecting a single virus protection program, making it necessary to purchase and use several different products.

It does not make sense to operate several virus protection programs from different providers on the same IT system at the same time since they usually hinder each other. This can lead to undesirable side-effects.

Operating modes

The virus protection programs for the clients must have both a resident operating mode (on-access) as well as an operating mode permitting scanning to be run manually (on-demand). Manual scans can be used to check individual data media and currently unused files for malware.

File formats to be scanned

All file types used must be scanned. A program that can only scan executable file formats is inadequate.

Integrity test

Virus protection programs for clients should contain an integrity mechanism that can be used to monitor the critical processes and analyse their operations. Examples of critical processes include system processes or programs that establish connections to the Internet. It should also be checked which sub-processes are started by these processes.

Self-test

The virus protection program must be able to monitor its integrity during installation, start-up and the subsequent operation of the program. The program must check its own integrity before executing any scanning functions. In order to overcome the camouflage mechanisms used by malware, the virus scanner program must also check the system memory for known resident malware before it starts scanning any files.

Signature detection

Virus protection programs use various methods for detecting malware. The most well-known and most important method is called "signature detection", which detects typical code sequences (signatures) of known malware. The manufacturers monitor the current malware situation and generate signatures from typical lines of code as quickly as possible when new malware is in circulation.

A disadvantage of the signature detection method is that a new malicious software program cannot be detected, once it appears, until an appropriate signature is made available. For this reason, any malware that manages to remain unknown will never be discovered using the signature detection method.

In spite of this inherent weakness, the signature detection method should be supported by every virus protection program selected.

Heuristic scans

To cover the time until the corresponding signatures are available for a new piece of malware, the virus scanning programs should also provide additional mechanisms for detecting unknown malware. Some virus scanners can detect new, previously unknown malware when operated in the "heuristic scan" operating mode. In a heuristic scan, the files scanned are checked for suspicious sequences of commands, for example a group of commands that redirect interrupts, write directly to sector 1 of a data medium (the boot sector), and other such commands.

With the help of heuristic scans, it is even possible for the virus scanner to detect customised malware with a certain level of probability. This virus scanner operating mode requires the user to be more knowledgeable, though, because false alarms are possible and the messages output need to be interpreted correctly.

Detecting malware in compressed files

The virus protection program should also be able to find malware in compressed files, and all common compression methods and archive formats should be supported by the program. Malware in nested archive files should also be detected by the program.
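The following added example (not part of the original safeguard text) shows why nested archives must be unpacked before signature matching, and why anything the scanner could not open has to be reported rather than treated as clean. It is narrowed to ZIP archives; the signature database, the limits `MAX_DEPTH` and `MAX_MEMBER_BYTES`, and the helper names are assumptions, and the only signature is the harmless EICAR test string.

```python
import io
import zipfile

# EICAR anti-malware test string: a harmless, standard test pattern.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
SIGNATURES = {"EICAR-Test-File": EICAR}   # name -> byte sequence (constructed)
MAX_DEPTH = 5                 # assumed limit on archive nesting
MAX_MEMBER_BYTES = 10 << 20   # assumed limit on declared member size


def scan_bytes(data, path, depth=0):
    """Return (path, verdict) findings for data and any ZIPs nested in it."""
    findings = [(path, name) for name, sig in SIGNATURES.items() if sig in data]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        # Content that was not scanned is reported, never passed as clean.
        return findings + [(path, "UNSCANNED: nesting too deep")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}!/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # bit 0: member is encrypted
                findings.append((member, "UNSCANNED: encrypted member"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "UNSCANNED: member too large"))
            else:
                findings += scan_bytes(zf.read(info), member, depth + 1)
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_zip({"invoice.txt": EICAR})
    outer = make_zip({"readme.txt": b"hello", "docs/inner.zip": inner})
    for path, verdict in scan_bytes(outer, "mail-attachment.zip"):
        print(path, "->", verdict)
```

Because the test string is stored compressed, a byte match on the outer archive alone finds nothing; the detection comes from the innermost member after two levels of unpacking.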

Removal of malware

It is desirable for the program to offer functionality that allows all malware detected to be removed without causing any further damage to the programs or data. Whether or not this is possible, though, depends on the particular type of malware found. For example, it is possible that user data has already been destroyed or that the malware program runs in a secure area that cannot be accessed by the virus protection program.

Monitoring active content

If the execution of active content (e.g. VBScript, JavaScript, ActiveX Controls, or Java Applets) is permitted on the systems used, then the virus protection program must also be able to scan such content for malware.

Interface to the e-mail client

The virus protection programs used on the clients should provide an interface for the e-mail client software used so that the e-mail client can integrate the protection program and call it to check for malware in e-mails.

Additional information

The virus protection program should display to administrators and security specialists a link to a web site containing additional information (e.g. the web site of the manufacturer) for each piece of malicious software found. Ideally, it will be possible to call up this information using a management system. The following information on the corresponding malicious program should be available at a minimum on the web site: the name of the piece of malware, a description of its operating principle, its methods of distribution, possible immediate measures in case of infection, and measures for removal of the malicious program.

Updating the virus protection program

The manufacturer of the virus protection program must offer regular updates of the malware signatures as well as of the scanning engine on the Internet. It should be possible to configure the interval between updates, and this interval should be set as short as possible. The signatures must be updated to the newest versions available at least once per day.

If outdated signatures (more than 1 day old) are used or the virus protection program has not been updated recently, then the program must issue a corresponding warning.

If there is a concrete threat, then it must be possible to initiate an immediate update to obtain the latest signatures and patches available.

If signatures are distributed over connections whose transmission capacities are limited, then it is important to be able to update the signatures incrementally. Operations should not be impaired any more than necessary by the signature distribution process.

The product must provide functions for examining the integrity and authenticity of the updates and malware signatures downloaded for the virus protection program. State-of-the-art mechanisms must be available to prevent corrupted or manipulated data from being installed in the virus protection program.
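As an added illustration (not part of the original safeguard text and not any vendor's actual update protocol), the checks described above can be combined into one gate: authenticity of the update manifest, integrity of the downloaded payload, and the warning for signatures more than 1 day old. The manifest layout and function names are assumptions, and an HMAC with a shared key stands in for the manufacturer's digital signature so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE = timedelta(days=1)   # threshold from the text: 1 day


def sign_manifest(manifest, key):
    """Vendor side (constructed): MAC over the canonical manifest JSON."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_update(payload, manifest, tag, key, now):
    """Return (install_ok, warnings) for a downloaded signature update."""
    # Authenticity: the manifest must carry a valid tag from the vendor key.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, ["manifest authenticity check failed"]
    # Integrity: the payload must match the digest the manifest commits to.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, ["payload digest mismatch (corrupted or manipulated)"]
    warnings = []
    age = now - datetime.fromisoformat(manifest["released"])
    if age > MAX_SIGNATURE_AGE:
        warnings.append(f"signatures are {age} old (limit 1 day)")
    return True, warnings


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample values
    payload = b"signature database, build 42"
    manifest = {"version": 42,
                "sha256": hashlib.sha256(payload).hexdigest(),
                "released": "2024-05-01T06:00:00+00:00"}
    tag = sign_manifest(manifest, key)
    now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
    print(check_update(payload, manifest, tag, key, now))
    print(check_update(payload + b"!", manifest, tag, key, now))
```

The staleness check runs only after both verifications succeed, so a manipulated release date cannot suppress the warning.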

Operation in networks

When used in computer networks, the virus protection program should allow central administration and updating of the program (including central updating of the malware signatures).

If there is no general software deployment solution available, then a product offering automatic updates of the base program (the engine) should be selected.

The virus protection program should have a central management interface that can be used to determine the current status of the existing IT systems. In this way, it must be possible to detect defective installations, outdated engines, outdated signatures, and IT systems infected with malware on the central management interface. It should be possible to access infected files on the IT systems from a central location.

The program must have an option that prohibits users from specifying custom client configurations.

Reporting system

Any malware found must be displayed on the system together with the name of the piece of malware and a specification of the full path to the corresponding file.

A particularly desirable feature when operated over a network is an option for configuring an automatic e-mail message that will be sent whenever any malware is found.

Logging function

The virus protection program should have a logging function that records the following data at a minimum:

Formal requirements

Formal requirements also play a role in addition to the technical and functional requirements. To ensure reliable planning, the contract made with the manufacturer of the software should be closely examined to determine for how long program updates and malware signature updates will be supplied. The availability of support is also important. If a support contract is signed, then it must be clarified who can be contacted, when these people can be contacted, how to contact them, if the organisation will be charged for this support, and if so, at what cost.

Review questions: