S 2.159 Updating the virus protection programs and signatures

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT

On IT systems equipped with virus protection programs, it is necessary to regularly update the virus protection programs themselves (their engines) as well as the malware signatures in order to detect new malware as quickly and reliably as possible.

The interval between updates should be kept as short as possible. The frequency with which quality-assured signature updates are made available must conform to the current state of the art, and the signatures should be updated daily. When a specific threat is discovered (according to a corresponding virus warning from the BSI, for example), the update should be initiated immediately to install the most recent signatures and patches.

When updating the virus protection programs and signatures, it is especially important to ensure the computers that are not assigned to a single user or are not connected to a network are updated as well.

Virus protection programs must be tested and approved before they are used in actual operations for the first time (see also S 2.83 Testing standard software).

It is generally impossible to examine and test signature updates due to the frequency with which such updates are released. At most, it will only be possible to test the signature updates briefly for possible incompatibilities on an isolated IT system running a standard installation. In terms of the signature updates, the customer is therefore dependent for the most part on the quality assurances provided by the software manufacturer. It helps when the virus protection programs have built-in functions that allow you to roll back to a previous patch version of the program or to previous malware signatures.

The updates for the virus protection program itself (its engine) are also usually released so often that it is not realistic to subject every single update to a detailed test. When installing program updates, though, it must be ensured that the existing configuration of the virus protection program is not changed detrimentally. For example, a given update could switch a previously enabled resident virus protection program into the offline mode.

The updating of the virus protection programs and malware signatures must be integrated into the existing patch and change management of the organisation. The updates to virus protection programs and malware signatures usually only contain standard changes that do not need to be subjected to the full patch and change management process (see S 3.66 Basic terminology of patch and change management).
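The two checks this safeguard calls for, signatures no older than the daily update interval (including on systems that are unassigned or off the network) and a resident protection that is still enabled after an engine update, can be verified centrally. The following Python script is an added illustration, not part of S 2.159 or of any product; the status records, the field names and the previous-engine table are constructed assumptions standing in for whatever the deployed virus protection management console exports.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample status records (hypothetical field names, not a real
# product's export format), one per IT system equipped with virus protection.
SAMPLE_STATUS = [
    {"host": "ws-01",  "engine": "7.4.1", "sig_time": "2024-05-06T08:10:00Z", "resident": True,  "network": True},
    {"host": "ws-02",  "engine": "7.4.1", "sig_time": "2024-05-03T21:00:00Z", "resident": True,  "network": True},
    {"host": "lab-03", "engine": "7.4.1", "sig_time": "2024-04-20T09:00:00Z", "resident": True,  "network": False},
    {"host": "srv-04", "engine": "7.5.0", "sig_time": "2024-05-06T07:55:00Z", "resident": False, "network": True},
]

# Engine version each host reported at the previous check (constructed); used to
# tell a configuration changed detrimentally by an engine update from one that
# was simply never enabled.
PREVIOUS_ENGINE = {"ws-01": "7.4.1", "ws-02": "7.4.1", "lab-03": "7.4.1", "srv-04": "7.4.1"}

MAX_SIGNATURE_AGE = timedelta(days=1)   # signatures should be updated daily
CHECK_TIME = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def check_hosts(records, previous_engine, now):
    """Return {host: [finding, ...]} for every host that violates the safeguard."""
    findings = {}
    for r in records:
        issues = []
        sig_time = datetime.fromisoformat(r["sig_time"].replace("Z", "+00:00"))
        age = now - sig_time
        if age > MAX_SIGNATURE_AGE:
            # Systems off the network or without a single user are the ones most
            # easily forgotten, so the finding says which kind it is.
            kind = "networked system" if r["network"] else "offline/unassigned system"
            issues.append(f"signatures {age.days} day(s) old ({kind})")
        if not r["resident"]:
            old = previous_engine.get(r["host"])
            if old != r["engine"]:
                issues.append(f"resident protection disabled after engine update {old} -> {r['engine']}")
            else:
                issues.append("resident protection disabled")
        if issues:
            findings[r["host"]] = issues
    return findings

def run_sample_check():
    return check_hosts(SAMPLE_STATUS, PREVIOUS_ENGINE, CHECK_TIME)

if __name__ == "__main__":
    for host, issues in run_sample_check().items():
        print(host, "->", "; ".join(issues))
```

A host flagged for a disabled resident protection right after an engine update is the case where the rollback function mentioned above is used until the configuration has been corrected.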

Review questions: