S 4.3 Use of virus protection programs

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User, Administrator

Different principles of operation can be used to protect against malicious software. Programs that scan the IT systems for all known malicious software have proven in the past to be an effective tool for the prevention of malicious software. For this reason, virus protection programs meeting the requirements described in S 2.157 Selection of a suitable virus protection program should be used.

Protection from Internet services

A virus protection program must be used on the central e-mail gateway to scan all incoming and outgoing e-mails.

All other Internet services (HTTP, FTP, etc.) should be secured using specialised protective software. If this is impossible, for example due to performance problems, then it is necessary at a minimum to technically prevent the execution of active content on untrusted web sites.

Regular scans of all data

Even if a scan for malicious software is performed on every file access, it still makes sense to regularly scan all files on the clients and file servers. This makes it possible to find malicious software for which no detection signatures were available at the time the malicious software was introduced. In such cases, it must be examined if the malicious software found has already collected confidential data, deactivated any protective functions, or downloaded any code from the Internet before it was detected, for example.

For performance reasons, full scans of all data should be executed at times in which the load on the IT resources is low. Ideally, the software will monitor the current load on the computer and automatically perform the scans during "idle times". On workstation computers, the virus protection program could be triggered when the screen saver is started, for example.

Exchanging data and data transmissions

Data which will be sent out must be checked for malicious software immediately before sending. Similarly, any data received must be checked for malicious software immediately upon reception. These scans are necessary when exchanging data using data media as well as when transmitting data over communication connections. The scans should be automated to the greatest extent possible.

As an additional safeguard, scanning hosts can be set up to scan programs, files, and data media coming in from outside. The scanning hosts are isolated IT systems that are not integrated into the local network. Using a virus protection program, the incoming programs and files are tested and released centrally by the scanning hosts.

This procedure may be necessary, for example, when the security requirements are particularly high or when an especially dangerous piece of malicious software is in circulation.

Interaction with encryption techniques

When using encryption techniques, it is necessary to take its potential effect on malicious software protection into account. When data is encrypted, system components and applications will not be able to access this data unless they have the corresponding key. This implies that a virus protection program needs to be run in the context of the user or needs to be equipped with the corresponding cryptographic keys in order to scan an encrypted file for malicious software. However, if the user ID under which the virus protection program is executed is actually provided with the corresponding cryptographic keys, then new security risks are entailed that need to be avoided. For this reason, it is recommended to use a resident virus protection program which scans files in the user context for malicious software every time a file is accessed.

Protection against unauthorised deactivation or changes

The virus protection programs on the clients and terminal devices must be configured so that the user cannot make any security-related changes to the settings of the virus protection programs. In particular, it must be ensured that the users are not able to deactivate the virus protection programs.

Review questions:

• Are virus protection programs installed on all IT systems for which this is necessary according to the security concept?
• Is ensured that the scan program as well as the signatures are always up to date?
• Are the users familiar with the scan program, in particular with the option of an on-demand scan?
• Is the central e-mail gateway protected by a virus protection program?
• Is adequate protection against malicious software ensured for the Internet services used?
• Are full scans of all data for malicious software performed regularly?
• If malicious software is found: Is it examined whether the malicious software found has already collected confidential data, deactivated any protective functions, or downloaded any code from the Internet before it was detected?
• Is a scan for malicious software performed every time data is exchanged and data is transmitted?
• Is adequate protection against malicious software also guaranteed for encrypted data?
• Has it been ensured that users are not able to make any security-related changes to the settings of the virus protection programs?