180 Chapter 5 • Client-Side Anti-Virus Applications

appear. In the Task bar, you'll see the icon of the PC-cillin Real-time Scan (pcciomon.exe for Windows 9x and pntiomon.exe for Windows NT). PC-cillin 2000 performs a virus scan of memory, boot records, and system files at the startup of the PC. On the Windows 9x platforms, this is done by placing the following command line in the AUTOEXEC.BAT:

    C:\PROGRA~1\TRENDP~1\PCSCAN.EXE C:\ C:\WINDOWS\COMMAND\ /NS /WIN95

(C:\ and C:\WINDOWS\COMMAND\ are the directories to be scanned; /NS means No Subdirectories; /WIN95 indicates that the operating system is Windows 9x).

For IT Professionals: False Positives

I had already installed McAfee VirusScan 5 and Norton AntiVirus 2000 when I installed Trend Micro PC-cillin 2000. It broke off the installation with the message that it had detected another anti-virus (AV) application. Running more than one AV application at the same time can cause unexpected behavior of the application. When you have installed an AV application that is running real-time (on-access) scanning, everything that you do is monitored for possible viruses. When two AV applications run at the same time, unjustified detection of viruses can occur. These false positives can result in a lot of unnecessary work and worries.

Earlier versions of AV applications were renowned for giving false positives, especially when the technique of inoculation (fingerprinting) was used. The advice then was to disable the AV scanner before installing an application, and re-inoculate before enabling the scanner again. I can even remember occasions (luckily, not too many) when the only remedy in getting an application installed was to de-install the AV application. The latest versions of AV applications (like the ones described in this chapter) do not warn you about this problem when an application is installed. However, when you install a major upgrade or service pack of an operating system, you should disable your AV application to prevent false positives from occurring. For example, Norton AntiVirus recently gave me a false positive with the installation of the Windows 2000 Service Pack 1. If you ever upgrade your operating system and forget to turn off the AV application, ignore any virus warning—that is, if the AV application was configured to ask what to do.

www.syngress.com
119_email_05 10/6/00 1:02 AM Page 180

Configuration of Trend Micro PC-cillin 2000

As mentioned earlier, PC-cillin 2000 runs three processes in the background of your system. These can easily be enabled/disabled via the window that appears upon double-clicking the PC-cillin Real-time Scan in the Task Tray (see Figure 5.13). From this window you can (de)activate the three main Internet Protection scanning functions (run by two processes): Enable Web Filter, Enable POP3 Scan, and Enable Web Security. From this window, you can also start the main/console program (Pccmain.exe; see Figure 5.14). The More Information button gives you access to version numbers and the pattern file number.

Checking one of these functions activates it. The related processes are already in memory, but are informed to take action (or, in the case of unchecking the option, to deactivate the action). In the case of Enable POP3 Scan, PC-cillin must also modify all the POP3 e-mail accounts. Make sure the e-mail client is not running at the moment you activate/deactivate POP3 scanning; a running client prevents PC-cillin from modifying the server information of the accounts.

When you start the PC-cillin 2000 main program, through the Main button in the Real-time Scan window (see Figure 5.13)—or the shortcut on the desktop, or the icon on the Quick Launch bar—a window is shown, similar to the one in Figure 5.14. The Properties frame is the largest, and the left-hand bar (similar to the Outlook bar) contains six main functions.

Figure 5.13 Controlling the PC-cillin 2000 Internet Protection.

However, no Mail Scan is present here. To access the Mail Scan properties (shown in Figure 5.14) you must use the menu bar (Options | Mail Scan). This properties sheet is divided into two parts:

1. Manual Scan for Outlook. PC-cillin 2000 scans only local Outlook folders (i.e., not Outlook Express); on-demand scanning is provided for Outlook (95, 97, 98, and 2000), not real-time, so you need to use the Scan Wizard to do a manual scan.

2. Real-time Scan for POP3. The Real-time Scan scans for viruses/malicious code during the download of e-mails from a POP3 mail server.

As you perform a manual scan on Outlook, the on-demand scanner program opens the Outlook folders, accesses all mails, and opens and decodes all attachments. The manual scan program does not itself scan for viruses and malicious code. This is done by the real-time scan process, which scans every file that gets accessed. So the manual scan program, in a way, breaks Outlook up into a series of files that can be scanned separately. Remember that you cannot scan Outlook Express folders with the manual scan for Outlook function.

If a virus or malicious code is found in an e-mail attachment, action is taken as specified in the properties sheet. You can choose from the following:

■ Clean This will try to remove the virus/malicious code from the attachment.
■ Delete This will delete the entire attachment.
■ Pass A notice is given, and the scanning continues.

Figure 5.14 The Trend Micro PC-cillin 2000 main program.

Because you are given only these options, "Clean" is the most appropriate one. PC-cillin 2000 will give a virus notice, so you are aware that it detected something. It will also inform you if the virus/malicious code has been cleared. The second action you can select determines what to do if a virus/malicious code cannot be removed from the attachment. You are advised to use the "Pass" option, but notice what the exact attachment is. As soon as the scanning is over, you should quarantine the infected file. Use "Delete" only if no other option is available to get rid of the virus.

NOTE
If you ever encounter a file that contains an unknown virus, or one you cannot remove, quarantine it right away and send it to the maker of your anti-virus application. McAfee, Norton, and Trend Micro have special teams that investigate files and come up with a way of recognizing or removing the virus/malicious code. They also incorporate this information in the next update of their virus definition files, so not only you but also every other user of the application benefits.

You can scan Outlook folders by selecting the Scan function in the left bar of the main program and then selecting Scan Wizard (or, using the main menu, File | Scan | Scan Wizard). Now choose the last option of the list, "What do you want to scan," and PC-cillin will take care of the rest.

In the lower part of the Mail Scan properties window (Figure 5.14), you can select the action to be taken if a virus/malicious code is detected during the download of an e-mail attachment from a POP3 mail server. This is the same process as with the scanning of Outlook folders. You see the check-box options "Splash" and "Start POP3 Scan" in the frame "Action when virus is found." These are not related to the "Action when virus is found" option and it would have made more sense if they were placed in a separate frame. The functions of these two options are as follows:

■ Splash If checked, a PC-cillin logo is shown for a few seconds every time the real-time POP3 scan starts, indicating that it is doing its job.
■ Start POP3 scan This option is exactly the same as checking the "Enable POP3 scan" option in the Real-time Scan window (see Figure 5.12). In fact, these are linked.

As you see, there is not a lot to configure to let PC-cillin do its work. Personally, I think it's unfortunate that a few options are not included in this program: an Action option of "Quarantine" would be appropriate, and extended Alert and Security options. This shows that PC-cillin 2000 is meant to be a single-user PC AV application. If you want these options for a networked environment, you should consider a corporate solution of Trend Micro.

A corporate solution (like Trend Micro OfficeScan Corporate Edition with Trend Virus Control System) or enterprise solution (like Norton AntiVirus Enterprise Solution 4.0) enables you to battle viruses effectively in large networks. Even with a small number of PCs to manage, a corporate anti-virus solution has a number of advantages. However, if you have to manage over 100 PCs, it's vital that you have a corporate/enterprise solution, if only to prevent you from spending all day keeping PCs virus-free.

The first important benefit is the single point of administration. From a single workstation you can monitor and manage the anti-virus application on all systems, using an anti-virus management console application. From within a Windows NT or Netware domain all client PCs can be accessed. To communicate between the management workstation and a client PC, the PCs must run a special communication agent. Through this agent, the management console can not only query the anti-virus status of the PC, but also update/upgrade the anti-virus application and virus definition files. From the server from which the updates/upgrades take place, a central quarantine can be set up, along with other centralized functions, accessible to all client PCs. The result of such a solution is that management efforts can be reduced significantly. There are additional functionalities that come with the corporate/enterprise anti-virus solution:

■ Automated deployment of version upgrade or replacement of a version
■ Unattended updates of virus definition files (for example, overnight)
■ Centralized alert and dispatch of virus detection
■ Centralized configuration of the anti-virus application, through one or more anti-virus policies (a PC is linked to a specific policy and every change to a policy can be distributed with a single mouse-click)
■ Centralized management console can manage different versions of the anti-virus application across different platforms (or operating systems)
■ Prevention of configuration changes by users
■ System-wide report of anti-virus statistics and analysis
■ Initializing a domain-wide virus scan
■ Easy deployment of the communication agent

Although the benefits of a corporate/enterprise solution are already clear, its ultimate benefit becomes apparent when you must apply a fix for a high-risk virus (like the "Love Letter" or Melissa viruses). It would be a matter of hours to get all PCs updated, instead of days, and your daily operations that keep your network virus-free can be reduced to a matter of minutes.

Trend PC-cillin 2000 Configuration Settings

PC-cillin 2000 differs from the other two anti-virus applications in this chapter in the way it stores its configuration settings. The most significant difference is that PC-cillin 2000 for Windows 9x does not use the Registry to store any settings at all. Only the registration of PC-cillin 2000 as an installed application is recorded in the Registry. For the other settings, one configuration file (Pcc2k95.ini, for Windows 9x) is used, located in the C:\Windows directory. For PC-cillin 2000 for Windows NT the configuration settings file is called PCC2kNT.ini and is located in the C:\Winnt directory. However, all settings are also recorded in the Registry.

There is no clear reason why the configuration settings file is located in the Windows directory. The practice of placing files in this location stems back to the Windows 3.x operating system. However, most current applications commonly place configuration files in the application's installation directory. The configuration files used by ActiveUpdate (Version.ini and Server.ini) are placed in the installation directory, so it is not clear why the Pcc2k95.ini is not here too.

As a home user or system administrator you should be aware of the location of the configuration file. If you want to move it to another directory, be sure this directory is in the PATH variable, or else PC-cillin will be unable to locate the configuration file. Also, if you upgrade your system and place the new Windows version in another directory, you should move the configuration file.

PC-cillin 2000 does not provide any security feature that prohibits users from changing the options. By removing the Pccmain.exe from the system you only remove the user interface from the system. This does not prohibit the user from making changes to the configuration file. As you can see in the following excerpt of the Pcc2k95.ini file with the relevant e-mail scanning components, it can be easily interpreted.

    (edited)
    [AUTOUPDATE]
    (edited)
    AutoUpdate=1
    LastPattern=2000/08/11
    (edited)
    [IOScan]
    IOScan=1
    InOut=2
    Action=2
    AllFile=0
    ZipScan=1
    Action2nd=3
    CleanBackup=1
    EXCEP00=c:\suhdlog.dat
    LastScanFileName=C:\WINDOWS\RUNDLL32.EXE
    LastFoundVirusName=
    LastFoundVirusFile=
    FileTypeList=.ARJ.BIN.CAB.CLA.CLASS.CO_.COM.DO_.DOC.DOT.EX_.EXE.LZH.OBD.OBT.OBZ.OCX.OVL.SYS.VBS.XL_.XLS.XLT.ZIP
    MoveDirectory=C:\PROGRAM FILES\TREND PC-CILLIN 2000\QUARANTINE
    MoveDirectory2nd=C:\PROGRAM FILES\TREND PC-CILLIN 2000\QUARANTINE
    (edited)
    [OUTLOOK]
    Action=2
    Action2nd=0
    [POP3]
    Action=2
    Action2nd=1
    Splash=0
    ONOFF=0
    [RESUME]
    Version=756
    [MacroTrap]
    Splash=1

Not only configuration settings are recorded, but also runtime (operational) information, like LastScanFileName=C:\WINDOWS\RUNDLL32.EXE. The [RESUME] part is used by PC-cillin to find the appropriate pattern file. Changing the value will result in the program not finding the pattern file or using a different one. Under [POP3] the keywords correspond to:

    Action=1       Action when virus found: clean
    Action2nd=1    Action on uncleanable files: delete
    Splash=0       Splash
    ONOFF=0        Start POP3 Scan / enable POP3 Scan

It's nothing fancy, but it's highly maintainable, even without the Pccmain.exe program. Remember that all PC-cillin 2000 programs/utilities use this configuration setting, so be careful when changing this file manually, in case you have to remove the PC-cillin main program to prevent people from using it.

For Managers: Using Client-Side Anti-Virus Applications

This chapter discusses client-side anti-virus (AV) applications without ever clearly recommending that every PC or workstation should be equipped with an AV application. I will leave this decision to you. There is no magic bullet protecting a PC from ever getting infected; however, an AV application can reduce the possibility significantly. It all has to do with risk management. Ask any system administrator how much time it takes to recover a PC from a serious virus attack. Then multiply that by 50 percent of the number of PCs in your organization, and multiply that result with the average hourly wage. Now you know what a virus attack costs in salaries! And what about the cost of not being able to conduct business with your customers and your suppliers? In October 1999, a production plant of Dell Computers was plagued with a virus attack. Although it was downplayed by Dell, production was halted for at least one day and it cost even more time to fully recover. Is $10 to $20 per PC per year worth the risk? If you choose to take the risk, and are subsequently confronted with a widespread virus (and spread they do!), reconsider your decision not to install an AV application on every PC—it's far cheaper to pay for the installation than the repairs.

However, just how do you get your point across so that management is willing to come up with the proper funding? First, make yourself aware of which arguments will resonate with the person to whom you are applying for the additional funds, such as preventing disruptions in production, lowering the level of computer problems for the employees, and increasing the level of customer support. If all he or she understands about viruses is what they read in the newspapers, for example, about the Love Letter virus, cater to that information—remind them that a few companies brought their e-mail server down for two to four days to flush out that virus. Also, prepare to argue with accurate numbers: If you have encountered problems with viruses, how long did it take to solve them? How many e-mails does your company get on an average day, and if those represent orders, how much money is involved? How many PCs did you have to check for viruses manually and how much time did you need per system? Investigate implementation costs, such as licensing costs for company-wide anti-virus applications. When you have secured the funds, be sure to make it part of your annual funding.

It is also a good idea to show management that the company should not rely on technology alone. Make the point that user habits are the greatest threat. Make a suggestion to start a program to raise the awareness of virus protection within your organization.

Trend Micro PC-cillin 2000 Links

Trend PC-cillin 2000 Virus Pattern file update: www.antivirus.com/pc-cillin/pattern.asp
Trend PC-cillin 2000 support: www.antivirus.com/pc-cillin/support.htm
Trend PC-cillin Virus Information Center: www.antivirus.com/pc-cillin/vinfo/
Trend PC-cillin 2000 (trial version): www.antivirus.com/pc-cillin/download/

Summary

Because the e-mail client is so vulnerable to viruses and malicious code, the use of a client-side anti-virus application is absolutely crucial. In this chapter we discussed the three most popular anti-virus applications: McAfee VirusScan 5, Norton AntiVirus 2000, and Trend Micro PC-cillin 2000. One of the most important factors in choosing one of these applications is how updates to the applications are provided.

McAfee VirusScan 5 has the ability to scan for viruses in e-mails when using MAPI-based or POP3-based e-mail clients. It can scan for viruses while downloading files from the Internet, block malicious Java applets and ActiveX controls, as well as restricting access to specific Web sites. Trend Micro PC-cillin 2000 has these same functionalities, only it cannot real-time scan MAPI-based e-mail clients, and it uses a POP3 proxy to scan the e-mails.
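The Configuration Settings section above makes the point that PC-cillin 2000 keeps its policy in a plain Pcc2k95.ini file that any user can edit, and that operational keys such as LastScanFileName are mixed in with the policy keys. The following Python script is an added example, not code from the book or from Trend Micro: it parses a copy of the excerpt shown above, reports policy keys that have drifted from an expected baseline, splits the FileTypeList value into the list of scanned extensions, and computes a fingerprint over the policy keys only, so that an administrator can detect edits without being alarmed by every scan. The sample ini text is constructed from the book's excerpt, the baseline values are my own choice, and the reading of ONOFF=1 as "POP3 scanning enabled" is an assumption drawn from the chapter's key description, not from vendor documentation.

```python
import configparser
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: the e-mail-scanning sections of Pcc2k95.ini as printed
# in the chapter (lines the book marked "(edited)" are simply absent here).
SAMPLE_INI = """
[AUTOUPDATE]
AutoUpdate=1
LastPattern=2000/08/11

[IOScan]
IOScan=1
InOut=2
Action=2
AllFile=0
ZipScan=1
Action2nd=3
CleanBackup=1
EXCEP00=c:\\suhdlog.dat
LastScanFileName=C:\\WINDOWS\\RUNDLL32.EXE
LastFoundVirusName=
LastFoundVirusFile=
FileTypeList=.ARJ.BIN.CAB.CLA.CLASS.CO_.COM.DO_.DOC.DOT.EX_.EXE.LZH.OBD.OBT.OBZ.OCX.OVL.SYS.VBS.XL_.XLS.XLT.ZIP
MoveDirectory=C:\\PROGRAM FILES\\TREND PC-CILLIN 2000\\QUARANTINE
MoveDirectory2nd=C:\\PROGRAM FILES\\TREND PC-CILLIN 2000\\QUARANTINE

[OUTLOOK]
Action=2
Action2nd=0

[POP3]
Action=2
Action2nd=1
Splash=0
ONOFF=0

[RESUME]
Version=756

[MacroTrap]
Splash=1
"""

# Assumed baseline (my choice, not a Trend Micro default): the switches an
# administrator would expect to stay on. Treating ONOFF=1 as "POP3 scanning
# enabled" is an assumption based on the chapter's description of the key.
EXPECTED: Dict[Tuple[str, str], str] = {
    ("AUTOUPDATE", "AutoUpdate"): "1",
    ("IOScan", "IOScan"): "1",
    ("IOScan", "ZipScan"): "1",
    ("POP3", "ONOFF"): "1",
}

# Keys that change on every scan or update; they are operational state, not
# policy, so the change-detection fingerprint ignores them. configparser
# lower-cases option names, so the key names are stored lower-cased here.
RUNTIME_KEYS = {
    ("IOScan", "lastscanfilename"),
    ("IOScan", "lastfoundvirusname"),
    ("IOScan", "lastfoundvirusfile"),
    ("AUTOUPDATE", "lastpattern"),
}


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse the ini text. Interpolation is switched off because the values
    are Windows paths and a stray '%' would otherwise be misinterpreted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text: str) -> List[str]:
    """Return one finding per baseline key that is missing or has been
    changed away from its expected value."""
    cp = load_ini(text)
    findings: List[str] = []
    for (section, key), want in EXPECTED.items():
        got = cp.get(section, key, fallback=None)
        if got is None:
            findings.append(f"[{section}] {key} missing")
        elif got != want:
            findings.append(f"[{section}] {key}={got}, expected {want}")
    return findings


def file_types(text: str) -> List[str]:
    """Split the dot-separated FileTypeList value into extensions."""
    raw = load_ini(text).get("IOScan", "FileTypeList")
    return ["." + part for part in raw.split(".") if part]


def policy_fingerprint(text: str) -> str:
    """SHA-256 over the policy keys only (sorted, runtime keys excluded), so
    the value stays stable until somebody changes an actual setting."""
    cp = load_ini(text)
    items = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if (section, key) in RUNTIME_KEYS:
                continue
            items.append(f"{section}.{key}={value}")
    return hashlib.sha256("\n".join(sorted(items)).encode()).hexdigest()


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("FINDING:", finding)
    print("scanned extensions:", len(file_types(SAMPLE_INI)))
    print("policy fingerprint:", policy_fingerprint(SAMPLE_INI))
```

Run against the sample, the audit reports only the POP3 switch, and changing LastScanFileName leaves the fingerprint untouched while flipping ONOFF changes it. In practice the script would read the live file from the Windows directory instead of the embedded text, and the stored fingerprint would be compared on a schedule, since the book notes that removing Pccmain.exe hides the interface but does nothing to stop edits to the file itself.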
Norton AntiVirus 2000 uses the same technique to scan for viruses in e-mails, but lacks the functionality for explicitly scanning for malicious Java applets and ActiveX controls and blocking access to specific Web sites. On the whole, the three are highly comparable and are the top choices of all available anti-virus applications. They can all efficiently scan all POP3 traffic, guarding us from taking in viruses using the Internet's most popular application. None of the three is preferable above the others—just try them and then make your own choice!

[...]

... to take the safest course of action and deactivate Java completely. In Netscape Messenger 4.75, select Edit | Preferences from the menu bar, then select the Advanced category. Locate the Enable Java check box and deselect it (see Figure 6.9).

Figure 6.9 Preferences to disable Java under Netscape.

This will also disable Java for the Netscape browser. With Java disabled, your Internet browsing experience will ...

119_email_06 10/5/00 9:04 PM Page 200
200 Chapter 6 • Mobile Code Protection

Sending an Entire Web Page

There is an easy way to send an entire Web page to a user through e-mail. In Internet Explorer you can select File | Send | Page by e-mail. In Netscape Navigator you can select File | Send Page (see Figure 6.3).

Figure 6.3 Sending an entire Web page to someone using Netscape.

When you ...

... computer with the e-mail packet. JavaScript and VBScript are always included in the body of e-mail, so we would say they are sent in the e-mail packet. Java applets and ActiveX controls typically reside on another server somewhere on the Internet. ActiveX code can be permanent once it is installed. Java applets will be retrieved and executed only when the e-mail is opened, so no copy is stored permanently ...

... your system. There are special utilities that can clear unused keys out of the Registry (for example, within the McAfee Clinic service). Inexperienced users are urged not to get into the Registry to remove the keys manually. One wrong delete can bring your system down.

Q: Am I safeguarded from ever having my PC infected with a virus when I use the latest anti-virus application?
A: No guarantees are ever handed out, as we saw when the Love Letter Visual Basic script raged over ...

... then select Settings | Control Panel and double-click on Internet Options. Select the Security tab and you should see the screen shown in Figure 6.6. Make sure the Internet zone icon is highlighted; then click on the button Custom Level. On the next screen, scroll down until you see Java. Here you should see High Security selected, which is the default for Internet Explorer/Outlook.

Figure 6.6 Customize ...

... this, the browser takes a snapshot of all the HTML code on the page. Even if the page changes later that day, the person you send it to will see the Web page as it appeared when you sent it. If you had to log in to the page, the HTML code will still be sent as it appeared to you. Any graphics, Java applets, or ActiveX components on the page will be retrieved from the server when the user opens your e-mail ...

... extension html (and not txt). Also, note the directory you are saving it in.
4. Bring up your e-mail client. If you are using Outlook Express, select Compose message.
5. With a new blank message up, select Insert | Text from file (Outlook Express).
6. Change the file type to HTML; then find the HTML file you saved.
7. Click OK.
Now your new message just needs the to and subject fields completed and the mail can be sent ...

... capable of displaying HTML e-mail messages. If you own the latest versions of Eudora, Netscape Messenger, Outlook, or Outlook Express, you will be able to compose and view e-mail in HTML. These e-mail programs usually are set to send e-mail in HTML format by default. However, there is no option to deny HTML e-mails you receive. If someone sends HTML e-mail to you, your e-mail client will always display it ...

... unfortunately it is not possible to search through the HTML tags with Outlook Express.
1. In Netscape Messenger, select Edit | Message Filters from the toolbar.
2. On the Message Filters screen, click on the New button.
3. You should now see a window similar to Figure 6.10.
4. For filter name, type in "Java Applet."
5. Fill in the selections as seen in Figure 6.10. You will have to select New Folder to create the folder ...

... trouble (see the Appendix for the Web link). This applet is similar to the working of viruses like Melissa, which send e-mail to everyone in your address book. The main difference between a Java applet sending mail and Melissa is that Melissa is initiated by the user opening the attachment. The Java applet will run automatically when you open your e-mail, but it doesn't have the ability to do as much damage.