S 2.157 Selection of a suitable computer virus scanning program

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

German federal authorities obtain current virus protection programs from the BSI. Users in other areas must select computer virus protection programs suitable for their purposes from among the large number of programs available on the market.

A functionality class for anti-virus products (F-AVIR) has been developed for ITSEC, the Criteria for the Evaluation of the Security of IT systems. This can be used as an aid when selecting a suitable virus scanning program.

The F-AVIR functionality class describes security functions and requirements for a secure working environment for anti-virus products which should be used as criteria for the selection of a suitable computer virus scanning program.

Volume 2 of the BSI series of publications on IT security, "Informationen zu Computer-Viren", includes the text of this functionality class. To help, the corresponding extract from the CD-ROM has been enclosed with the IT Baseline Protection Manual.

Essentially, the computer virus scanning program to be selected should satisfy the following conditions:

• The range of computer viruses detected should be as large as possible and correspond to the currently known inventory; in particular, all highly widespread computer viruses must be detected.

• Constant updating with reference to new computer viruses must be ensured by the vendor.

• The program should also find computer viruses even when they are in compressed form; commonly used compression functions such as PKZIP should be supported.

• When computer viruses are found, the full path must be displayed.

• The program must first establish that it is itself free of viruses before the scanning function is executed.

• If possible, the product must allow constant computer virus checking by running as a resident program.

• It makes sense to use a functionality which enables detected computer viruses to be removed without causing further damage to programs or data.

• The program should have a logging function which records the following data:

• Program version number

• Date and time of the scan

• Specification of all parameters used

• Scan result with indication of the scope of the scan

• Number and identification of files and objects which could not be checked

• The program should issue a warning when it establishes that it has obviously not been updated (if the gap between the last updating of the program and the system date is greater than 6 months).

• The program should contain a list of detectable computer viruses and their descriptions. In addition, descriptions must be provided of immediate measures to be taken and measures to remove the computer virus