IT Baseline Protection Manual S 4.3 Periodic runs of a virus detection program


Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, IT users

Different courses of action can be taken to afford protection against computer viruses. Programs which scan IT systems for known viruses have proven to be the most effective means of combating viruses. The advantage here is that newly-procured software and data media can be checked before they are used for the first time. Infection by known computer viruses can thus be prevented in principle. Another advantage of virus scanning programs is that they provide details on each virus detected. Known viruses have been analysed by specialists, who have ascertained whether these viruses have any damaging effects. Consequently, a good virus scanning program must not only be able to detect a large number of viruses, but also identify them as precisely as possible.

It must be noted that virus scanning programs become less and less effective in the course of time, as they are only able to detect viruses known up to the inception of the programs, and are usually not able to identify any viruses created subsequently. For this reason, it is necessary to update virus scanning programs on a regular basis, at least four times a year.

Virus scanning programs have various settings which, through parameterisation, allow users to specify which files should be tested and how thorough the test should be. It is the task of the IT security management to determine the suitable settings and inform the users of them or pass them on as pre-settings.

Like other programs, virus scanning programs can be invoked when required (transient) or run in the background (resident). The operating mode of the scanning program has a decisive influence on user acceptance and, thus, on the actual degree of protection achieved.

In transient operation, the user must start the virus scanning program and explicitly specify which data media are to be scanned. In this way, infections can only be identified afterwards. In principle, virus protection is possible, but its effectiveness depends on how careful the user is.

In the resident mode, the virus scanning program is loaded into the main memory when the computer is started, and remains active there until the computer is switched off again. It operates without requiring any intervention by users, who can continue to perform the activities assigned to them, such as writing texts.

Of late, this operating mode has gained in importance as the use of Windows programs has spread. In the case of Windows, the memory management operates more efficiently than under MS-DOS, which was used mainly in the past. Rapid technical developments, accompanied by an expansion in the size of computer main memories, have supported the trend toward memory-resident programs. Under MS-DOS, memory-resident virus scanning programs were often designed to have a lower performance than transient programs, in order to save memory space.

The most important advantage of memory-resident operation is that the security measure (virus scanning) is implemented regardless of user action, thus increasing the level of security. This also results in greater acceptance by users, who do not need to attend actively to the responsibility of virus protection. The users do not even notice that the virus scanning program is operating in the background, as long as no virus is detected. On detection of a virus, access to the infected file is denied, i.e. this file cannot be used any more as long as the virus protection remains active. At present, the use of memory-resident virus scanning programs under Windows operating systems constitutes the best possibility of protection against viruses, because every file can be checked before usage (opening for the purpose of editing, copying, printing, unpacking etc.) and blocked if a virus is detected.

The use of checksum programs constitutes another preventive measure. In this case, checksums of the scanned files or system areas (e.g. the boot and partition sector) are computed at regular intervals to afford protection against changes. This not only allows the detection of unknown computer viruses, but also other unauthorised modifications to files.

Procedures required in case of virus contamination are described under S 6.23 Procedure in case of computer virus infection.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999