Goal: Define procedures used to guard against, detect, and report malicious software. The purpose of this policy is to prevent security violations created by malicious software.
The purpose of this policy is to prevent security violations created by malicious software.
Procedure: The Security Manager shall supervise efforts to provide employees and assigned personnel with resources that are free of malicious or destructive software and that are protected from intrusion by unauthorized entities.
-
- Personnel should report suspected virus activity and unusual or unexpected messages or displays in accordance with the Security Procedures stated in this Policy.
- A computer virus is a computer program that can infect other computer programs by modifying them in such a way as to include a copy of itself. Although a computer virus is the most widely recognized example of a class of computer programs written to cause some form of intentional damage to computer systems or networks, it does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus." A computer virus performs two basic functions: it copies itself to other programs, thereby infecting them, and it executes the instructions the author has included in it. The Security Manager is responsible for the development and update of policies used by the workforce on how to handle and prevent malicious software. For the purposes of this policy malicious software refers to:
- Boot Viruses. These infect the boot sector on a floppy disk or hard drive. Typical examples are FORM, STONED and MICHAELANGELO. They usually replace the boot sector with all or part of a virus program that stashes itself in memory and moves the boot block on the disk to another location. Often the damage is done because the boot block is moved blindly to another disk location, over-writing whatever is resident there.
- File Viruses. These infect ordinary *.BAT, *.EXE, or *.COM files. Usually they just append the virus code to the file; but recent versions have gotten trickier, and hide their additions. An example is Friday the 13th which loads into memory on execution of the infected file, and if the date matches Friday the 13th, deletes the *.EXE files - often itself included!
- Multipartite Viruses. These infect both systemic areas such as boot blocks and executable files. These are opportunistic infectors, infecting the available files at random using a combination of different viruses. An example would be a combination of a Stealth, File, and Boot viruses.
- Systemic Viruses. These viruses focus on both system files necessary for DOS. These are files that control the allocation of system resources, such as directories, and files. In some cases a much more basic level of attack against CMOS structures is attempted. An example would be the Monkey Virus.
- Polymorphic Viruses. Polymorphic viruses, such as the Maltese Amoeba, combine a range of strategies to attack the integrity of the operating system. They modify their appearance each time they infect a host program, using variable encryption techniques to encrypt and decrypt itself.
- Stealth Viruses. These viruses try to conceal their presence. This may be as simple as modifying the file structure to conceal the additional code added to a file. It may go so far as making sure that when added to machine code in the *.COM file that the CRC is not changed (a technically very tricky bit of work). There are also Size Stealth viruses which can infect a program without changing the program's apparent size. A sample stealth virus is the Strange virus.
- Meta Viruses. These are viruses that execute their nasty work in the very helpful meta languages embedded in powerful modern programs such as MS Word. This includes the MS Word Macro Virus or Prank Macro.
- Trojan Horses. A Trojan Horse is a computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security. They are crude, front door attacks that rely on simple naiveté. The level of threat can be very potent, however, because they do not require any backdoor - you gave them the key! An example of a Trojan Horse would be Happy Days.
- The use of software not obtained or provided by us should be restricted without prior approval. This includes: public domain software, proprietary software, software downloaded from bulletin boards and personally owned copies of software.
- All employees are responsible for preventing the penetration of system by malicious software. As a minimum the following anti-virus practices and techniques described below are to be employed in order to ensure timely detection of viral infections, eliminate viral infections from the inventory of microcomputers, and to minimize the risk from malicious programs to larger or network systems.
- Scan new software. All new software shall be checked for infection before running it for the first time. Whenever possible the person performing the installation shall use two different anti-virus programs, since no single virus scanner is able to detect all viruses.
- Use only authorized software. Do not install any software on a PC unless the software has been authorized for use by the Security Manager and scanned for viruses. Public domain software, shareware, freeware, computer games, and software copied from a home system or another user's system are frequent sources of viruses and should not be installed on any system without authorization.
- Do not download software from public bulletin boards. It is recommended that users do not download software from public electronic bulletin boards. When necessary to download from an authorized source the user must download the software to a diskette and use virus scanning software to test for viruses before copying files to a hard disk. Never download software to a network server.
- Scan diskettes from home and external sources. Do not use diskettes from home systems or other external sources that have not been approved and scanned for viruses.
- Do not copy and share software. Do not copy copyrighted software or share software with other employees. Copying and sharing software are common ways of spreading computer viruses in a personal computer environment in addition to potentially violating copyright laws.
- Make backups of critical files. Protect system files, critical data files, and applications by making backup copies (backup copies of applications for archival purposes generally do not represent a copyright violation) and storing them on write-protected diskettes.
- The Security Manager should have a backup copy of every software program every time it is modified in accordance with established software development procedures and controls.
- Scan network servers. The Security Manager should ensure that all systems are periodically scanned for viruses.
- The Security Manager or designated representative shall also ensure that all antivirus and malware software is up to date and running as established on this procedure.
- All malware/antivirus software shall be on line scanning systems on an on-going basis. At the very least these systems shall be scanned for unauthorized access using malware/antivirus software on a weekly basis.
- The Security Manager or designated representative shall verify that:
- Software has been updated;
- Software has been running periodically;
- Findings.
Actions regarding verification of antivirus/malware software shall be documented on Antivirus Tracking Form.
