An Overview of Virus Prevention Strategies in a NetWare Environment

Cort Ouderkirk, Consultant, Systems Engineering Division
Drew F. Jackman, Associate Consultant, Systems Engineering Division

Abstract

Computer viruses have been classified as the latest terrorist attack. Strategies such as the use of detection programs and corporate policies that deal with this threat are a must. In a NetWare environment there are several inherent virus protection facilities, including significant password restrictions, directory rights, file attributes and supervisor restrictions. These facilities, combined with a good security strategy and thorough implementation, will greatly reduce the odds of a computer virus infection.

Introduction

With the recent conviction of Robert Morris (1988 Internet Worm) and the increased number of computer viral infections, network managers have been forced to confront greater network security issues. This AppNote addresses issues that relate to the NetWare operating system and virus infections: general infection prevention strategies, built-in NetWare protection, and detection and elimination strategies. Although much attention has been given to viruses, it is not the intent of this AppNote to give viruses any more attention than necessary; we do, however, want NetWare users to be aware of how they can protect themselves against undesired attacks.

A virus is a computer program that attaches itself to a computer system and lives there as a parasite, causing the system to react in ways not originally intended. This can range from harmless but annoying messages displayed on the screen to very destructive programs that attack computer data. The most common type of virus attaches itself to .COM and .EXE files or to the boot sector track of a bootable disk. The virus may also try to infect and invade other parts of the computer system, including other executable programs and bootable disks.
Once a virus enters a system it can be difficult to determine what damage has been done and how many programs or data files may be infected. Although some viruses are difficult to detect, a virus that is proceeding undetected may exhibit one or more of the following symptoms:

* The changing of a volume label, or of a file's size and date.
* An unwarranted number of bad sectors on a disk. Some viruses hide themselves in fake bad sectors.
* A floppy disk drive light being on when the default directory is not on that drive.
* A major system slowdown (though this could also be a hardware problem).
* The changing of read-only flags to read-write, or printed copies with mysterious character changes.

By the time these symptoms are noticed, the damage may already be done. The best way to deal with a computer virus is to avoid it completely: the best corrective medicine is prevention. The following sections outline the access points of possible network infection and the strategies network managers can use to secure their network against these new industrial terrorists in the workplace.

Network access points

Diskettes

The first and most common access point is the floppy disk drive. This is where unsuspecting users can initiate the most harm. Diskettes that reach the floppy drive include shrink-wrapped software, public domain or shareware packages, and personal diskettes (user diskettes from home). All of these diskettes should be checked for viruses before being used. Even with commercial packages, care must be taken to avoid the spread of viruses. All software on a network should come from reliable dealers or another reliable source, and all software packages should be in their original packaging. Many software manufacturers are concerned about viruses and are using the suggestions reproduced in this report.

Public domain and shareware packages also concern network managers. There are two ways for a manager to confront this type of software.
The first is to restrict it completely, with a policy that no public domain or shareware packages be used on the network; this, however, rules out many good programs. The second is to establish a screening policy that checks all software coming into the company network. This policy could include running virus protection programs or trying the software on an isolated machine or network for a period of time. Either policy requires that an implementation plan be devised by the manager. These techniques are also recommended for shrink-wrapped software and personal diskettes.

Always use working copies of the software. Never use the original diskettes unless an infection occurs, and keep the original diskettes in a secure place. Additionally, all originals and working copies (including boot diskettes) should always be write-protected.

Modem connections

Another access point to monitor is the modem connections on the LAN. Reliability is a key factor. A reliable bulletin board must be used, and the downloaded software must be inspected using the same procedure that is used when other public domain or shareware products come into the network. A reliable bulletin board is one that is concerned about the spreading of viruses and has a system for checking the software placed on it.

Hard disks

When using a system with a hard disk, always boot from the hard disk rather than from a floppy disk. This helps eliminate the chance of getting a boot sector virus on a workstation. When installing a new hard disk, always format it before using it; there have been cases where viruses were found on new hard disks.

Prevention strategies

LAN backups

A reliable LAN backup strategy cannot be overlooked, virus or no virus. Sooner or later hardware, software, users or a virus infection will cause the LAN to fail. The robustness of the backup system will determine how quickly the LAN supervisor will be able to restore the LAN to full operation.
If the backup storage rotation can easily be followed back beyond the time of failure, and the restoration procedure is thorough, a minimal amount of data will be lost. For more information on the specifics of LAN backup procedures see Network Backup by Paul Turner and Bob Jones, available through the normal Novell distribution channels.

Diskless workstations

Most viruses enter a computer system through the use of diskettes. One method of stopping this invasion is to install diskless workstations on the LAN.

Virus detection programs

There are numerous utilities available for detecting and eliminating viruses. Some of these programs are terminate and stay resident (TSR) programs that check all incoming executable programs and stop infected programs from executing on the local machine. Network versions are available which are capable of searching a network's virtual drives. Some of the virus-detection programs also include utilities to disinfect an infected system.

Users of virus detection programs should know that viruses are extremely hard to detect, and there is no general virus detection program. All detection programs only check for known viruses (Burger 1988). This is a very effective method, since most new viruses are just revisions of an old, previously written virus. However, the probability still exists that a new virus will not be detected by these programs. Virus detection programs may slow down the boot-up process and execution times and may also use some of the system interrupts.

The following is a list of virus products, though it is not exhaustive.

Software package              Company                  Phone
Quarantine                    OnDisk Software          (212) 254-3557
Anti-Virus Kit                1stAid Software          (617) 783-7118
SiteLock                      Brightwork Dev. Inc.     (201) 544-9258
Viruscan, Scanres, Netscan    McAfee and Assoc.        (408) 988-3832
Virus-Pro                     Intl. Security Tech.     (212) 288-3101
Certus                        Foundation Ware          (216) 752-8181

User education

One of the most important strategies of network management is to educate all the network users about the known symptoms and harmful effects of viruses. Even with all of the above precautionary steps in place, there is no guarantee that a virus will not infect your network. Viruses will not go away. But if users are conscientious about using the access points, the chances of avoiding a virus infection will increase.

NetWare security facilities

NetWare includes a robust set of security facilities that, when implemented properly, can prevent viruses from infecting the network. NetWare enforces network security, but the system supervisor is responsible for setting up and maintaining proper security procedures. An example of this is illustrated by an article written by Barry Gerber, director of Social Science Computing at the University of California at Los Angeles. One of the NetWare networks in his computer lab contracted a virus and he said, "we soon realized that most of the damage had been done by our staff when they logged in with supervisors' rights from lab machines in which COMMAND.COM had become infected by students who brought in their own infected programs." (PC Week, April 1990). The following information will help to avoid problems like this and will strengthen a NetWare LAN's line of defense.

Password protection

A first line of defense against virus infection of a network is to ensure that everyone has account restrictions and uses a password. Using a password prevents unscrupulous users from getting access to the network, reducing the likelihood of network infection. When users do not have passwords or enforced account restrictions, additional access points are created for network virus infiltration. The following are other password precautions:

1) Require each user to have a unique password.
2) Require users to change the password periodically.
3) Make passwords conform to a minimum length standard.
4) Lock the account if the user fails to log in correctly within a maximum number of tries.

These precautions will make a network more secure. If users are required to change their passwords often and to make each new password different from previous passwords, it will be more difficult for an intruder to break into the network. Adding an additional character to a password increases the possible combinations exponentially, so make sure users have passwords that conform to a minimum length. Locking an account keeps password breaking programs from repeatedly trying to break in.

Users should also be restricted from including any portion of their account name or full name in their password. This means that user names should not be used in any form, whether spelled backwards, doubled or run together. Users should not be allowed to use other personal information for passwords, such as job title, wife's name, children's names, street address or other information which may be easily found or guessed.

Disk format

NetWare has added extended security features to the DOS directory structure and file attributes. Because of these features, the format of the data that is laid down on the boot track of a NetWare disk is different from that on DOS disks. With this difference, viruses that infect the boot track on a DOS machine will not affect a NetWare disk. Since NetWare is a server operating system and is remote from the workstations, it is harder for boot sector viruses to infect the server: the virus would have to do its damage before the file server is booted. As long as the disks used to configure a file server do not become contaminated, a boot sector virus will not be able to penetrate the file server boot area.

File attributes

NetWare has added security extensions to file and directory attributes which make its disk format incompatible with the DOS format.
These security extensions are a part of NetWare which not only help protect the server from being corrupted, but also protect executable files and data files from becoming infected by a virus. Security rights control which directories, subdirectories and files a user can access and what the user is allowed to do with them. File attributes, or flags as they are frequently called, give additional information about a file other than its name. For example, a file can be given the attribute of read-only so that you cannot accidentally copy over the file, modify it or delete it.

The flags common to both 286-based NetWare and NetWare 386 that aid in stopping a virus from infecting a file are:

Read-Only       Prevents a file from being written to or modified
Execute-Only    Prevents an executable file from being copied off the server

NetWare 386 specific flags include:

Copy Inhibit    Prevents the file from being copied
Delete Inhibit  Prevents the file from being deleted. This flag and the Rename Inhibit flag are automatically set when the Read-Only flag is set
Rename Inhibit  Prevents the file from being renamed

The most widely used flag, and the best one for preventing a virus from infecting an executable program, is the read-only attribute. Since most viruses attack executable files, flagging .COM and .EXE files as read-only will prevent a virus from attaching itself to the file. This prevention occurs because a user running the program only has read rights. In order for a virus to attach itself to a program, the infected user account must have write capabilities. If users have the ability to write to a program, then the program is not safeguarded and has the potential to become infected. These file attributes can be assigned with the FLAG command.
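The interaction of the Read-Only flag, the FLAG command and the Modify directory right, as described here and in the Directory rights section that follows, modelled as an added Python example that is not part of the AppNote; the account names, the "SYS:/LOGIN/LOGIN.EXE" path notation, and the rules that the nearest trustee assignment up the directory tree applies and that a write still needs the Write right once Read-Only is cleared are assumptions of the example, not NetWare's exact semantics.

```python
# Added example, not code from the AppNote: a small model of the NetWare
# facilities it describes (Read-Only flag, FLAG command, Modify directory right)
# showing why RO alone does not protect LOGIN.EXE when the account a virus runs
# under also holds Modify in that directory. Paths use a simplified
# "SYS:/LOGIN/LOGIN.EXE" notation; rights inheritance is simplified (assumption).

SUPERVISOR = "SUPERVISOR"           # has every right everywhere
ALL_RIGHTS = frozenset("RWSM")      # Read, Write, Search, Modify (as named in the AppNote)


class Volume:
    def __init__(self):
        self.trustees = {}           # directory -> {account: set of rights}
        self.flags = {}              # file path -> set of attributes, e.g. {"RO"}
        self.infected = set()        # files a virus managed to write itself into

    def grant(self, directory, account, rights):
        """Trustee assignment: rights apply to the directory and its subdirectories."""
        self.trustees.setdefault(directory, {})[account] = set(rights)

    def effective_rights(self, account, directory):
        """Nearest trustee assignment walking up toward the volume root (assumption)."""
        if account == SUPERVISOR:
            return set(ALL_RIGHTS)
        while True:
            rights = self.trustees.get(directory, {}).get(account)
            if rights is not None:
                return set(rights)
            if "/" not in directory:
                return set()         # no assignment anywhere on the path: no rights
            directory = directory.rsplit("/", 1)[0]

    def flag(self, account, path, attribute, on=True):
        """FLAG path attribute: changing attributes needs Modify in the file's directory."""
        directory = path.rsplit("/", 1)[0]
        if "M" not in self.effective_rights(account, directory):
            return False
        flags = self.flags.setdefault(path, set())
        (flags.add if on else flags.discard)(attribute)
        return True


def virus_write_attempt(volume, account, path):
    """Outcome when a virus running under `account` tries to write itself into `path`."""
    directory = path.rsplit("/", 1)[0]
    rights = volume.effective_rights(account, directory)
    if "RO" in volume.flags.get(path, set()):
        if "M" not in rights:
            return "blocked: Read-Only and no Modify right"
        volume.flag(account, path, "RO", on=False)   # virus clears RO exactly as FLAG would
    if "W" not in rights:                            # model assumption: Write still required
        return "blocked: no Write right"
    volume.infected.add(path)
    return "infected"


def login_scenario(running_account, student_rights):
    """Constructed scenario from the AppNote: the supervisor flags LOGIN.EXE RO, account
    STUDENT gets `student_rights` in SYS:/LOGIN, and a virus runs under `running_account`.
    Returns (outcome, LOGIN.EXE still Read-Only afterwards)."""
    exe = "SYS:/LOGIN/LOGIN.EXE"
    vol = Volume()
    if not vol.flag(SUPERVISOR, exe, "RO"):           # FLAG login.exe RO
        raise RuntimeError("supervisor must be able to set flags")
    vol.grant("SYS:/LOGIN", "STUDENT", student_rights)
    outcome = virus_write_attempt(vol, running_account, exe)
    return outcome, "RO" in vol.flags[exe]


if __name__ == "__main__":
    for account, rights in [("STUDENT", "RS"), ("STUDENT", "RWS"),
                            ("STUDENT", "RWSM"), (SUPERVISOR, "RS")]:
        print(account, rights, login_scenario(account, rights))
```

Running the four cases shows that only an account holding Modify in SYS:/LOGIN (or the supervisor) can turn a Read-Only LOGIN.EXE back into a writable, infectable file, which is the reason the AppNote reserves that right for the supervisor.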
The syntax for using the FLAG command is:

    FLAG filename attributes

For example, to give the login program the read-only attribute, the syntax would be:

    FLAG login.exe RO

After the read-only attribute has been given, the login program can only be read and cannot be written to. Viruses that attach to executable programs cannot attach to programs that are flagged as read-only unless the user has the right to modify file attributes. Typically, the flags on a system executable file, such as LOGIN.EXE, should only be modifiable by the system supervisor.

Directory rights

Effective rights are the rights a user can exercise in a given directory. These are assigned by the system supervisor in the form of trustee assignments, which are given to specific users or groups of users. Trustee assignments control which directories, subdirectories and files a user or group can access, and what the user or group can do with them. There are several rights a supervisor can grant for a directory, including Read, Write, Search and Modify. Once the supervisor grants one or more of these rights, the user or group may exercise that right in that directory and its subdirectories.

The directory right of most concern for virus control is the Modify right. This right allows the user or group to change the file attributes of files in that directory or its subdirectories. If a user has the Modify right in a directory, a virus running under that user's account has the potential to change an executable program from read-only to read-write and infect the file. Without the Modify right in a directory, a virus cannot change a file's read-only flag in that directory.

For example, suppose a user runs an infected program at a workstation. The user's workstation becomes infected, and the virus will now try to infect every program the user runs. If one of those programs happens to be the LOGIN.EXE program on the file server, the virus will try to infect LOGIN.EXE even if it is flagged as read-only.
If the user has the Modify right in the LOGIN directory, the virus could change the read-only flag to read-write and infect the LOGIN utility. If this occurs, everyone who logs in to the network will become infected, and in this way the infection can spread very rapidly. Once the supervisor becomes infected, nothing on the network is safe, and every program that is run can become infected. Therefore, it is vital that only the supervisor have the Modify right to system files. It is also vital that the supervisor take care not to become infected.

Since the login program can cause many users to become infected quickly, the supervisor may consider taking the command off the network and putting it on each user's workstation. By doing this, the spread of the virus would be slowed considerably. However, if the LOGIN utility is flagged as read-only with only the supervisor having the Modify right, keeping the LOGIN utility on the network should be safe.

Supervisor account restrictions

On a NetWare server the supervisor has ultimate authority and can access any program or database on the server. Because of this, the damage that an infected supervisor account can do to the network is significant. To safeguard against infection, the supervisor account should only be used when necessary. No user should use the supervisor account as a general working account; it should only be used when doing system work.

To further protect the system, care should be given as to which and how many users are given the supervisor account password and supervisor equivalence. Supervisor equivalence can be as dangerous as the supervisor account itself: every person who has the supervisor account password or supervisor equivalence adds an entry point a virus has to the network. Users should not be limited in the work they do, but most do not need supervisor authority.

Another precaution is to limit the workstations the supervisor account can log in from.
By doing this, the supervisor account cannot inadvertently be logged in on an infected station. This could happen if a user brings in an infected program to run on a workstation. After a while the user notices that the system isn't working correctly and calls the network supervisor. The supervisor then logs in using the supervisor account. When this happens the supervisor becomes infected and will infect everything accessed: every program the supervisor runs can become infected, and data files may also become contaminated. However, if the workstations the supervisor can log in from are limited, this mistake will not be made. We suggest that the supervisor account be enabled for at least two workstations; this allows the supervisor to access the network if one of those workstations fails.

Another way to enhance system security and minimize the entry points a virus has to the network is to limit the number of simultaneous connections a supervisor account may have. Restrict this to one, so the supervisor may only log in to one workstation at a time.

Elimination

If a virus infects a network, the manager's actions in treating the virus are critical. This section suggests some ways to eliminate a virus that has infected a LAN. These steps alleviate some of the panic that a virus infection causes. This is a blanket repair approach taken from Computer Viruses: A High-Tech Disease, by Ralf Burger, and will not fit all network situations.

1) Turn off the system (including workstations) to prevent further spread of the virus and to destroy any memory resident viruses. Do not warm boot the system computers; some viruses can survive a CTRL-ALT-DEL.
2) Disconnect all data transfer lines from the system. This isolates the system from infecting other systems and keeps infection from recurring while the system is being restored.
3) Write-protect all media that has not previously been protected. This includes all notched diskettes, and all drives and magnetic tapes that have write-protect switches.
4) Use the original version of the operating system to reboot the system. It is possible that a virus has infected the backup or working copies.
5) Save the system data and programs on new media. These can be used to support damage claims, and may also give an idea of where the virus originally infected the system.
6) Format old media; a virus cannot survive a media format.
7) Use the original versions of all other software to restore system packages. Make sure they are still write-protected.
8) After the restoration, check all data for dependability. When proper order has been restored, the data can be used.
9) If data consistency cannot be guaranteed, then use a backup copy which will guarantee consistency.
10) Install detection software that will check the system in the future. If unusual behavior continues, then contact a virus consulting firm for help.

Another effective method for removing a virus is the use of commercial disinfecting programs. Many of these programs can clean up infected systems by removing just the virus code. Others clean up the system by removing the infected software completely. Familiarity with a particular package will be helpful in case of infection.

Conclusion

Knowing how viruses work, how they spread and the damage they can do allows network managers to better secure their systems. By using good management techniques in conjunction with NetWare security, a virus can be prevented from entering and spreading throughout a network. As networks continue to grow and involve all aspects of a company's business, the access points to a network increase. Therefore, to safeguard networks and the data on them, network managers must be willing to implement these techniques before a virus enters their system.

Bibliography

Baker, Virginia E. Infectious Diseases. LAN Times (Dec. 1989).
Burger, Ralf. Computer Viruses: A High-Tech Disease. Abacus (Second ed. 1988).
De Martin, Lawrence. How to Protect PCs from Viruses and Anti-Viral Software. Connect (Summer 1989).
Gerber, Barry. Sometimes "Abort, Retry" Means "Network Virus". PC Week (April 1990).
Hoffman, Patricia. Virus Information Summary List (Feb. 1990).
Neff, Ken. Fifteen Preventive Measures. LAN Times (Dec. 1989).

Cumulative Index

NetWare Application Notes
Novell Systems Engineering Division

Released Application Notes

To request additional NetWare Application Notes, contact your Authorized NetWare Reseller, your Novell Field Sales Representative or Systems Engineer.

Edition      Part Number      Title
June 1990    119-000010-001   286-Based NetWare v2.1x File Service Processes: The Final Word
                              Novell NetWare and AT&T Integration
                              NetWare Internal and External Bridge Performance Benchmarking
July 1990    164-000011-001   NetWare 386 System Messages: Disk, Memory and Accounting
                              An Overview of Virus Prevention Strategies in a NetWare Environment

Compaq Application Notes (NetWare-related only)
Compaq Systems Engineering Department

Released Application Notes

To request additional Compaq Application Notes, contact your Authorized COMPAQ Computer Dealer or your Compaq Field Sales Representative.

Document Number   Control Number   Title
-------------------------------------------------------------------------
1989
AN89-0002         191A/0489        Influence of Ethernet NICs on LAN Server Benchmarks
AN89-0003         192A/0489        DCA IRMALAN Gateways on Novell Ethernet/Token-Ring LAN
AN89-0008         114A/0689        Installation of Gupta Technologies SQLBASE in Single and Bridged Token-Ring/Ethernet LAN Environments
1990
AN90-0002         122A/0290        Installation of Novell NetWare 386 on the COMPAQ SYSTEMPRO
AN90-0003         223A/0390        RAM Cram Relief Using Expanded Memory Management Products
AN90-0004         224A/0390        Configuration of a Dataproducts High-Speed Line Printer with COMPAQ Platforms
AN90-006          269A/0390        Novell 286-Based NetWare Installation on the COMPAQ SYSTEMPRO
AN90-0008         208A/0590        Use of COMPAQ-Product RAM Greater Than 16MB With Novell NetWare 386 v3.0
AN90-0009         209A/0590        Novell 286-Based NetWare to UNIX Connectivity Using Racal-Interlan TCP Gateway for Novell NetWare
AN90-0011         196A/0790        Emeral Tape Backup System for Novell 286-Based NetWare