Where to Place Your Antivirus Defenses

Locate your antivirus defenses for maximum effectiveness

Deciding whether to run a virus scanner is a "no-brainer." The key decision is where to place it. You must place antivirus products where attackers might introduce malicious code into your environment. Because you probably don't have an unlimited security budget, you must make good cost/benefit decisions about antivirus products. Your decisions involve your entire environment—including those assets you choose not to protect with virus scanners. However, by carefully reviewing your networked environment, knowing which antivirus resources you can afford to implement, and placing the virus protection strategically, you can develop the most effective overall protection for your organization.

I review the potential sources of virus infections and take you through a process that can help you make the best virus-protection decisions. You'll want to perform a technology inventory and understand the placement options before you locate your antivirus products. After your antivirus products are in place, you need to define how you'll use them to protect your organization most effectively.

Reviewing Infection Sources
To determine where to place your antivirus defenses, you must understand the various ways viruses can invade networks, then figure out where your network is most vulnerable. Malicious code can come into your environment more than a dozen different ways. Figure 1 shows some of the most common sources of infection. Even if you protect file servers, email servers, and your Internet connection, malicious code can still enter. Remote offices and laptops are notorious for bringing in viruses and worms. Employees' home computer systems often get infected and infect their work machines. Outside consultants can also be a source of danger. Most organizations let vendors connect directly to their networks to perform system or application maintenance. (And how well do your vendors follow your organization's security policies?) Wireless networks, PDAs, and your managers' Internet-connected cell phones can also be sources of infection.

Performing an Inventory
You must review your overall technical environment to analyze which parts of that environment need virus protection and how you can best offer it. Do you have machines running Windows XP, Windows 2000, Windows NT, Windows 3.1, DOS, Microsoft Office, Linux, UNIX, or Mac OS? Do you have PDAs, wireless networks, email servers, file servers, storage servers, and Web servers? A thorough technology inventory can give you the overview you need.

Keep in mind that just because you have a particular system or device doesn't mean you'll automatically use virus scanning to protect it. Dollars are a limited resource. For example, although you might be aware that your company lets users sync their PDAs with their PCs, you might decide the risk of malicious code entering your environment by that means is too small to warrant special virus protection for PDAs.

Table 1, page 8, shows a segment of a sample technology inventory. In addition to noting each machine's identifying information (e.g., machine name, serial number, users), you need to note the machine's function and OS. You can also add information such as email gateways, Internet connection points, major software applications, and WAN connectivity platforms to the inventory record. After you've fully surveyed your environment, you can analyze its virus-related risks.

Understanding Antivirus Scanner Placement Options
After you have a general idea about which resources you must protect and which kinds of products you might use (a discussion of available products is beyond the scope of this article), you'll be ready to consider the best placement for your resources. Virus scanners typically run at the following locations:

Each location has its pros and cons.

Desktop. Almost every antivirus vendor offers a software solution designed to run on a PC desktop. Desktop protection, the first virus-protection model, is still the most popular. For strong protection, you must implement desktop solutions, then keep them up-to-date, which can be challenging for several reasons. First, keeping many desktops updated and current is difficult even with automated tools. Missing or bypassing a workstation is easy, and one weak link can harm the rest of the network. Second, when you place antivirus products on desktops, end users can disable the protection. Third, virus scanners loaded on desktops can severely affect local performance.

Most of the virus-scanning products allow different levels of aggressiveness. When scanning is set for maximum accuracy, to scrutinize every PC I/O function, performance suffers. When top PC performance is important, the scanner's aggressiveness must decrease, and the risk that the scanner might miss malicious code increases. A good desktop scanner balances acceptable performance and aggressive scanning, but PC performance will always decrease. For these reasons, network administrators often choose to place the antivirus software elsewhere.

Email server. Because most new malicious code arrives through Internet email, many organizations install antivirus software on email servers. For the most part, this choice works well. The antivirus software scans incoming and outgoing email messages for malicious code. However, email antivirus software can do nothing to malicious code that arrives by other paths. If malicious code arrives on a disk, through an FTP client, from the Web, or from any other file server, email-based protection does little to prevent its spread. Even if you have email-based virus scanning, users with third-party HTML-based email accounts, such as MSN Hotmail, might download and execute malicious code. Also, email-based scanners can't usually scan encrypted emails, such as those created with the pretty good privacy (PGP) plugin. Therefore, always consider email-based scanners an important, though partial, solution.

File server. You can install a virus scanner on a file server. From that location, the software can scan all incoming and outgoing files. Having a virus scanner in this location doesn't affect local desktop performance because the scanning occurs on the server. Also, as new malicious code appears, you need to update the antivirus software in only one location. Still, the file-server location has drawbacks. First, file server—based scanners can be buggy and cause the entire file server to crash. Second, the software scans only files stored on or sent to the file server. An infected document file opened on a disk won't trigger file server—based protection.

Finally, in most cases, a local PC must be infected for the server to eventually notice the infection. If you return to the previous example, you'll see that a locally infected Microsoft Word document can infect the local Office copy and make modifications before the server-based antivirus software becomes involved.

Internet border. Placing antivirus software on an Internet-connected firewall, router, or gateway, which Figure 2 shows, is an increasingly widespread choice. The software scans all incoming Internet packets (although in practice usually only HTTP, FTP, and SMTP packets by default) for malicious code. You can purchase border devices preconfigured with the scanning software, add a border device as an internal or external adjunct feature, or use such a device as a centralized update location. Some scanning firewalls, for example, work by verifying that every PC connecting to the Internet has the most up-to-date signature database.

When a monitored PC attempts to send a network packet through the firewall, the firewall queries the antivirus software on the PC to find out its version and virus signature database. If either is outdated or if the program doesn't respond, the PC is updated. If the PC fails to respond accurately or accept the antivirus update, the outgoing request is denied.

Many vendors' Web sites send new antivirus signature updates directly to the firewall (which mimics some file server—based configurations), which the firewall then distributes to the desktops. Even if users uninstall their desktop antivirus software, the firewall device reinstalls the software when they next connect to the Internet. You can configure most border-scanning products to look inside .zip and "safe" file extensions—if they don't already do so by default.

In the most common configuration for software-based firewalls, the antivirus program resides on the same server as the firewall. The customer might purchase the firewall from one vendor and the scanning software from another. The scanning software intercepts the traffic headed through the firewall before the traffic arrives at the network. Border devices that let a secondary interface device or software application perform the scanning are becoming increasingly popular. Internet border devices rely more and more on interface standards such as Common Content Inspection API (CCIAPI) and Open Platform for Security's (OPSEC's) Content Vectoring Protocol (CVP). Each interface standard defines a standard way to connect network-traffic-analyzing software to border devices, such as gateways, routers, and firewalls. For example, you can add virus-scanning software to a firewall or HTML-content scanning (to block banned Web sites or prevent malicious programs) to a proxy server.

Check Point Software Technologies' CVP standard originated in the early work on CCIAPI. The scanning software is considered a CVP server, while the border device is considered a CVP client, as Figure 3 shows. CVP and similar border-device interfaces help both antivirus vendors and consumers. For example, you can partner Finjan Software's SurfinGate software with Check Point's FireWall-1 product, Microsoft's Internet Security and Acceleration (ISA) Server, AXENT Technologies' Raptor Firewall, and the F-Secure Policy Manager tool. You can integrate Check Point's FireWall-1 product with no fewer than 20 security products.

OPSEC/CVP is often touted as an open standard, but Check Point completely controls it. For a product to be certified as compliant, the product must pass interoperability tests that Check Point solely determines. In actuality, it means many products denoted as CVP- or OPSEC-compliant work only with Check Point products. Some vendors whose products interoperate with additional vendors' products mark their more flexible products as "CVP-generic" or offer additional interfaces. When you consider a new firewall, proxy server, or router, check whether the product supports an antivirus interface, and if so, which one.

Although placing scanning software at the border prevents malicious content from invading the network perimeter, using that location has drawbacks. First, much like file and email server antivirus software, border antivirus software doesn't help when malicious code arrives another way. Most scanning firewalls scan only FTP, HTTP, and SMTP protocols by default. Malicious code can still come in through instant messaging (IM) clients, multimedia plugins, and every other protocol type. Second, scanning communication encrypted by PGP or Secure Sockets Layer (SSL) is difficult if not impossible. As encryption becomes more popular, gateway-scanning servers will either become impractical or will have to store the necessary decryption keys on the device. Third, scanning network packets at wire speed and comparing their payloads against thousands of signature strings can cause a performance penalty (just like the other options).

Choosing the Best Location
Like any question about a wide-spectrum problem, no one answer is right for every environment. If you have the budget to buy software for only one location, purchase desktop scanners and become an expert at automating updates. The desktop is a good location because all malicious content must be executed on a desktop to spread. No matter how rogue code enters a networked environment, the code must eventually be activated on a PC (this will change as mobile devices become more prevalent).

Just as an infected email message can't spread on an email server until someone opens the message on a PC, an infected file lying in wait on a file server can't harm anything until someone executes the file, and someone must download a malicious Java applet to the local PC before the applet can execute. Also, placing an antivirus defense anywhere other than on PCs will eventually let something slip by. Malicious mobile code can gain access to a PC too many ways, as Figure 1 shows. If properly configured and kept up-to-date, antivirus software on the desktop can effectively prevent malicious code from spreading in a networked environment. Default scanner settings work for most end users. You should apply a more aggressive scanning policy to workstations that seem to get more than their fair share of infections.

Putting antivirus software on an Internet border device, whether the device is an email server or firewall, is the next best option. In today's world of email worms, Trojan horses, and infected Web pages, placing virus-scanning protection at the border offers excellent benefits for the cost. Shutting down malicious Internet code before the code spreads is important to keep your networked systems running smoothly. In most environments, I recommend placing scanners on Internet edge devices and on desktops.

File-server protection can be costly. You'll find implementing scanning software on every new server added to the network expensive. And because most workstations connect to multiple servers, you can't avoid a certain amount of redundancy. However, if you don't want to worry about distributing antivirus updates, you should consider placing your virus protection on a file server, gateway, or router.

Deploying Virus Scanning
Before you deploy virus scanning software, you need to consider some additional concerns. For example, whether you place scanning software on a file server or desktop, you must still decide when and under what circumstances to scan files. Unsurprisingly, when and why you scan often has performance implications. Possible scanning approaches include

Realtime scans. Most scanners let you scan files touched for any reason, including new incoming files, outgoing files, and all files that have been copied, opened, or moved. Although this option is the safest, scanning all such files can cause significant performance degradation. I've seen workstations operate three times as slowly when users enable this level of virus-scanning functionality. Scanning the same application programming files every time a program runs gives little benefit and significantly decreases performance.

Scheduled scans. Because of decreased performance, some administrators choose to schedule full file scans at preset intervals (e.g., every Monday morning). Such a schedule can work if your end users don't mind. However, many users resent having to wait 30 minutes while their PCs are scanned before they can access their computers. If you're going to schedule full file scans, run the scans at other than peak-use times. (If your PCs are left on at all times as a matter of policy, schedule scanning for a low-use time, such as 3:00 a.m.)

On-demand scans. Other administrators go in the opposite direction and disable all scanning, letting users determine when scans should be initiated, an approach that's called on-demand scanning. Workstations with on-demand scanning are scanned rarely, which offers little to no protection at all. Relying on either scheduled scanning or on-demand scanning clearly lets new infections take place between scans; neither approach is an optimal solution.

New-file scans. In my experience, scanning incoming files with predefined file extensions or all incoming files offers the best benefit for the cost. If your system was clean before you installed the virus scanner, you need to scan only new files anyway.

Many organizations use a hybrid approach. Email servers are set to scan all emails, coming or going. Likewise, scanning firewalls are set to scan any packets headed into or out of the network. File servers are set to scan all incoming files with predefined extensions and to run prescheduled full file scans during off-peak hours. User workstations are set with realtime protection for predefined file types. The hybrid approach falters when an attacker introduces a new file type (e.g., .shs files). When a new file type appears, you need to be able to add new file extensions to default scans. Nevertheless, the hybrid approach offers the best overall antivirus coverage with the least performance impact on the network.

Virus Scanning: One Tool
No successful malicious code defense plan relies on antivirus software alone. Scanners don't catch everything, and eventually a virus will get by. Make sure you use adjunct tools such as firewalls, Intrusion Detection Systems (IDSs), and mandated security policies. In addition, have a good recovery plan ready for when you face a successful attack. (For information about recovering from an email intrusion, see "Putting Down an Email Attack," February 2002, InstantDoc ID 23656.)