Virus Attack!

Skinny margins may not make antivirus software the most exciting market for resellers, but it's still a market that they ignore at their peril. Ian Jacobs investigates

There are two truths when selling antivirus solutions: no one wants to think about them, and everyone needs them. It really is that simple.

For antivirus software to work effectively, it must be updated frequently - and used every minute that a user is logged on to the system. Both of these aspects also need to be completely invisible to users.

Software publishers have worked hard to meet these two goals, and have now reached a level of product parity that makes it hard for integrators to differentiate themselves with software alone.

"Antivirus is such a given now," says Ben Rothke, a security consultant with the Information Security Services Group of Ernst & Young LLP in the US.

"The antivirus market isn't a sexy market anymore. Six years ago you'd have one vendor saying, 'we protect against 10,000 viruses' and another saying, 'we protect against 11,000'. Now they are all mature products - the technology is pretty much standardised, and there is no major advantage to using one over the other."

That doesn't mean that viruses aren't still a major security concern for corporations of all sizes or that combating them isn't of commercial importance to integrators. Worldwide antivirus software sales topped $US1 billion for the first time in 1998 and should more than triple to $3.5 billion by 2001, according to a study by International Data Corp (IDC). As Rothke points out, a large multinational spends in the six-figure range for antivirus software. However, the skimpy margins from sales of this mostly desktop software aren't what many resellers and integrators are after. The better reason to put antivirus software in your portfolio is to guard against the potentially significant damage a virus can cause to your customers' enterprise applications, systems availability, and data integrity.

Breeding grounds

Three factors are mostly responsible for driving the growth of the antivirus market: e-mail and macro viruses, the Internet, and malicious code in active content. Now that e-mail has become a necessity for many businesses, viruses can spread much more easily. And the proliferation of macro viruses - those that use the macro languages provided to developers to add functionality to applications - has in large part piggybacked on the explosion of e-mail use.

Since collaboration using e-mail has become standard in most enterprises, millions of documents are passed back and forth electronically every day. IDC estimates that in 1997 macro viruses accounted for 50 to 80 per cent of all infections.

"What's nice about this from a virus writer's point of view is that you obtain a copy of Microsoft Office and you have all the tools you need to write macro viruses, including help files that explain how the macro language works," says Jonathan Wheat, senior analyst at the Malicious Code lab of the International Computer Security Association (ICSA) in the US.

"In Office 97 the macro language is Visual Basic for Applications 5," continues Wheat. "That means that anything you can do in Visual Basic, you can make a macro do. This is really great for developers - a great boon for productivity. But it is also a great way for those who want to to wield that power for the dark side."

Antivirus vendors, as would be expected, have jumped all over this new threat. Sharon Ruckman, a group product manager at leading antivirus vendor Symantec, says her company's Norton AntiVirus will deal with any type of malicious content. Ruckman touts Norton AntiVirus's ability to detect and eradicate viruses and attacks that Symantec hasn't even heard of yet.

"Even when you create a file, Norton AntiVirus checks to make sure there are no viruses in memory that will corrupt your file," she says. Despite the extreme threat to productivity and the bottom line that viruses pose, most corporations still buy their antivirus software preinstalled on the systems they purchase from resellers.

Many of the biggest virus problems occur in smaller companies. These firms have fewer resources to fight the problem, fewer knowledgeable IT staffers to establish security procedures, and often less contact with integration partners to help out in the fight.

Michael Bledsoe, a partner at US integrator E=mc2, sees these problems every day. E=mc2 designs and custom builds desktops, network servers, LANs, and WANs for small businesses. Bledsoe used to try and generate revenue by selling two antivirus packages. He found his customers reticent at best. Bledsoe blames retailers, often the first stop for small businesses shopping for new systems, for continually providing poor information and making customers wary of any add-on sales. But Bledsoe remained convinced that for his customers, in the end, having antivirus software would prove significantly cheaper than remaining exposed and unprotected.

"Here's what I do now: whenever I build a system, the antivirus software is automatically on there. I no longer give them a choice," Bledsoe says. "This is at no cost to the customer; it is just part of my cost of doing business."

E=mc2 purchases an OEM five-pack of the software, which Bledsoe says reduces the cost to about $US20 per desktop. As he sees it, that $20 keeps customers from calling to have viruses removed from their systems, usually at a much greater cost.

"They would really be screaming at that," he says. Even so, some of his customers try and take on too much of the work themselves. Bledsoe recounts the story of one customer, a home and corporate security business. The customer's office was infected with a Junkie virus on two workstations and a server. "He tried to take them off himself," Bledsoe says. "He got them cleanly off the workstations, but he lost the server and around $30,000 worth of data." One of the biggest problems, according to many integrators that work with smaller enterprises, is the "local computer guru".

Computer keeper

"Typically the guy who gets to be the computer keeper is like the guy that knew how to change the paper in the Xerox machine," Bledsoe says. These gurus are often called upon to fix problems to avoid escalating them into costly service calls. "That is not the best way to do tech support, but that is truly how it is done."

Unfortunately for small businesses, that often means that the problems only get worse. Of course, that leads to more mop-up service work for smaller integrators. As Bledsoe points out, these clean-ups cost customers significantly more than proper prevention ever would have. A dash of business consulting might be in order. "In a sense, going in and educating the users is par for the course," says Ernst & Young's Rothke. "You need to say, 'You don't have any policies, so let's look at your systems and work on developing the policies.' Unless there are clear restrictions, people are going to use these systems however they see fit."

New macro virus also targets PowerPoint

An Australian company that makes antivirus software last month reported a new macro virus that exploits a vulnerability in Microsoft's Word 97 and infects Office 97 files via the Internet.

Eugene Kaspersky, head of virus research at Kaspersky Lab, said the virus was dubbed Triplicate because it is the first to infect all three components of Microsoft's Office 97 suite - Word, Excel and PowerPoint.

"There have been similar viruses that have used similar technology to infect Office 97's Word and Excel," Kaspersky said. "The Triplicate virus, however, uses a similar technique to infect PowerPoint, as well as Word and Excel."

The vulnerability in Word 97, which was patched by Microsoft in December, allows hackers to write malicious code and attach it to a template linked to Word 97 documents.

Word 97 warns users when they open documents containing macros, but no warning is given in cases where the code is attached to templates. After installing the patch, however, users will be warned before they launch templates containing macros and can choose to disable them, he said. "We've recommended that all users download this patch and should always disable any macros if they are unsure of their origin," Dixon said. "It's also a good practice to run the latest antivirus software."

Users who haven't installed the patch could be at risk if they visit a hacker's Web site containing a booby-trapped Word 97 document and then download it, or if they open an infected Word 97 attachment sent via e-mail.

Triplicate's creator apparently distributed the virus to several servers belonging to hackers, Kaspersky said.

by Tom Diederich

The wild, wild Web

While big vendors focus most of their security efforts on enterprise-wide security or high-ticket security such as the stored-value smart-card, a lowly macro virus infiltrating a company via e-mail can bring all of their hard work crashing down. Ben Rothke, a security consultant with the Information Security Services Group of Ernst & Young in the US, says that viruses are still a big-time hassle for corporate America, but that the bigger threat may come from Java and its ilk

IDG: In the overall security picture, how big a concern are viruses for enterprise customers?

Rothke: It is a major concern, especially with the spread of Internet e-mail. In the old days, floppies were the primary mechanism for virus transfer. It is now e-mail that all the viruses are coming from. Companies that don't have virus protection get bitten once, and then they get it. It's not really even a matter of if, it's when.

What about autoexecutable code, such as Java and ActiveX?

Now that these applications can be extremely powerful, they are the real threat. The nature of a virus is to wreak havoc on you: reformat your hard drive, bring up a pornographic image, or just waste your time. But with Java and ActiveX, viruses can have access to your file system. They could do file transfers, because they are real applications. Rather than merely bringing up an offensive image, these things can read your address book, read your e-mail, or even send bogus e-mails. The market is now focusing on that, because antivirus software is such a given that selling it isn't a big deal anymore.

Now that e-mail is becoming the most common point of infection, are we seeing different types of viruses entering the enterprise?

If you send an e-mail with a Microsoft Word attachment titled "Juicy Information", the user is going to open it. If it contains a macro virus, the user will infect his or her system; if the user forwards it on to friends, they get infected, and so on.

To see the power of this, look at how many people get these e-mail hoaxes that float around. The craziest one of these was the Disney/Bill Gates hoax. It claimed that it was Bill Gates' beta e-mail-tracking program. It told readers that they should forward the e-mail to everyone they knew, and if the mail reached 13,000 people, 1300 of them would receive $5000. The rest were supposed to get a free week of admission to a Disney park.

Conservatively, the number of people who got this thing was in the millions. This message was just text, but there's no reason why it couldn't have been hiding a macro virus; writing macro viruses is far from rocket science. A lot of Fortune 1000 companies have groups in their e-mails, so it isn't hard to imagine someone sending a message containing a macro virus to 2000 people at once. Whole companies have been wiped out for a while because once a company is infected, you need to shut everything down and go machine by machine to wipe out the viruses.

Companies are now educating users about these bogus e-mails, and as time goes on users will get smarter about them. But there is still a lot of room out there for macro viruses.



Hot on the heels of its Norton AntiVirus (NAV) for Macintosh 5.0 release last year, Symantec's NAV 5.0 for Windows 95, 98 and Windows NT workstations touts a number of enhancements that the company claims will provide protection at all virus entry points, including shared floppy disks, the Internet, e-mail attachments and networks.

NAV 5.0 Gold Edition features a new Scan and Deliver capability enabling users to isolate potentially infected files, e-mail them to the Symantec AntiVirus Research Center for analysis and receive a response within a week. In addition, a new Quarantine option provides users with the means to quarantine viral files in a safe location while allowing an administrator to fix the file.

Symantec claims NAV 5.0 also features improved handling of compressed file formats, including ZIP, LZEXE, LHA and LZH, to combat the growing threat of virus infection through compressed file e-mail attachments.

In conjunction with the workstation antivirus product, Symantec has released a Windows NT Server version, designed to simplify the management of virus detection and removal on NT-based servers while preventing infections from moving to workstations.

With an estimated RRP of $99, NAV 5.0 will be bundled with version NAV 4.0 for Windows 3.1, Windows NT (3.51) and DOS customers, with upgrades available for an estimated RRP of $59.

Computer Associates

With its acquisition of leading local antivirus software developer Cybec earlier this year, Computer Associates is now able to offer the popular Vet antivirus product range. Vet Corporate, retailing at under $1000, combines the desktop protection of Vet Enterprise with the added protection of an organisation's NT or NetWare server which, the company claims, prevents viruses at the source through the desktop and prevents their spread via the server.

Touting features standard to most comprehensive enterprise antivirus products, Vet Corporate provides licensing for multiple PCs, installation across networks on a number of operating systems, logging of all virus incidents, e-mail notification of virus attack to the administrator and password protection of the settings chosen by users.

Vet Corporate includes free feature upgrades, virus updates and phone support for one year.

Network Associates International

Released late last year, Total Virus Defence (TVD) 4.0 represents the initial showcase of Network Associates International's acquired technology.

Combining Dr Solomon's and Network Associates' antivirus technology, Anti-Virus Informant - a customisable, NT-based enterprise reporting and analysis tool - enables administrators to analyse data and proactively monitor and address virus outbreaks across all known points of entry from a single location.

Featuring all the latest in Anti-Virus Informant technology, TVD includes AutoImmune technology enabling corporate users to extract potential viruses automatically from files and send them to Network Associates for detection and cleaning updates.

The product is supported by Network Associates' Antivirus Emergency Response Team (AVERT), protecting customers with regular online updates, which are posted by AVERT every hour.

Total Virus Defence 4.0 supports all major platforms and is priced at $63 for 500 to 1000 nodes for a one-year subscription.

TVD is available as a stand-alone solution and as part of Network Associates' security suite Net Tools Secure.

Network Associates' products are distributed in Australia by LAN Systems, Marketing Results, Scholastic New Media and Tech Pacific.

Norman Data Defence Systems

The current version of Norman Virus Control (NVC) provides protection for Windows NT (server and workstation), Windows 3.x, Windows 95/98, DOS, OS/2, NetWare and GroupWare products for MS Exchange and Lotus Domino.

NVC has full detection and repair-on-the-fly capabilities for all macro, file and boot sector viruses through the use of a heuristic scanning approach, Cat's Claw, with the ability to detect and remove new and unknown macro viruses in documents, templates and spreadsheets.

Bundled with every corporate user CD is a software distribution tool called N_dist. The software can be used on a NetWare or Windows NT server for remote installation.

Another feature of NVC is the Smart Behaviour Blocker (SBB) which prevents the execution of code whose actions are consistent with the behaviour of viruses.

The product includes free upgrades and maintenance for one year.

Distributed via Norman Data Defence Systems, the workstation for DOS, Win 3.X/95/98/NT and OS/2 is priced at $99 for one user to $12,500 for 1000 users.


Computer Associates Tel (02) 9937 0500
Associates International Tel (02) 9437 5866 www.nai.com
Norman Data Defence Systems Tel (03) 9562 7655
Tel (02) 9850 1000
