Using Behavioral Products to Fight Off Viruses

My company is having ongoing problems with computer viruses and worms. We use Symantec AntiVirus and keep the definitions up-to-date, but many of the viruses that have hit us have done so in the early stages of their distribution—before a patch was available from Symantec.

We've begun deploying Microsoft Software Update Services (SUS) to ensure regular distribution of OS patches. What else can we do to limit our exposure to viruses without compromising employees' access to data?

I sympathize with your situation. Finding a happy medium between security and accessibility can be difficult. Ensuring that your PCs have the most recent patches from Microsoft was a good start, and you can do a few other things to improve your network's resiliency.

I suggest you take a look at the new classes of "behavioral" products that are hitting the market. When used in conjunction with conventional antivirus products, these new tools can significantly reduce a PC's susceptibility to viruses. Behavioral-management solutions have several advantages over legacy antivirus products, not the least of which is that behavioral products don't use virus definitions. Instead, the applications monitor, intercept, and terminate application processes that don't meet with approved behavioral patterns. With a solution like this at your back, you don't have to worry as much about whether Symantec (or McAfee, or any of the other antivirus providers) has released a definition to identify the most recent version of the Sasser worm, for example.

Cisco Systems Security Agent is one example of such a product. This software, which you install on your server or client systems, sits between applications and the OS kernel and intercepts all OS calls to the registry, runtime resources, and network, permitting or denying the call according to predefined rules that you establish through client profiles. You configure and maintain these profiles through Cisco's CiscoWorks VPN/Security Management Solution (VMS), which you must purchase separately. Cisco CallManager and Cisco Unity voicemail provide a preconfigured Cisco Security Agent client at no extra charge. A Cisco Security Agent is available for Windows XP, but the software doesn't yet support Windows Server 2003.

Since you already use Symantec AntiVirus, you might want to look at a similar Symantec product: Symantec Client Security. The most recent version, Symantec Client Security 2.0, bundles Symantec AntiVirus, firewall, and intrusion detection into one package. This product monitors application behavior and terminates processes that display common virus characteristics (e.g., port scanning). The product can terminate processes in memory before they infect your PCs (a significant improvement over earlier versions) and also features location-based profiling and threat tracing.

Location-based profiling lets you tweak the firewall on a client PC to permit or deny access to specific ports depending on the system's location. This feature is a great benefit for companies that have a large mobile workforce; we've all heard of (or dealt with) the inevitable problems that result from employees plugging company notebooks into their home broadband connections without adequate firewall protection. Threat tracing is also greatly helpful. I can't count the hours I've spent tracking viruses to their source on my network. Network sniffers can simplify the process but can still be time consuming. Symantec Client Security, however, identifies the host IP address of any system it finds attempting to infect a client PC, vastly simplifying the tracking process.

Both Cisco Security Agent and Symantec Client Security have the added benefit of preventing spyware and unwanted application pop-ups. These annoyances can be as bad as or worse than many virus infections.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.