The folks over at the SANS Internet Storm Center have a recent diary entry on keeping anti-virus (AV) software up to date. This kind of anti-malware protection typically tries to recognize “evil code” on the basis of a set of heuristics, or by recognizing bit patterns in the code itself (these are sometimes called “signatures”). These elements, especially the signatures, need to be updated as new varieties of malware are created and discovered “in the wild”. (The defender is always, in a sense, trying to catch up, since a new type of malware has to be found and identified as such before a signature can be developed.)
The contributors to the article are all very capable systems administrators, and I think it’s well worth a read, especially if you are responsible for a bunch of PCs. (There are also some comments following the article itself; they are, as usual, sort of a mixed bag.) I’d take away these suggestions from the discussion:
- You may need to schedule AV updates more frequently than your initial instincts suggest (one participant suggests hourly), to account for the fact that the updates will not all run every time they are scheduled. (Machines may be rebooting, or turned off, for example.)
- Because updates are not guaranteed to occur on the advertised schedule, it’s important to measure how up to date your machines actually are — if there are big discrepancies, try to find out why and fix the problem.
- AV software is one layer of defense, but is certainly not a total solution.
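The second bullet is really a measurement problem: what matters is the age of each machine's signature set, not the schedule you configured. The Python below is an added example, not code from the SANS diary or this post; the inventory, host names, timestamps and the 24-hour tolerance are all constructed, and collecting the last-update time from your AV product is assumed to be done elsewhere.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: host -> last successful signature update (UTC),
# or None for a host that has never reported one. All values are made up.
SAMPLE_INVENTORY = {
    "ws-001": "2024-03-05T09:10:00Z",
    "ws-002": "2024-03-05T08:55:00Z",
    "ws-003": "2024-03-03T22:40:00Z",
    "ws-004": None,
    "lab-01": "2024-02-20T07:00:00Z",
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed reference time and tolerance used by the example run below.
NOW = parse_ts("2024-03-05T10:00:00Z")
ONE_DAY = timedelta(hours=24)


def signature_ages(inventory, now):
    """Return {host: timedelta since last update}, None where never updated."""
    return {host: (None if parse_ts(ts) is None else now - parse_ts(ts))
            for host, ts in inventory.items()}


def stale_hosts(inventory, now, max_age):
    """Hosts over max_age or never reported, worst first (never-reported, then oldest)."""
    stale = [(h, a) for h, a in signature_ages(inventory, now).items()
             if a is None or a > max_age]
    stale.sort(key=lambda item: (item[1] is not None,
                                 -item[1].total_seconds() if item[1] else 0))
    return [h for h, _ in stale]


def coverage(inventory, now, max_age):
    """Fraction of hosts within tolerance: the single number worth trending over time."""
    total = len(inventory)
    if total == 0:
        return 0.0
    return (total - len(stale_hosts(inventory, now, max_age))) / total


if __name__ == "__main__":
    ages = signature_ages(SAMPLE_INVENTORY, NOW)
    for host in stale_hosts(SAMPLE_INVENTORY, NOW, ONE_DAY):
        print(f"{host}: {'never updated' if ages[host] is None else ages[host]}")
    print(f"coverage within 24h: {coverage(SAMPLE_INVENTORY, NOW, ONE_DAY):.0%}")
```

Hosts that never report at all are listed first on purpose: a missing update record is the discrepancy most worth chasing, since it usually means the agent is not running rather than merely late.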
Probably the most important advice is this: if a machine has been compromised by malware, it is highly improbable that AV software, or anything else, will be able to clean or repair it. Modern systems, and the malware that attacks them, are so complex that figuring out exactly what has been affected, compromised, or corrupted is effectively impossible. The only reliable recovery method is “nuking from orbit”: wiping the machine’s hard drive(s), and reloading the OS, applications, and data from known clean backup copies. Yes, it is a bloody nuisance, but it’s really the only way to make sure that you have a clean system.