Newsgroups: comp.sys.novell
Path: utzoo!utgpu!news-server.csri.toronto.edu!torsqnt!jtsv16!blister!itcyyz!xrtll!silver
From: silver@xrtll (Hi Ho Silver)
Subject: Re: Network Viruses
Reply-To: silver@xrtll.UUCP (Hi Ho Silver)
Organization: What you won't find on my desk.
Date: Sat, 25 May 91 23:58:08 GMT
Message-ID: <1991May25.235808.18841@xrtll>
Keywords: viruses
References: <1991May22.171859.12004@linus.mitre.org>
Sender: Hi Ho Silver (Your Most Original Fantasy)

Sayeth edelheit@smiley.uucp (Jeff Edelheit):
$While issues related to viruses on stand-alone PC's are relatively
$well understood (e.g., how to prevent, detect, fix), I'm at a loss
$when it comes to specifics about what to do with respect to viruses on
$PC lans. Specifically, what steps should be taken with respect to
$preventing the inadvertent insertion of a virus on a Novell server,
$how does one scan a NetWare volume (or disk) to determine if a virus
$is present, and how does one disinfect a NetWare volume or disk?

Preventing infection
--------------------

I've found the best prevention method is to have tight security on the network. Ensure that users only have the minimum required access to all executables (for example, SYS:PUBLIC should not allow anything beyond ROS (286) or equivalent).

For applications, the same applies. Network-aware applications may require access to some directory for storing configuration files; if at all possible, make this a separate subdirectory so that the application itself can be read-only. Word Perfect and Harvard Graphics, for example, allow you to specify where the configuration files are kept, so the application directory itself can be read-only.

Following the above steps will make sure that none of the NetWare utilities and applications get infected, and that will severely limit the number of files exposed to viral infection.

One network at a client of our company's had incredibly lax security - all users, basically, had full access to all directories, including SYS:LOGIN. Needless to say, LOGIN.EXE became infected, and the virus then spread very quickly onto everyone's hard drives. After we disinfected them, they rapidly tightened up their security.

In summary, the same measures which improve security from the viewpoint of preventing unauthorized access will also serve you quite well in preventing a virus from infecting your network.

I suppose you can also use an active solution such as McAfee's VSHIELD, although I personally think this is overkill in all but the highest-risk situations. Note that you will probably have to load this _after_ your network shell, or else network redirection may take effect before the shield program has a chance to detect anything.

Detecting infection
-------------------

I use McAfee's NETSCAN for this; it's the network version of his SCAN software. The latest version I have is V77, released in late April. It's available on many BBS systems, or you can get it directly from McAfee's Homebase BBS at (408) 988-4004 (2400 bps), (408) 988-5138 (HST, MNP2), or (408) 988-5190 (V.32, MNP5). It's shareware, so register it if you use it.

There are other scanners that will work on networks; Central Point Software has one that's supposed to do so. There are probably other shareware scanners that work on networks as well.

Disinfecting
------------

McAfee's CLEAN program works on networks; that's how I cleaned up the aforementioned infection. I would imagine that Central Point's software will also disinfect a network; ditto for some other shareware packages.

Hope this all helps ... you may also find something of interest in the comp.virus newsgroup, though I've never been terribly thrilled by what I've found there.

--
.--------------------------------------.nexus.yorku.edu!xrtll!silver
|Silver, perpetually searching for SNTF|----------------------------
`--------------------------------------'a vaguely phallic .signature
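
An added example, not part of the original post: a small audit that flags executable directories where users hold more than the R/O/S rights the post recommends, including the lax SYS:LOGIN case it describes. It assumes a simplified model of NetWare 286 rights (letters RWOCDPSM, trustee assignments inherited by subdirectories until reassigned, then limited by each directory's maximum rights mask); the directory names other than SYS:LOGIN and SYS:PUBLIC, the "/" path separator and all sample data are constructed.

```python
# Added example: simplified model of NetWare 286 rights (an assumption, not Novell code).
READ_ONLY = set("ROS")         # ceiling the post recommends for executable directories
ALL_RIGHTS = set("RWOCDPSM")   # Read Write Open Create Delete Parental Search Modify

def parents(path):
    """Yield path, then each ancestor: SYS:APPS/WP, then SYS:APPS, then SYS:"""
    vol, _, rest = path.partition(":")
    parts = [p for p in rest.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield vol + ":" + "/".join(parts[:i])

def effective_rights(path, trustee, masks):
    """Nearest trustee assignment at or above path, limited by the directory's own mask."""
    granted = next((set(trustee[p]) for p in parents(path) if p in trustee), set())
    return granted & set(masks.get(path, ALL_RIGHTS))

def audit(exec_dirs, trustee, masks):
    """Return {directory: excess rights} for executable directories above R/O/S."""
    findings = {}
    for d in exec_dirs:
        excess = effective_rights(d, trustee, masks) - READ_ONLY
        if excess:
            findings[d] = "".join(sorted(excess))
    return findings

# Constructed sample data: trustee assignments for the group all users belong to.
TRUSTEE = {
    "SYS:LOGIN": "RWOCDPSM",       # the lax setup described in the post
    "SYS:PUBLIC": "ROS",
    "SYS:APPS": "RWOCDSM",         # broad grant inherited by subdirectories
    "SYS:APPS/WP": "ROS",          # application directory reassigned read-only
    "SYS:APPS/WP/CFG": "RWOCDSM",  # separate writable directory for config files
}
MASKS = {"SYS:APPS/HG": "ROS"}     # maximum rights mask caps the inherited grant
EXEC_DIRS = ["SYS:LOGIN", "SYS:PUBLIC", "SYS:APPS/WP", "SYS:APPS/HG", "SYS:APPS/DB"]

if __name__ == "__main__":
    for d, excess in audit(EXEC_DIRS, TRUSTEE, MASKS).items():
        print(f"{d}: users hold {excess} beyond ROS")
```

The model ignores security equivalences and per-user assignments, so treat its output as a first pass over exported rights rather than a statement of a real server's effective rights.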