Virus Protection in University of Windsor

Virus Protection in University of Windsor Kelvin Hwang Client Support and Services ITS December 3, 2004

Upload: zhen

Post on 09-Jan-2016


Page 1: Virus Protection in  University of Windsor

Virus Protection in University of Windsor

Kelvin Hwang
Client Support and Services, ITS

December 3, 2004

1. Worldwide Impact of Viruses

Year  Virus Name  Worldwide Financial Impact
2003  SoBig.F     $1.1 billion
2003  Nachi       $500 million
2003  Blaster     $400 million
2003  Slammer     $1.25 billion
2002  Badtrans    $400 million
2002  BugBear     $500 billion

Source: Computer Economics, 2002-2003

2. Current Virus Statistics on Campus

Servers (per day)
- Normal: Total 50 – 80 viruses
- Virus Outbreak: Over 2,000 viruses

Work Stations
- Monthly Infected clients:
  Normal: 150 – 400
  Virus Outbreak: Over 600
- Quarantined Viruses
  Normal: 200 – 400 viruses per day
  Virus Outbreak: Over 10,000 within 1 hour

3. Reaction in ITS

- Virus Protection Task Force was formed in October 2001 to determine campus-wide virus protection for servers and workstations
- Trend Micro Incorporated was selected
- First Virus Information Server was set up in 2002
- Current Virus Information Server was upgraded in March 2004 (H/W & O/S)
- PC-cillin available to faculty and staff in 2002
- ServerProtect and OfficeScan were upgraded in September 2000

4. Current Products & Supports

- ScanMail for Domino Servers (V 3.0)
- ServerProtect (V 5.58)
  - 7 Novell Servers
  - 18 Windows Servers
- OfficeScan (V6.5)
  - 15 Windows Servers
  - 2000 Work Stations
- PC-cillin Internet Security 2004
  - Laptops
  - Students, Faculty and Staff home PCs

5. ServerProtect Architecture

[Diagram labels: TCP/IP Protocol; Virus Information Server; ServerProtect; U of W Firewall; Novell Domain (IPX/SPX/IP); Windows Domain (TCP/IP/RPC)]

IPX: Internetwork Packet Exchange
SPX: Sequenced Packet Exchange
RPC: Remote Procedure Call

6. Major Configurations

- Download: Pattern Version, Scan Engine, etc. from Trend Micro Active Update Server every hour
- Deploy updates to servers at 01:00 AM every day
- Scan Options:
  - Real-Time Scan: On
  - Manual Scan: By Administrator
  - Task Scan: Every Friday 02:00 AM
- Virus Handling:
  - All files less than 2 MB
  - Cleanable … Clean
  - Not cleanable … Quarantine in local

7. ServerProtect Control Console Example

8. OfficeScan Architecture

[Diagram labels: TCP/IP Protocol; Virus Information Server; OfficeScan; U of W Firewall; IP/RPC; IP/RPC]

9. Major Configurations

- Updates: Check updates from Trend Micro every hour
- Client Deployment: Auto & Manual update
- Scan Options:
  - Real-Time Scan: On
  - Manual Scan & Schedule Scan: By users
- Virus Handling: Clean and Quarantine
- Outbreak Prevention:
  - Block shared folders
  - Block ports
  - Deny write files and folders

10. OfficeScan Control Console Example 1

11. OfficeScan Control Console Example 2

12. OfficeScan Client Example

13. PC-cillin 2004 Architecture

[Diagram labels: Trend Micro Active Update Server; TCP/IP Protocol (labelled twice)]

14. PC-cillin Example

15. Current Limitations

OfficeScan for Workstations
Purpose: Increase Virus Protection at Client Level
Limitations:
- Some clients disable or unload virus protections
- Not all components are always up-to-date
- Laptops owned by students, faculty, staff, or contractors may not have virus protection software
- Lacks management oversight if desktop virus protection is not managed by the Trend Micro management tool

ScanMail & ServerProtect for Mail Servers and other servers
Purpose: Increase Virus Protection at Server Level
Limitations:
- Virus infections via non-centralized servers cannot be detected
- Students and employees can still download infected files from other Webmails

* Viruses can pass firewall looking for possible hosts. (No protections at firewall level)

16. Virus Evolution

Threats increasingly migrating to server and gateway

- 1997-1998: Diskettes
- 1999-2000: Email (Bubbleboy, Melissa, LoveLetter)
- 2001-2002: Web/Email (Code Red, Nimda, Goner)

17. Other Threats

18. Enforce Protections

Virus protection at firewall level needs to be improved

Other protections are required (Ad-ware, Spy-ware, Intruders)

Questions & Comments?

Appendix

[Flowchart nodes: Start; Malicious Purpose?; Code Replicates?; Infects a carrier to replicate?; End. Outcomes: Not a Malware; Virus; Trojan Horse; Worm. Branches are labelled Y / N.]