Antivirus Defense-in-Depth Guide

Chapter 1: Introduction

Published: May 20, 2004 | Updated: August 25, 2004

Although many organizations have deployed antivirus software, new viruses, worms, and other forms of malware (malicious software) continue to rapidly infect large numbers of computer systems. There is no single reason for this apparent contradiction, but fundamental trends are apparent from feedback Microsoft has received from IT professionals and security staff in organizations whose systems have been infected, including such comments as:

"The user executed the attachment from their e-mail even though we've told them again and again that they aren't supposed to..."

"The antivirus software should have caught this, but the signature for this virus hadn't been installed yet."

"This never should have made it through our firewall; we didn't even realize those ports could be attacked."

"We didn't know our servers needed to be patched."

The success of recent attacks illustrates that the standard approach of deploying antivirus software to each computer in your organization may not be sufficient. Recent outbreaks have spread with alarming speed, faster than the software industry's ability to detect, identify, and deliver antivirus tools that are capable of protecting against attack. The techniques demonstrated by the latest forms of malware have also become substantially more advanced, enabling the most recent outbreaks to evade detection and propagate. These techniques include:

Social engineering. Many attacks attempt to appear as if they originated from a system administrator or official service, increasing the likelihood that end users will execute them and infect their systems.

Backdoor creation. The majority of recent outbreaks have attempted to open some form of unauthorized access to already infected systems, enabling a hacker to repeatedly access the systems. This repeated access is used to infect systems with new malware, using them as "zombies" in coordinated denial of service attacks, or to run any code a hacker may wish to run.

E-mail address theft. Malware programs harvest e-mail addresses from infected systems and use them to forward themselves to other victims; malware authors may also collect these addresses. The authors can then use the addresses to send new malware variants, barter them with other malware authors for tools or virus source code, or sell them to others interested in using them to produce spam mail.

Embedded e-mail engines. E-mail is the primary means for malware propagation. Many forms of malware now embed an e-mail engine to enable the malicious code to propagate much more quickly and with less likelihood of creating unusual activity that can be easily detected. Illicit mass-mailers now exploit backdoors in infected systems to capitalize on these opportunities to use such e-mail engines. As a result, it is believed the majority of spam produced last year was sent via such infected systems.

Exploiting product vulnerabilities. Malware is capitalizing more frequently on product vulnerabilities to propagate, which enables the malicious code to spread much faster.

Exploiting new Internet technologies. As new Internet tools become available, malware authors quickly examine them to determine how they might exploit them. Recently, Instant Messaging and peer-to-peer (P2P) networks have become attack vectors for such efforts.

These malware terms and techniques are discussed in detail in the following chapters of this guide.

Microsoft remains strongly committed to securing the applications that it produces and to working with the company's partners to combat malware threats. Recent Microsoft efforts to reduce the impact of these threats include:

Working closely with antivirus vendors to form the Virus Information Alliance (VIA). Alliance members exchange technical information about newly discovered malware so they can quickly communicate target, impact, and remediation information to customers. For more information about VIA, see the Virus Information Alliance (VIA) page on Microsoft TechNet at: http://www.microsoft.com/technet/security/alerts/info/via.mspx.

Researching new security technologies such as Active Protection Technology and Dynamic System Protection to help secure the Microsoft Windows platform. For more information about these efforts, see Bill Gates' Remarks at the RSA Conference 2004 on Microsoft.com at:
http://www.microsoft.com/billgates/speeches/2004/02-24rsa.asp.

Releasing Windows XP Service Pack 2 with advanced security technologies to help protect your PC against hackers, viruses and worms. For more information on this release, see Get Ready: Windows XP Service Pack 2 on Microsoft.com at:
http://www.microsoft.com/windowsxp/default.mspx

Supporting legislation to eliminate spam and working with law enforcement officials and Internet service providers (ISPs) to help prosecute spam operations. For information about an alliance dedicated to this effort, see America Online, Microsoft and Yahoo! Join Forces Against Spam on Microsoft.com at: http://www.microsoft.com/presspass/press/2003/apr03/04-28JoinForcesAntispamPR.mspx.

Announcing the Antivirus Reward Program and working closely with law enforcement agencies to reduce these threats from malware authors. For more information about the Antivirus Reward Program, see the Microsoft Announces Antivirus Reward Program page on Microsoft.com at: http://www.microsoft.com/presspass/press/2003/nov03/11-05AntiVirusRewardsPR.mspx.

Microsoft has produced this security guidance to help you identify all the points in your infrastructure where you should consider implementing antivirus defenses. Information on how to remedy and recover from an infection if one occurs in your environment is also provided.

Overview

The Antivirus Defense-in-Depth Guide is composed of the following chapters:

Chapter 1: Introduction

This chapter presents a brief introduction to the guide, touches on malware terms and techniques, and includes an overview of each chapter and its intended audience.

Chapter 2: Malware Threats

This chapter defines a variety of malware and specifies what types of programs are included — and not included — in this category. Information about malware characteristics, attack vectors, and means of propagation also is provided.

Chapter 3: Antivirus Defense in Depth

This chapter details considerations Microsoft recommends to establish a comprehensive antivirus defense for your clients, servers, and network infrastructure. User policies and other general security measures that Microsoft also recommends considering for your overall security planning are also discussed.

Chapter 4: Outbreak Control and Recovery

This chapter provides a step-by-step approach to resolving malware attacks, and then recovering from them based on industry best practices and internal operations at Microsoft.

Audience

This guide is primarily intended to help IT and security staff better understand the threats that malware poses, as well as how to defend against these threats, and respond quickly and appropriately when malware attacks occur.

While this guidance details considerations for antivirus defense that cover a wide variety of clients and servers, it is also applicable to organizations that run their entire business on a single server. Each of the defense considerations is intended to protect your environment against a threat posed by some type of malware attack, which makes them relevant to organizations of any size. Some of the recommended measures, such as systems monitoring and management, may go beyond the scope or needs of some organizations. However, the team that produced this guide firmly believes that it is in your interest to carefully review them nonetheless, to better understand the nature of the risks that malware poses to computer systems around the world today.

Style Conventions Used in This Guide

The following table notes the style conventions that are used in The Antivirus Defense-in-Depth Guide.

Table 1.1: Style Conventions

Element    Meaning

Bold

File names and user interface elements appear in bold.

Italic
- or -
<Italic>

Italic is applied to characters that the user types and may choose to change. Italic characters that appear within angled brackets represent variable placeholders where the user must supply specific values. Example:

 <Filename.ext> indicates that you should replace the italicized
 filename.ext with another filename that is appropriate for your
 configuration.

Italic is also used to represent new terms. Example:

 Digital identity — The unique identifier and descriptive attributes of
 a person, group, device, or service.

Screen Text font

This font defines output text that displays on the screen.

Monospace code font

This font is used to define code samples. Example:
 public override void Install(IDictionary savedState)

Monospace command font

This font is used to define commands, switches, and attributes the user types at a command prompt. Example:
 At the command prompt, type the following:
 CScript SetUrlAuth.vbs

%SystemRoot%

The folder in which the Windows operating system is installed.

Note

Alerts the reader to supplementary information.

Important

Alerts the reader to supplementary information that is essential to complete a task.

Caution

Alerts the reader that failure to take or avoid a specific action could result in the loss of data.

Warning

Alerts the reader that failure to take or avoid a specific action could result in physical harm to the user or hardware.
