Improving Virus Protection at Kent State University
(Prepared by Joe Aulino. Distributed at UCT Oct. 31, 2003)

For the purpose of this document, the term virus will be used generically to mean any piece of software that is loaded onto your computer without your knowledge and runs against your wishes. This very general use of the term virus is meant to cover viruses, worms, Trojan horses and other computer infestations.

1. How does KSU currently provide virus protection?
a. Information Services provides licenses for virus protection software for every faculty member, staff member and student.
b. Updates to the virus software are made available as soon as they are available from the vendor.
c. All e-mail sent to kent.edu or Lotus Notes is scanned for viruses before being delivered.
d. The Kent Network Users Group (KNUG), as a group and as a listserv, is very active in sharing information among technical staff across the University. This helps to raise awareness and often stops viruses before they become problems.
e. Some systems administrators across the University have also invested in their own virus protection systems to further protect resources under their control.

2. Have there been times when Kent State's approach to virus protection failed?
Yes. Three incidents have happened over the last year where virus protection failed in substantial ways. A brief description of each follows:
a. SQL Slammer virus: This virus hit the campus last spring. It caused unprotected servers running SQL Server software to flood our network with traffic and brought the network down for approximately 1.5 days.
b. RPC virus: This virus hit the campus last week. While Network Services took fast action to contain the virus, technical staff had to clean numerous infected computers across campus.
c. Sobig virus: This virus hit on Tuesday, August 19th. Updated virus protection was not available from the vendors until approximately 4 hours after the virus had infected our computers.
E-mail delivery was delayed (in some cases over 24 hours), but no e-mail was lost and the backlog was cleared by August 20.

3. What is the cost of these failures?
a. Lost productivity by faculty, staff and students represents the greatest share of the cost and is immeasurable. Some more direct costs follow.
b. SQL Slammer:
i. Lost use of the network for 1.5 days
ii. Roughly 98 hours of IS staff time
iii. Numerous hours of LAN Admin staff time
c. RPC virus:
i. Lost use of numerous desktop PCs
ii. Roughly 84 hours of IS staff time
iii. Numerous hours of LAN Admin staff time
d. Sobig virus:
i. Lost use of numerous desktop PCs
ii. Delays of 24 to 48 hours in delivering e-mail (Lotus Notes to Lotus Notes e-mails were not impacted)
iii. Roughly 60 hours of IS staff time
iv. Numerous hours of LAN Admin staff time
The bottom line: these outbreaks are disruptive, costly in the man-hours needed for correction, costly in lost productivity, and they degrade the ability of IS to provide support for mission-critical activities and

4. Are there any themes or patterns in the causes of these outbreaks?
There are two areas that particularly raise Kent State's risk. The first is unprotected computers. In the case of Sobig, the virus moved too quickly (at the time it was the fastest-spreading virus yet seen) for the protection software to keep pace, but this is the exception. Unprotected servers and computers were definitely the problem in the SQL Slammer and RPC attacks. Second, the number of e-mail servers on campus presents the University with a very large risk. E-mail servers, particularly if unprotected, present the simplest way to infect the most computers in the shortest amount of time. This was evident in the Sobig attack.

5. How does IS recommend addressing these issues in the short term?
a. The kent.edu and Lotus Notes e-mail servers should no longer accept certain types of e-mail attachments. A list of these attachment types appears at the end. There are ways that users needing to send or receive these attachments can safely do so (this is also explained in detail at the end). Information Services is proposing that this be implemented no later than September 15, 2003.
b. All e-mail should be routed through smtp.kent.edu. This will ensure that all e-mail is virus checked and that the majority of spam is eliminated. This does not preclude units from running their own e-mail servers or from running their own e-mail virus scans.
Information Services is proposing that this be implemented no later than November 15, 2003. This time is necessary to increase the processing power of the existing mail relays.

6. Why eliminate certain types of e-mail attachments?
E-mail attachments are the most common method used to deliver viruses to desktop computers. Viruses rely on these attachment types because they allow the virus's program to launch automatically and infect the target machine. This relatively simple recommendation will stop many viruses from ever reaching a computer. Again, for those who need to send or receive such attachments, the last page explains two methods for doing so.

7. Won't those sending viruses just move to different attachment types?
Of course this is possible and in some cases likely. However, a virus needs a file type that is able to execute a command on your computer. This limits the choices that virus purveyors have, and it makes this approach very robust.

8. What will happen to the e-mails with the offending attachments?
The e-mails will be delivered as addressed. However, the attachment will be deleted from the e-mail. The recipient can then contact the sender and request that the attachment be modified in a way that lets it arrive safely.

9. Does e-mail have to be routed through IS servers if sufficient virus protection is in place on local e-mail servers?
No. If local e-mail servers have sufficient and appropriate virus and spam protection in place, e-mail does not have to be routed through IS servers. However, e-mail administrators will have to contact IS (Greg Seibert, gregs@kent.edu) and arrange for an audit of their systems if they wish to take advantage of this exception. IS will evaluate these requests on a case-by-case basis. Exceptions will be granted if the e-mail server is sufficiently protected, if the e-mail server removes attachments per the list at the end of this document, and if the unit has sufficient dedicated resources to maintain an appropriate level of protection. Exceptions will be revoked if systems fail to maintain adequate virus protection or the resources to support the e-mail server. Given the risk to the University, IS will err on the side of not granting exceptions.

10. What does IS recommend in the longer term to address these issues?
a. Establishing a patch server (or servers) at Kent State. This patch server would house the latest patches for operating systems and applications to protect computers against viruses.
Ideally, these patches would be pushed onto computers connected to the Kent State network. How to run and maintain such a server, the issues associated with pushing fixes onto computers, and other policy issues will have to be addressed as this moves forward. IS will take a collaborative approach and work with all divisions in developing and implementing this idea.
b. Providing Active Directory services to all faculty, students and staff. This will simplify the task of getting patches and virus protection out, particularly in short-notice situations. Again, a University-wide, collaboratively developed plan will be necessary to make this a success.
11. When do the long-term solutions need to be in place?
The long-term solutions should be in place as quickly as possible. But there are technical, process and policy issues to be evaluated and addressed before we can move forward. To help hasten this, IS is working on a pilot project to test these technologies.
Attachment Extensions to Be Removed from E-Mails
E-mail containing attachments with these extensions will have the attachments removed and then be delivered. (A pattern such as .vb[es] stands for each of the bracketed letters in turn: .vbe and .vbs.)

.ade   Microsoft Access project extension
.adp   Microsoft Access project
.bas   Microsoft Visual Basic class module
.bat   Batch file
.chm   Compiled HTML Help file
.class Java bytecode file
.cmd   Microsoft Windows NT command script
.com   Microsoft MS-DOS program
.cpl   Windows Control Panel extension
.crt   Security certificate
.exe   Program
.hlp   Help file
.hta   HTML application
.inf   Setup information
.ins   Internet Naming Service
.isp   Internet Communication settings
.jar   Java archive
.js    JavaScript file
.jse   JavaScript encoded script file
.jsp   HTML-Java link
.[xl]nk   Windows (.lnk) and Microsoft Exchange (.xnk) shortcuts
.ma[dfgmqrstvw]   Microsoft Access shortcuts
.mdb   Microsoft Access program
.mde   Microsoft Access MDE database
.mhtml Eudora metarefresh
.msc   Microsoft Common Console document
.msi   Microsoft Windows Installer package
.msp   Microsoft Windows Installer patch
.mst   Microsoft Visual Test source files
.pcd   Microsoft Visual compiled script
.pif   Shortcut to MS-DOS program
.reg   Registration entries
.scf   Windows Explorer command
.scr   Screen saver
.sct   Windows Script Component
.sh[bs]   Shell scrap object
.url   URL
.vb, .vb[es]   Visual Basic scripts
.ws[cfh]   Windows Script

If You Need to Send or Receive an E-Mail with One of These Attachment Types
There are two options:
1. Change (or have the sender change) the extension of the attachment to a name that is not restricted. At the receiving end, the extension can be changed back. For instance, a file named test.scr could be renamed test.sss and then renamed back to test.scr upon receipt.
2. Put the file in a zip archive and then attach it. Zip files will go through with no problem.
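As an added example (not code from this document, from Kent State or from Information Services), the following Python filter applies the rule in section 8 to the extension list above: it expands the page's bracket notation into plain extensions, walks a MIME message, deletes each attachment whose declared filename ends in a blocked extension, and delivers the rest with a short notice in the attachment's place. The reading of the list's .[xl]xnk entry as .lnk and .xnk, the notice wording and the sample message are this example's own assumptions. Note what the check does and does not do: it inspects only the sender-declared filename, so the two workarounds described above (renaming test.scr to test.sss, or zipping the file) pass straight through. That is the intended behaviour, but it also means the filter is an extension check, not a substitute for the virus scanning in section 5.

```python
# Added illustration of the rule in section 8 (deliver the message, delete the
# offending attachment) applied to the extension list above.  Not Kent State's
# or Information Services' code; the sample message is constructed here.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The list in the page's own notation: "[abc]" stands for any one of the
# enclosed letters, so .vb[es] covers .vbe and .vbs.  ".[xl]nk" is this
# example's reading of the page's ".[xl]xnk" entry (.lnk and .xnk shortcuts).
BLOCKED_PATTERNS = """
.ade .adp .bas .bat .chm .class .cmd .com .cpl .crt .exe .hlp .hta .inf
.ins .isp .jar .js .jse .jsp .mdb .mde .mhtml .msc .msi .msp .mst .pcd
.pif .reg .scf .scr .sct .sh[bs] .url .vb .vb[es] .[xl]nk .ws[cfh]
.ma[dfgmqrstvw]
""".split()

def expand_pattern(pattern):
    """Expand one bracket pattern into the plain extensions it denotes."""
    results = [""]
    i = 0
    while i < len(pattern):
        if pattern[i] == "[":
            close = pattern.index("]", i)
            results = [p + ch for p in results for ch in pattern[i + 1:close]]
            i = close + 1
        else:
            results = [p + pattern[i] for p in results]
            i += 1
    return results

BLOCKED_EXTENSIONS = frozenset(
    ext.lower() for pat in BLOCKED_PATTERNS for ext in expand_pattern(pat))

def is_blocked(filename):
    """True if the sender-declared filename's last extension is on the list.
    Only the final extension counts, so test.sss and test.zip pass (the page's
    two workarounds); case-insensitive, as Windows treats TEST.SCR as test.scr."""
    if not filename or "." not in filename:
        return False
    return "." + filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS

def _removal_notice(filename):
    """Text part that takes the place of a removed attachment (assumed wording)."""
    notice = EmailMessage()
    notice.set_content(f"The attachment {filename!r} was removed by the mail "
                       "gateway because its file type is restricted. Ask the "
                       "sender to rename it or send it inside a zip archive.")
    return notice

def strip_blocked_attachments(msg, removed=None):
    """Replace blocked attachments in place; return the removed filenames.
    Recurses into nested multipart containers so nothing hides one level down."""
    if removed is None:
        removed = []
    if msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            name = part.get_filename()
            if is_blocked(name):
                removed.append(name)
                kept.append(_removal_notice(name))
            else:
                strip_blocked_attachments(part, removed)
                kept.append(part)
        msg.set_payload(kept)
    return removed

def filter_raw_message(raw):
    """Gateway entry point: raw message bytes in, cleaned bytes and log out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = strip_blocked_attachments(msg)
    return msg.as_bytes(), removed

def attachment_names(raw):
    """Declared filenames of a raw message's top-level parts (None = unnamed)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [part.get_filename() for part in msg.iter_parts()]

def build_sample_message():
    """Constructed sample: one blocked and three permitted attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.edu", "recipient@kent.edu"
    msg["Subject"] = "Constructed sample for the attachment filter"
    msg.set_content("Body text; the attachment contents are made-up bytes.")
    for data, subtype, name in [(b"MZ\x90\x00fake", "octet-stream", "photos.SCR"),
                                (b"MZ\x90\x00fake", "octet-stream", "test.sss"),
                                (b"PK\x03\x04fake", "zip", "test.zip")]:
        msg.add_attachment(data, maintype="application", subtype=subtype,
                           filename=name)
    msg.add_attachment("plain notes\n", subtype="plain", filename="notes.txt")
    return msg

if __name__ == "__main__":
    cleaned, log = filter_raw_message(build_sample_message().as_bytes())
    print("removed:", log)
    print(cleaned.decode("ascii", "replace"))
```

Run the file directly to see the cleaned message: photos.SCR is replaced by the notice while test.sss, test.zip and notes.txt are delivered untouched. On a relay, filter_raw_message would sit in the content-filter path and the returned list would go to the relay's log, which is also where a unit seeking the section 9 exception could show that its own server enforces the same list.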