[comp.sys.novell] Network Viruses

edelheit@smiley.uucp (Jeff Edelheit) (05/23/91)

While issues related to viruses on stand-alone PC's are relatively
well understood (e.g., how to prevent, detect, fix), I'm at a loss
when it comes to specifics about what to do with respect to viruses on
PC lans.  Specifically, what steps should be taken with respect to
preventing the inadvertent insertion of a virus on a Novell server,
how does one scan a NetWare volume (or disk) to determine if a virus
is present, and how does one disinfect a NetWare volume or disk?

My question is applicable to both the 286 and 386 NetWare products.
I'd appreciate any information folks may have to pass on.  If you are
unwilling to post to the entire newsgroup, please just respond to me.
If I get a significant number of direct responses, I'll summarize the
results for the newsgroup (I'll keep the direct respondent's names
out of my summary.)

Thanks in advance.

Jeff Edelheit           email:  edelheit@smiley.mitre.org
The MITRE Corporation   voice:  (703) 883-7586
7525 Colshire Drive     FAX:    (703) 883-1397
McLean, VA   22102
 

will@ogre.cica.indiana.edu (William Sadler) (05/23/91)

I am currently using Netscan from McAfee to scan each volume for
viruses.  Here are some other ways to prevent them:

1) write protect boot disks and program disks
2) use virus protection software regularly
3) scan all new software before using 
4) educate your users
5) minimize the number of users with supervisor privileges
6) no one should have write privileges in LOGIN, SYSTEM, and PUBLIC
except Supervisor
7) Use the W and M flags to restrict access.  Flag SRO does not work.
8) Run Netware's SECURITY program
9) Use the ps option with the network shells on boot up so that
each user attaches to the correct server.
10) back up your server regularly

Some symptoms are disappearing disk space, disappearing files, files
increasing in size on their own, slow programs, out of memory errors,
increased disk activity, users unable to login, and other strange 
behaviour.

Thanks to Steve Gribble here at IU for providing most of this information
after having experienced a Jerusalem-B infection first hand.

Will


--
***************************************************************************
*   _______________\|/_      Will Sadler     will@cica.indiana.edu        * 
*   Laser 44888    /|\                       sadler@iubacs.bitnet         *     
***************************************************************************
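Added example (not code from the post above, and not NETSCAN): a baseline-and-compare check that catches the one symptom listed above that a plain scanner can miss on a new strain, executables growing or changing when nobody should be writing them, which is how an appending file infector like the Jerusalem-B mentioned above shows up. The volume layout, file names, contents and the 1813-byte tail are constructed for the demo; on a real server you would point snapshot() at the drive letter mapped to SYS:, take the baseline from a volume you have already scanned clean, and keep the baseline file somewhere users have no write access.

```python
"""Baseline-and-compare integrity check for executables on a volume.

Added example for this thread, not code from either post and not NETSCAN.
It catches only the symptom of files growing or changing when nobody
should be writing them; it is not a signature scanner.  The volume
layout, file names, contents and the 1813-byte tail are constructed
for the demo.
"""
import hashlib
import json
import os
import tempfile

EXEC_SUFFIXES = (".exe", ".com", ".ovl")   # DOS executables and overlays


def snapshot(root):
    """Map each executable under root (path relative to root, with '/'
    separators) to its size and SHA-256.  The digest only says whether
    the file changed since the baseline, nothing about what is in it."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXEC_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = {"size": len(data),
                           "sha256": hashlib.sha256(data).hexdigest()}
    return result


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (path, verdict[, delta]) for every executable that differs.
    'grown' is the appending-infector signature; 'changed' is any other
    modification; 'new' and 'missing' cover dropped and deleted files."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "new"))
        elif new is None:
            findings.append((rel, "missing"))
        elif old["sha256"] == new["sha256"]:
            continue                       # unchanged
        elif new["size"] > old["size"]:
            findings.append((rel, "grown", new["size"] - old["size"]))
        else:
            findings.append((rel, "changed"))
    return findings


def demo():
    """Build a constructed SYS: tree, baseline it, then simulate an
    appending infection of LOGIN.EXE plus a dropped .COM file."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    os.makedirs(os.path.join(root, "LOGIN"))
    os.makedirs(os.path.join(root, "PUBLIC"))
    with open(os.path.join(root, "LOGIN", "LOGIN.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 4000)   # stand-in, not a real binary
    with open(os.path.join(root, "PUBLIC", "MAP.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 2000)
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline_"),
                                 "sys.json")
    save_baseline(snapshot(root), baseline_file)

    # Appending infector: the original bytes stay, a tail is glued on.
    with open(os.path.join(root, "LOGIN", "LOGIN.EXE"), "ab") as fh:
        fh.write(b"\x90" * 1813)
    with open(os.path.join(root, "PUBLIC", "NEW.COM"), "wb") as fh:
        fh.write(b"\xcd\x20")

    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The check is only as good as the baseline: if the volume was already infected when you took it, every infected file looks "unchanged". Run a scanner first, then baseline, and re-run compare() after every software install so that legitimate updates are re-baselined deliberately rather than silently accepted.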

silver@xrtll (Hi Ho Silver) (05/26/91)

Sayeth edelheit@smiley.uucp (Jeff Edelheit):
$While issues related to viruses on stand-alone PC's are relatively
$well understood (e.g., how to prevent, detect, fix), I'm at a loss
$when it comes to specifics about what to do with respect to viruses on
$PC lans.  Specifically, what steps should be taken with respect to
$preventing the inadvertent insertion of a virus on a Novell server,
$how does one scan a NetWare volume (or disk) to determine if a virus
$is present, and how does one disinfect a NetWare volume or disk?

Preventing infection
--------------------
   I've found the best prevention method is to have tight security on
the network.  Ensure that users only have the minimum required access
to all executables (for example, SYS:PUBLIC should not allow anything
beyond ROS (286) or equivalent).  For applications, the same applies.
Network-aware applications may require access to some directory for
storing configuration files; if at all possible, make this a separate
subdirectory so that the application itself can be read-only.  Word
Perfect and Harvard Graphics, for example, allow you to specify where
the configuration files are kept, so the application directory itself
can be read-only.

   Following the above steps will make sure that none of the NetWare
utilities and applications get infected, and that will severely limit
the number of files exposed to viral infection.  One network at a client
of our company's had incredibly lax security - all users, basically, had
full access to all directories, including SYS:LOGIN.  Needless to say,
LOGIN.EXE became infected, and the virus then spread very quickly onto
everyone's hard drives.  After we disinfected them, they rapidly tightened
up their security.

   In summary, the same measures which improve security from the
viewpoint of preventing unauthorized access will also serve you quite
well in preventing a virus from infecting your network.

   I suppose you can also use an active solution such as McAfee's VSHIELD,
although I personally think this is overkill in all but the highest-risk
situations.  Note that you will probably have to load this _after_ your
network shell, or else network redirection may take effect before the
shield program has a chance to detect anything.

Detecting infection
-------------------
   I use McAfee's NETSCAN for this; it's the network version of his SCAN
software.  The latest version I have is V77, released in late April.
It's available on many BBS systems, or you can get it directly from
McAfee's Homebase BBS at (408) 988-4004 (2400 bps), (408) 988-5138 (HST,
MNP2), or (408) 988-5190 (V.32, MNP5).  It's shareware, so register
it if you use it.

   There are other scanners that will work on networks; Central Point
Software has one that's supposed to do so.  There are probably other
shareware scanners that work on networks as well.

Disinfecting
------------
   McAfee's CLEAN program works on networks; that's how I cleaned up
the aforementioned infection.  I would imagine that Central Point's
software will also disinfect a network; ditto for some other shareware
packages.

   Hope this all helps ... you may also find something of interest in
the comp.virus newsgroup, though I've never been terribly thrilled by
what I've found there.
-- 
.--------------------------------------.nexus.yorku.edu!xrtll!silver
|Silver, perpetually searching for SNTF|----------------------------
`--------------------------------------'a vaguely phallic .signature
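Added example, covering both the "no write privileges in LOGIN, SYSTEM and PUBLIC except Supervisor" rule in Will's list and the "ROS on SYS:PUBLIC, applications read-only with a separate writable config subdirectory" advice in the post above. It is not from either post and not a Novell tool: it audits a list of directory trustee assignments against that policy. The assignment records are a constructed list in a format of my own, not TLIST or RIGHTS output, and the directory names, trustees and rights letters are assumptions for the demo.

```python
"""Audit NetWare directory trustee assignments against the read-only rule
from the thread: apart from Supervisor, nobody needs more than Read, Open
and Search (the 286 letters R, O, S) in SYS:LOGIN, SYS:SYSTEM, SYS:PUBLIC
or an application's program directory, while the application's separate
configuration subdirectory may be writable.

Added example, not from either post and not a Novell tool.  The
assignment records are a constructed list in a format of my own, not
TLIST or RIGHTS output; the directory names, trustees and rights letters
are assumptions made for the demo.
"""

SUPERVISOR = "SUPERVISOR"
# NetWare 286 directory rights: Read, Write, Open, Create, Delete,
# Parental, Search, Modify.
ALL_RIGHTS_286 = frozenset("RWOCDPSM")
READ_ONLY_286 = frozenset("ROS")
# Closest NetWare 386 equivalent is Read plus File Scan (assumption about
# which pair you would substitute; the audit logic is the same).
READ_ONLY_386 = frozenset("RF")


def most_specific_rule(directory, policy):
    """Longest-prefix match so that SYS:APPS/WP/CONFIG can be writable
    while SYS:APPS/WP itself stays read-only.  Returns (prefix, allowed)
    or None when the directory is outside the policy."""
    d = directory.upper().rstrip("/")
    best = None
    for prefix, allowed in policy.items():
        p = prefix.upper().rstrip("/")
        if d == p or d.startswith(p + "/"):
            if best is None or len(p) > len(best[0]):
                best = (p, allowed)
    return best


def audit(assignments, policy):
    """Return (directory, trustee, excess_rights) for every explicit
    assignment that grants a non-Supervisor trustee more than the policy
    allows.  Only explicit assignments are checked; effective rights on
    the server also depend on rights inherited from parent directories
    and on each directory's maximum rights mask."""
    violations = []
    for directory, trustee, rights in assignments:
        if trustee.upper() == SUPERVISOR:
            continue
        rule = most_specific_rule(directory, policy)
        if rule is None:
            continue
        excess = frozenset(rights.upper()) - rule[1]
        if excess:
            violations.append((directory.upper(), trustee.upper(),
                               "".join(sorted(excess))))
    return violations


# Constructed policy: program directories read-only, SYS:SYSTEM closed to
# everyone but Supervisor, the WordPerfect config subdirectory writable.
POLICY = {
    "SYS:LOGIN": READ_ONLY_286,
    "SYS:SYSTEM": frozenset(),
    "SYS:PUBLIC": READ_ONLY_286,
    "SYS:APPS/WP": READ_ONLY_286,
    "SYS:APPS/WP/CONFIG": ALL_RIGHTS_286,
    "SYS:APPS/HG": READ_ONLY_286,
}

# Constructed assignments: (directory, trustee, rights).  The first entry
# is the lax setup described in the thread that let LOGIN.EXE get infected.
ASSIGNMENTS = [
    ("SYS:LOGIN",          "EVERYONE",   "RWOCDPSM"),
    ("SYS:PUBLIC",         "EVERYONE",   "ROS"),
    ("SYS:SYSTEM",         "SUPERVISOR", "RWOCDPSM"),
    ("SYS:APPS/WP",        "WPUSERS",    "RWOS"),
    ("SYS:APPS/WP/CONFIG", "WPUSERS",    "RWOCDS"),
    ("SYS:APPS/HG",        "EVERYONE",   "ROS"),
]


if __name__ == "__main__":
    for directory, trustee, excess in audit(ASSIGNMENTS, POLICY):
        print(f"{directory}: {trustee} has excess rights {excess}")
```

The two hits in the constructed data are the ones the thread warns about: EVERYONE with full rights in SYS:LOGIN, and an application group with Write on the program directory rather than only on its config subdirectory. Because the audit looks at explicit assignments only, pair it with the server's own SECURITY utility (item 8 in Will's list), which reports on effective rights and other account weaknesses.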