Newsgroups: comp.sys.novell
Path: utzoo!utgpu!news-server.csri.toronto.edu!torsqnt!jtsv16!blister!itcyyz!xrtll!silver
From: silver@xrtll (Hi Ho Silver)
Subject: Re: Network Viruses
Reply-To: silver@xrtll.UUCP (Hi Ho Silver)
Organization: What you won't find on my desk.
Date: Sat, 25 May 91 23:58:08 GMT
Message-ID: <1991May25.235808.18841@xrtll>
Keywords: viruses
References: <1991May22.171859.12004@linus.mitre.org>
Sender:  Hi Ho Silver (Your Most Original Fantasy) 

Sayeth edelheit@smiley.uucp (Jeff Edelheit):
$While issues related to viruses on stand-alone PCs are relatively
$well understood (e.g., how to prevent, detect, fix), I'm at a loss
$when it comes to specifics about what to do with respect to viruses on
$PC LANs.  Specifically, what steps should be taken with respect to
$preventing the inadvertent insertion of a virus on a Novell server,
$how does one scan a NetWare volume (or disk) to determine if a virus
$is present, and how does one disinfect a NetWare volume or disk?

Preventing infection
--------------------
   I've found the best prevention method is to have tight security on
the network.  Ensure that users only have the minimum required access
to all executables (for example, SYS:PUBLIC should not allow anything
beyond ROS (286) or equivalent).  For applications, the same applies.
Network-aware applications may require access to some directory for
storing configuration files; if at all possible, make this a separate
subdirectory so that the application itself can be read-only.  Word
Perfect and Harvard Graphics, for example, allow you to specify where
the configuration files are kept, so the application directory itself
can be read-only.

   Following the above steps will make sure that none of the NetWare
utilities and applications get infected, and that will severely limit
the number of files exposed to viral infection.  One network at a client
of our company's had incredibly lax security - all users, basically, had
full access to all directories, including SYS:LOGIN.  Needless to say,
LOGIN.EXE became infected, and the virus then spread very quickly onto
everyone's hard drives.  After we disinfected them, they rapidly tightened
up their security.

   In summary, the same measures which improve security from the
viewpoint of preventing unauthorized access will also serve you quite
well in preventing a virus from infecting your network.

   I suppose you can also use an active solution such as McAfee's VSHIELD,
although I personally think this is overkill in all but the highest-risk
situations.  Note that you will probably have to load this _after_ your
network shell, or else network redirection may take effect before the
shield program has a chance to detect anything.

Detecting infection
-------------------
   I use McAfee's NETSCAN for this; it's the network version of his SCAN
software.  The latest version I have is V77, released in late April.
It's available on many BBS systems, or you can get it directly from
McAfee's Homebase BBS at (408) 988-4004 (2400 bps), (408) 988-5138 (HST,
MNP2), or (408) 988-5190 (V.32, MNP5).  It's shareware, so register
it if you use it.

   There are other scanners that will work on networks; Central Point
Software has one that's supposed to do so.  There are probably other
shareware scanners that work on networks as well.

Disinfecting
------------
   McAfee's CLEAN program works on networks; that's how I cleaned up
the aforementioned infection.  I would imagine that Central Point's
software will also disinfect a network; ditto for some other shareware
packages.

   Hope this all helps ... you may also find something of interest in
the comp.virus newsgroup, though I've never been terribly thrilled by
what I've found there.
-- 
.--------------------------------------.nexus.yorku.edu!xrtll!silver
|Silver, perpetually searching for SNTF|----------------------------
`--------------------------------------'a vaguely phallic .signature
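
The rule from "Preventing infection" above (directories holding executables grant nothing beyond ROS, with configuration files kept in a separate writable subdirectory), as an added example that is not part of the original post. The input line format, directory names and trustee names are constructed for illustration and are not the output of any NetWare utility.

```python
# Added example: audit trustee assignments against the post's rule that
# directories holding executables grant nothing beyond Read/Open/Search.
ALLOWED_ON_EXECUTABLES = set("ROS")   # "ROS (286)" from the post
ALL_RIGHTS = set("RWOCDPSM")          # the eight NetWare 286 rights letters

# Constructed sample input (hypothetical format, one assignment per line).
SAMPLE = """\
# directory            trustee    rights   holds-executables
SYS:LOGIN              EVERYONE   RWOCDPSM yes
SYS:PUBLIC             EVERYONE   ROS      yes
SYS:APPS/WP            EVERYONE   ROS      yes
SYS:APPS/WP/CONFIG     EVERYONE   RWOCDS   no
SYS:APPS/HG            STAFF      RWOCS    yes
"""

def parse(text):
    """Yield (directory, trustee, rights_set, holds_executables) per line."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(fields)}")
        directory, trustee, rights, flag = fields
        rights = set(rights.upper())
        unknown = rights - ALL_RIGHTS
        if unknown:
            raise ValueError(f"line {n}: unknown rights {sorted(unknown)}")
        yield directory, trustee, rights, flag.lower() == "yes"

def audit(text):
    """Return (directory, trustee, excess_rights) for each violation."""
    findings = []
    for directory, trustee, rights, holds_exe in parse(text):
        excess = rights - ALLOWED_ON_EXECUTABLES
        # Writable config subdirectories are fine; executable ones are not.
        if holds_exe and excess:
            findings.append((directory, trustee, "".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for directory, trustee, excess in audit(SAMPLE):
        print(f"{directory}: {trustee} holds {excess} beyond ROS")
```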
