The State of Security 2000
October 4, 1999

Antivirus Software

Buy it, but beware of the growing Trojan Horse threat and ever-smarter hackers

Earlier this year, a wake-up call--in the form of a virus called Melissa--sounded for corporate antivirus strategies. Why did this e-mail-borne macro virus stand out? In a word, speed. The virus spread like wildfire because each time an Outlook user opened an infected e-mail attachment, the virus was propagated to the first 50 recipients in the user's global address book.
There are five classes of antivirus solutions: antivirus software for messaging servers, for file servers and for client computers; antivirus gateways; and Web-based virus scanning. In the Melissa and ExplorerZip outbreaks, most of the major antivirus vendors did a commendably swift job of creating and posting the necessary updates. The problem was that in a very short time, Melissa was inside a huge number of networks and spreading fast. In this case, the least useful antivirus measure proved to be the antivirus gateway, which loses its effectiveness once a virus is already spreading internally.

The challenge was not how to stop Melissa from entering the network but rather how to find the most efficient way of eliminating it. For that, antivirus software was needed on messaging servers. Organizations that had previously implemented this software were well positioned to rapidly eliminate the virus once their vendors posted the fix. Those that didn't found themselves installing such software in reactive mode.

There is no question that file-server and client protection are essential parts of an antivirus strategy. For example, there is no way to protect against boot-sector viruses except through client-based protection. Antivirus gateways provide an extra layer of protection, particularly against slower-spreading network-borne viruses. Web-based virus scanning tools that let you initiate a scan of a client PC from a Web site or corporate intranet have limited value in protecting against viruses, but they can be useful for the helpdesk if there are weaknesses in the organization's client-based antivirus measures.

But antivirus software is only part of a well-rounded antivirus strategy--a robust standardized desktop configuration and policy can do more to protect your organization against Melissa-like viruses than any antivirus software can. Good user education is a must.
Fortunately, the software offered by the major vendors consistently works as advertised and does a good job of virus detection and cleaning. Nearly all vendors also offer an online update mechanism, which gives corporate IT departments a fighting chance of keeping up with the latest strains of viruses.

But a note of caution is warranted here. We tend to judge antivirus solutions by their ability to prevent damage from traditional, self-spreading viruses. Destruction of data and denial of service should not be your only concerns: Viruses and their non-reproducing cousins, Trojan Horses, are increasingly being used as a means for hackers to bypass firewall protection. Three viruses that popped up during the past year foreshadow this trend--Picture.exe, Caligula and BackOrifice. The first two steal passwords and encryption key-rings, respectively; the third provides full remote control of an infected PC via the Internet.

Because firewalls have done such a good job of eliminating most traditional hacker techniques, you can bet these types of content-based attacks will become more prevalent. Therefore, antivirus software isn't just about preventing destruction and denial of service; it's also about preventing hacking and data theft.

What's needed now is the ability to tightly control users' activation of harmful programs--perhaps even by redirecting potentially harmful attachments or downloads (such as executables and macro-bearing documents) from untrusted sources so that the action may be actively approved or denied. This functionality gap is the reason for the low score in "suitability to task" for this otherwise mature product category. We hope to see some developments targeted at this issue during the coming year. For now, it pays to spend the money to put an antivirus software solution in place, but beware of the chinks in the armor.

--Philip Carden
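
The control described above, holding executables and macro-bearing documents from untrusted senders until someone approves or denies them, sketched as an added example that is not part of the original article. The trusted-domain list, extension sets, function names and sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAINS = {"corp.example"}  # assumption: hypothetical trusted-sender list
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
MACRO_EXTS = {".doc", ".dot", ".xls", ".ppt"}
MZ_MAGIC = b"MZ"  # DOS/Windows executable header
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 container; can carry macros

def classify(filename, payload):
    """Return 'executable', 'macro-capable' or None; content outranks the file name."""
    ext = os.path.splitext((filename or "").lower())[1]
    if payload.startswith(MZ_MAGIC) or ext in EXECUTABLE_EXTS:
        return "executable"
    if payload.startswith(OLE2_MAGIC) or ext in MACRO_EXTS:
        return "macro-capable"
    return None

def triage(raw, trusted=TRUSTED_DOMAINS):
    """List (filename, kind, action) per attachment; risky + untrusted sender => 'hold'."""
    msg = message_from_bytes(raw, policy=policy.default)
    # The From header is unauthenticated; a real gateway needs a stronger trust signal.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    decisions = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        kind = classify(name, part.get_payload(decode=True) or b"")
        held = kind is not None and domain not in trusted
        decisions.append((name, kind, "hold" if held else "deliver"))
    return decisions

def sample_message(sender="someone@outside.example"):
    """Constructed test message: a disguised executable, an OLE2 document, a text file."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", "constructed sample"
    m.set_content("See attached.")
    for data, name in ((b"MZ\x90\x00" + bytes(8), "holiday.jpg"),
                       (OLE2_MAGIC + bytes(8), "list.doc"),
                       (b"plain notes", "notes.txt")):
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    for row in triage(sample_message()):
        print(row)
```

Items marked "hold" would go to an approval queue rather than the user's inbox; checking the leading bytes as well as the extension catches an executable renamed to look like a picture.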


How did corporate America's antivirus strategies hold up? Not especially well. Many large organizations were forced to shut down their e-mail systems for several hours. And, according to one report, more than 80 percent of Fortune 1,000 companies were affected. The good news was that Melissa didn't carry a destructive payload; it just caused massive denial of service. And antivirus software gained a higher profile, encouraging many companies to buy these solutions. When ExplorerZip--a virus with a similarly fast propagation rate but a more destructive payload--came along, many organizations were better prepared.









