In-Depth
Antiviral Scanners
This is Roberta; are you working?
- By Roberta Bragg
- December 01, 2001
Yeah, the answer should be a no-brainer. Can you imagine a scenario in
which your shiny new antiviral scanner wouldn't find stuff to prove its
mettle? Just install it and forget about it right? You'll know soon enough
if it can handle an all-out attack. Whoa, do you purchase a car without
a test drive? (I'll just bet you have a favorite hill or stretch of freeway
you use. Fred, my son, likes to take his large screwdriver and place it
between the engine and his ear - claims he can diagnose engine problems
long before they are apparent by other means.)
Ok, then, how do you test-drive a viral scanner? You can't exactly go
out to the Internet and holler, "Hey, send me some viruses today, I need
to test my scanner, but oh, please just send a few since I don't know
if it's working." Or can you?
The answer has three parts:
First, you don't want to obtain real viral code to test your scanner,
though I'm sure someone would be very happy to lend you some. (I have a
contact in California who collects viral code. Interesting hobby, but
trust me, you really don't want to make his acquaintance.) Instead, take
a little trip and visit EICAR (The European Institute of Antivirus Research)
at www.eicar.com. They had this thought some time ago and have developed
test files that they make available so that you can confirm that your
virus scanner is up and correctly configured. These files are not viruses
and cannot harm your system, but to your virus checker they look like
a virus. Use them as attachments - email them to recipients on a protected
server and watch the fireworks. You can also see the type of information
your antiviral scanner is producing from the new Antiviral API. Alternatively,
you can create a test file yourself by following these instructions. Enter
the following line (without line breaks) into its own file, as the first
line in the file, then save the file with the name EICAR.COM
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
You must use a plain text editor, such as Notepad, to do this.
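As an added example, not part of the column, the following Python script does the same job without a text editor: it writes EICAR.COM in binary mode so no editor can add a BOM or stray bytes, checks a candidate file against the EICAR rules (the 68-byte string, optionally followed only by whitespace, 128 bytes total at most), and builds a mail message with the file attached so a protected mail server can be exercised. The addresses are placeholders.

```python
import email
import email.policy
from email.message import EmailMessage
from pathlib import Path

# The 68-byte EICAR standard test string, exactly as quoted in the column.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Per the EICAR file rules only these bytes may follow the string,
# and the whole file must not exceed 128 bytes.
_TRAILING_OK = set(b" \t\r\n\x1a")


def is_valid_eicar_file(data: bytes) -> bool:
    """True if `data` is a file a compliant scanner must flag as EICAR."""
    if not data.startswith(EICAR) or len(data) > 128:
        return False
    return all(b in _TRAILING_OK for b in data[len(EICAR):])


def write_eicar_file(path: Path) -> int:
    """Write EICAR.COM and return its size on disk. On-access protection may
    quarantine it immediately (size 0), which is the detection you want."""
    path.write_bytes(EICAR)
    try:
        return path.stat().st_size
    except FileNotFoundError:  # already removed by the scanner
        return 0


def build_test_message(sender: str, recipient: str) -> bytes:
    """Construct (not send) a mail with EICAR.COM attached, so the mail
    server's scanner, not just the desktop one, gets exercised."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR antivirus test attachment"
    msg.set_content("This attachment is the harmless EICAR test file.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="EICAR.COM")
    return msg.as_bytes()


def extract_attachment(raw: bytes) -> bytes:
    """Pull EICAR.COM back out of a delivered message to see whether the
    server-side scanner stripped or replaced it. Empty bytes if absent."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        if part.get_filename() == "EICAR.COM":
            return part.get_payload(decode=True)
    return b""
```

Hand the bytes from build_test_message to your own SMTP client; if extract_attachment returns empty bytes on the delivered copy, the mail-server scanner removed the attachment.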
Second, now that you can see the scanner detecting infected attachments,
load up the new Performance Monitor Counters (and some basic stand-bys
like % of CPU utilization). Granted, you're not going to see much activity
here, but you should be able to determine what your baseline activity
is and confirm that the product is working. Adding any processing activity
to a mail server is bound to result in some strain on the system. What's
it going to be like if you're under attack? Obtaining a baseline now can
assist you in determining server sizing. Growth in the sheer number of
messages your server and antiviral scanner have to handle is bound to
slow down the process. Monitoring it will help you understand it and anticipate
problems. Some of the new counters will tell you things like how many
messages and files have been processed by the scanner, the rate at which
it's doing so, how many messages/files have been cleaned or quarantined
and the current length of the processing queue. More information can be
found in the knowledge-base article Q285696,
"XADM: Virus Scanning API Performance Monitor Counters In Exchange 2000
Server SP1."
Third, configure, examine, understand, and monitor event log messages.
Antiviral API 2.0 has added to the range of messages logged when a viral
scanner is active. Specifically, events can warn you that configuration
is wrong and the viral scanner can't be started; or that problems are
occurring during the scanning of messages. To obtain these messages you
need to adjust the logging level. This is done on the Diagnostics Logging
tab under Services\MSExchange\System\Categories\Virus Scanning in Exchange
Administrator. For more information see Q294336,
"XADM: Event Logging in Exchange 2000 Server SP1 for Virus Scanning API
2.0."
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.