Virus Protection Policy

Version: 1.00
Issue Date: 12/16/2014

This Virus Protection Policy is intended to ensure that the organization has proper virus protection in place and active to protect the security of the network and the data residing in the care of the organization.

1.0 Overview

This Virus Protection Policy is an internal IT policy that addresses anti-virus protection on every computer, including how often a virus scan is done, how often updates are done, and what programs will be used to detect, prevent, and remove malware. It addresses what types of file attachments are blocked at the mail server and what anti-virus program will be run on the mail server. It may specify whether an anti-spam firewall will be used to provide additional protection to the mail server. It may also specify how files can enter the trusted network and how these files will be checked for hostile or unwanted content. For example, it may specify that files sent to the enterprise from outside the trusted network be scanned for viruses by a specific program.

2.0 Purpose

The purpose of this Virus Protection Policy is to protect the organizational resources against intrusion by viruses and other malware thus helping to ensure the security of the data and resources in the organization.

3.0 Scope

This Virus Protection Policy applies to all computer equipment operated by the organization or functioning on the organizational network. All third parties operating computer equipment on the organizational network must have an acceptable anti-virus solution which is kept current and active. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  • Virus - Malicious software that spreads by attaching itself to files or creating files that may be executed in some way. Usually a computer virus is sent to users as an email attachment. A computer virus may require a computer software vulnerability to spread depending on the type of program the virus uses to spread. A computer virus runs on a system against the owner's or user's wishes and knowledge. The computer virus may alter data and files on the infected computer. Computer viruses normally attack at the application layer.

5.0 Anti-Virus Policy

Computer viruses are usually costly to the organization, and it is very important to prevent them, both because of the costs involved and to protect information sent on the network and stored on networked devices. Any computer in the organization with a virus may be used by an attacker to compromise other systems or acquire sensitive data without authorization. This section defines an enterprise-wide anti-virus policy for the organization which shall be implemented by the Information Technology (IT) Department. The organization will use one or more approved anti-virus products for anti-virus protection. The following minimum requirements shall remain in force.

  • The anti-virus product shall be operated in real time on all servers and client computers. The product shall be configured for real time protection.
  • The anti-virus library definitions shall be updated at least once per day.
  • Anti-virus scans shall be done a minimum of once per week on all user controlled workstations and servers.
  • Workstations shall have virus updates managed by primary servers (if supported by the anti-virus product) which keep their virus definitions current.
  • Users shall be provided instructions for how to update their anti-virus software where applicable, perform a virus scan, and check to be sure the anti-virus program is functioning. Administrators shall have procedures for installing anti-virus programs on workstations and servers as required.
  • Security Officers have a duty to share information with each other and must proactively notify managers and users about new high risk viruses and hoaxes.

No one should be able to stop anti-virus definition updates and anti-virus scans except for domain administrators.

6.0 Email Server Policy

The email server will have additional protection against malware since email with malware must be prevented from entering the network.

6.1 Email Malware Scanning

In addition to having the standard anti-virus program, the email server or proxy server will include a second product which will be used to scan all email for viruses and/or malware. This scanner will scan all email as it enters the server and scan all email before it leaves the server. In addition, the scanner may scan all stored email once per week for viruses or malware. The product to use for this purpose shall be determined by the IT Management at the recommendation of the system administration team.

When a virus or malware is found, the policy shall be to delete the email and not to notify either the sender or recipient. The reason for this is that most viruses fake the sender of the email, and sending the apparent sender a notice that they sent a message with a virus may alarm them unnecessarily, since it would not likely be true. It would simply cause an additional help desk call by the notified person and most likely waste system administrators' time needlessly. Notifying the recipient that someone tried to send them a virus would only alarm them needlessly and result in an increased number of help desk calls.

6.2 Blocked Attachment Types

The email server or proxy server will block all emails with attachment types listed on the blocked attachment types procedure sheet. This is because these attachment types are dangerous, containing active content which may be used to infect a computer with hostile software, or because these attachment types are commonly and successfully used by virus programs or malware to spread.

When attachment types are blocked, a workaround must be given to business users. The workaround must be a method that a virus program would not typically use and the preferred method would be an out of band transmission of the file type. All business users must be informed about the types of files that are not allowed to be sent through email including file types, files above a set size, and content that is not allowed in the subject or body of the email.

Do not depend on your anti-virus software on each computer to prevent these viruses. Viruses have a period of time when they spread unrecognized by anti-virus software. Blocking these file attachments will prevent many trouble calls. Give the users a workaround for your network to get some of their files sent to other organizations. Your solution will depend on your network and the software that is being used to block the file attachments. In one case we renamed the file to another type and instructed the recipient to rename it back to the original name before using it. This will not work in all cases, since some file blocking software senses the actual file type regardless of its named file extension.

When an email breaks the rules and contains an illegal file attachment, your policy should define one of the following to be done:

  1. Delete the email and notify neither the sender nor the recipient. The problem with doing this is that people may be trying to send legitimate files to each other and have no way of knowing their communication attempts are failing. Training that lets users know what files are blocked is required to remedy this problem.
  2. Delete the email and notify the sender. - This will notify senders when their emails do not go through, but it will also notify senders who really did not send an email (when a virus spoofed them as the sender) that they sent an email with an illegal attachment. This can cause additional help desk requests and questions for the administrator on the spoofed sender's side.
  3. Delete the email and notify the sender and recipient. - This would have all the drawbacks of the above policy but would also increase help desk calls in your organization.
  4. Remove the attachment and let the email go through. - This would let the receiver know that someone tried to send them an illegal attachment. If the attempt was a legitimate one, they could contact the sender and tell them what to do to get the attachment sent. This policy would very likely cause your organization's help desk calls to increase with users calling to ask questions about why someone is trying to send them these files.

There is no ideal policy here and your system administrators must choose the best method depending on the situation being experienced by your organization. I usually use the first option and provide training to users so they know these files are blocked and what the workaround is for this situation.

6.3 Proxy or anti-spam Server

To increase mail security, many organizations are adding an anti-spam server or proxy mail server to their network. This reduces the mail server's exposure to the threat of intrusion, and an anti-spam server can significantly reduce the load on the mail server, not to mention the reduction of spam. Your organization should decide whether to use one of these types of servers or whether to use a service to prevent spam. The service or devices used for this purpose should be defined in this policy. Periodic updates should also be defined, and the person who manages the additional servers or is the point of contact for the services should be defined.

7.0 File Exchange Policy

This part of the policy specifies methods that are allowed to be used when files are sent into the network by members of the public or employees of the organization. It specifies:

  1. All legitimate methods used including:
    1. FTP transfer to a FTP server.
    2. File transfer to a Web server with a legitimate file upload program.
    3. Any other method.
  2. The method and type of software to be used to scan the files for hostile content before they are completely transferred into the network. It will also specify the update frequency for the scanning software.
  3. The point in time when the files will be scanned.

8.0 Network Exploit Protection

This policy should cover any other possible malware including adware and spyware. It may specify methods to prevent and remove this type of malware. It may specify acceptable prevention and removal software. If the anti-virus product is a product that also handles other types of malware such as adware or spyware, it should be stated here.

Applicable Training

  1. Blocked email attachments
  2. How viruses work and avoidance
  3. Adware and spyware avoidance

9.0 Monitoring Effectiveness

The Computer Security Department and respective Security Officers are responsible for monitoring the effectiveness of the anti-virus protection systems and shall keep records detailing virus incidents on a monthly basis.

10.0 Maintenance

  • The IT Department will make sure all servers have anti-virus programs installed.
  • The IT Department will maintain servers daily and make sure, on a daily basis, that the anti-virus programs on them are operational and not disabled.
  • The IT Department will perform patching of servers for security flaws according to the Patch Management Policy.
  • The IT Department will create and implement a security incident plan covering virus incidents which defines who to contact and the process for identifying an incident and the steps to control and recover from the incident.

11.0 User Responsibilities

All users must be aware of the means by which their computer may be compromised and be cautious when opening emails, email attachments, and surfing the internet.

  • Users should know the type of file they are opening and should have their computer system configured to show all file types and extensions.
  • Users should not open email attachments that are suspicious and should only open attachments when they know they were really sent by the person claimed as the sender.
  • Users should be aware that a sender name may be spoofed or misrepresented in the email.
  • Suspicious emails should be reported to the Computer Security Department.
  • Suspected infections of viruses should be reported to the Computer Security Department immediately. Provide all known information about the virus or incident including what was done to make the user think they got a virus and what messages were received from the computer system or software at the time of the incident.
  • Users are not allowed to disable anti-virus software.

12.0 Enforcement

Since virus protection is important to maintain the security of the organizational network and prevent unauthorized data disclosure, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

13.0 Other Requirements

  • A list of tested and approved anti-virus products must be created.
  • A list of prohibited file attachments must be created and maintained. Users must be informed about the types of file attachments that are blocked and what happens to email with those types of attachments. A workaround for sending some types of files must be provided to users.
  • Additional instructions/procedures about installing and maintaining specific anti-virus products on workstations and servers must be provided.
  • Auditors should periodically audit servers to be sure anti-virus was installed and is properly maintained according to this policy.
  • A central log shall be created and virus and security incidents shall be tracked in it. The number and severity of incidents must be reported to management.


Approved by:__________________________ Signature:_____________________ Date:_______________