When malware reaches a host computer, the defense systems must focus on protecting the host system and its data and stopping the spread of the infection. These defenses are no less important than the physical and network defenses in your environment. You should design your host defenses based on the assumption that the malware has found its way through all previous layers of defense. This approach is the best way to achieve the highest level of protection.

Client Antivirus Protection Steps

There are a number of approaches and technologies you can use for client antivirus configurations. The following steps describe the ones Microsoft recommends you consider.

Step 1: Reduce the Attack Surface

The first line of defense at the application layer is to reduce the attack surface of the computer. Every installed application and every running service is code an attacker can reach, and a listening network service can be reached before any user action. Remove or disable all applications and services that are not required, so that the number of ways an attacker could exploit the system is as small as possible.

You will find the default settings for Windows XP Professional services on the Default settings for services page of the Windows XP Professional Product Documentation on Microsoft.com at: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx.
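An added example of the service review described above (this script is not part of the original guide): it lists every service set to start automatically that is not on an explicit allow-list, and can then disable the rest. The allow-list is a constructed placeholder that you must build from the default-settings reference above and your own requirements; the names in it are real Windows XP service names, but the list is deliberately incomplete.

```powershell
# Added example (not from the guide): audit automatic-start services against an
# allow-list and disable the ones that are not approved.
# ASSUMPTION: $AllowedAutoStart is a placeholder; derive yours from the
# default-settings reference and from what each role actually needs.
$AllowedAutoStart = @(
    'CryptSvc', 'Dhcp', 'Dnscache', 'Eventlog', 'lanmanworkstation', 'Netman',
    'PlugPlay', 'RpcSs', 'SamSs', 'Schedule', 'winmgmt', 'wuauserv',
    'SharedAccess'   # hosts the Windows XP firewall (ICF); never disable it
)

function Get-UnapprovedAutoStartServices {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which the
    # Get-Service cmdlet on older PowerShell versions does not report.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $AllowedAutoStart -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Disable-UnapprovedAutoStartServices {
    param([switch]$ReportOnly)
    foreach ($svc in Get-UnapprovedAutoStartServices) {
        if ($ReportOnly) {
            Write-Host ("Would disable {0} ({1})" -f $svc.Name, $svc.DisplayName)
            continue
        }
        # -Force also stops services that depend on this one; review the
        # report first so you know what that will take down.
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host ("Disabled {0}" -f $svc.Name)
    }
}

# Review first, then run again without -ReportOnly to apply.
Get-UnapprovedAutoStartServices | Format-Table -AutoSize
Disable-UnapprovedAutoStartServices -ReportOnly
```

Disabling a service that another service, or Windows itself, depends on can leave the host unusable or unbootable, so test the resulting allow-list on a lab image of each hardware and role type before rolling it out, and keep the report output as a record of what was changed.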

Once the attack surface has been minimized without affecting the required functionality of the system, the primary defense to use at this layer is an antivirus scanner. The scanner’s primary role is to detect and prevent an attack, and then to notify the user and perhaps the system administrators in your organization as well.

Step 2: Apply Security Updates

The sheer number and variety of client machines that may be connected to an organization’s networks can make it difficult to provision a fast and reliable security update management service. Microsoft and other software companies have developed a number of tools you can use to help manage this problem. The following patch management and security update tools are currently available from Microsoft:

Microsoft Update. What’s new? Now you can access the same updates and downloads available from Windows Update, plus the latest updates for Office and other Microsoft applications, all in one place, at Microsoft Update. Issues with this approach for some organizations include the lack of support for testing prior to deploying updates from this service, and the amount of network bandwidth that the clients may consume in the organization when downloading the same package at the same time. Information on using this service is available on the Microsoft Update home page at:

Software Update Service. This service was designed to provide a security update solution for Windows clients in the enterprise. The service addressed both of the Microsoft Update shortcomings for larger organizations by allowing internal testing and distributed security update management. However, the Software Update Service is being replaced by Windows Update Services, which provides a broader set of functionality (see the next bullet point). Information on using this service to develop a solution for your organization is available on the Software Update Service home page on Microsoft.com at:

Windows Update Services. These services are designed to replace the Software Update Service to provide a higher level of functionality across a wider range of Microsoft software. Windows Update Services reduces the cost and risk associated with update management while providing the flexibility to address a broad range of update management scenarios. Information on using these services for your organization is available on the Windows Update Services home page on Microsoft.com at:

Systems Management Server 2003. Microsoft Systems Management Server 2003 is a complete enterprise management solution that is capable of providing comprehensive security update services and much more. For more information about this solution, see the Systems Management Server home page on Microsoft.com at:

Each of these Microsoft security update tools has specific strengths and goals. The best approach is likely to use one or more of them. To help you evaluate the security update solutions for your organization, see the features comparison provided on the Choosing a Security Update Management Solution page on Microsoft.com at:
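The two shortcomings noted above for Microsoft Update, no internal testing stage and every client downloading the same package from the Internet, are addressed by pointing managed clients at an internal update server. As an added example (not from the guide), the script below writes the same registry values that the Windows Update Group Policy settings write on a client, so that the client downloads approved updates from the internal server and reports status to it. The server URL and the target group name are assumptions; use your own.

```powershell
# Added example (not from the guide): configure the Automatic Updates client to
# use an internal update server instead of Microsoft Update.
# ASSUMPTIONS: the server URL and the 'Pilot' target group are placeholders.
$WsusUrl = 'http://wsus.corp.example'
$WuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey   = Join-Path $WuKey 'AU'

foreach ($k in $WuKey, $AuKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Intranet server for both update downloads and status reporting.
Set-ItemProperty -Path $WuKey -Name WUServer           -Value $WsusUrl -Type String
Set-ItemProperty -Path $WuKey -Name WUStatusServer     -Value $WsusUrl -Type String
# Client-side targeting: the server approves updates per group, so a pilot
# group receives an update only after it has been tested on the pilot machines.
Set-ItemProperty -Path $WuKey -Name TargetGroupEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $WuKey -Name TargetGroup        -Value 'Pilot' -Type String

Set-ItemProperty -Path $AuKey -Name UseWUServer          -Value 1 -Type DWord  # 1 = use WUServer above
Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0 -Type DWord  # 0 = Automatic Updates on
Set-ItemProperty -Path $AuKey -Name AUOptions            -Value 4 -Type DWord  # 4 = download and install on schedule
Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value 0 -Type DWord  # 0 = every day
Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value 3 -Type DWord  # 03:00 local time

# Read back what was written, then make the client re-read policy and check in.
Get-ItemProperty -Path $WuKey | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $AuKey | Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
& wuauclt.exe /resetauthorization /detectnow
```

In a domain these values normally come from a Group Policy object rather than a script, but the registry locations are identical, so the read-back at the end is also a useful check that a policy actually reached a given client.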

Step 3: Enable a Host-based Firewall

The host-based or personal firewall represents an important layer of client defense that you should enable, especially on laptops that users may take outside your organization’s usual physical and network defenses. These firewalls filter the data that is attempting to enter, and in many products also to leave, a particular host computer.

Windows XP includes a simple personal firewall called the Internet Connection Firewall (ICF). ICF is a stateful packet filter: it records the outbound connections the host initiates and admits an inbound packet only when it is a reply to one of those connections, or when it matches an exception you have explicitly configured. All other unsolicited inbound traffic is dropped. For more information on ICF, see the Windows XP Help system and also the Use the Internet Connection Firewall page on Microsoft.com at:

Windows XP Service Pack 2 enables the personal firewall by default and introduces a number of significant enhancements to that firewall (now called the Windows Firewall) as well as other security-oriented improvements. Note that both ICF and the Windows Firewall inspect inbound traffic only; they will not stop malware that is already running on the host from connecting outward, so the firewall complements the antivirus scanner rather than replacing it. A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and updates created for defects found internally since the release of a product. Service packs may also contain a limited number of customer-requested design changes or features. For information about this update for Windows XP, see the Windows XP Service Pack 2 page on Microsoft TechNet at:

Versions of Windows before Windows XP did not come with a built-in firewall. Third-party host-based firewall solutions are available that can be installed to provide firewall services on earlier versions of Windows. For information about these firewall products see the Frequently Asked Questions About Internal Firewalls page on the Microsoft Protect Your PC Web site at:
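An added example (not from the guide) of configuring the Windows XP SP2 firewall from the command line with netsh, which sets the same options the SP2 Group Policy settings and the Control Panel expose. The weak configuration and the corrected one are shown side by side. The commands are the same when typed at a cmd.exe prompt; the corporate-subnet assumption is that Remote Desktop is only ever used from the local subnet while the laptop is on the domain.

```powershell
# Added example (not from the guide): harden the XP SP2 Windows Firewall with
# netsh. Run from an administrator prompt. Each netsh line is a real XP SP2
# "netsh firewall" command; the policy choices are this example's assumptions.

# Weak starting point (shown for contrast only, do not run): firewall on, but the
# file-and-print, UPnP and remote-administration exceptions left enabled from
# any address, which is exactly what worm traffic looks for.
#   netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# 1. Firewall on in both profiles. "exceptions=ENABLE" here means the
#    exceptions list is honoured; we prune that list next.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

# 2. Close the built-in exceptions that a client workstation does not need.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=UPNP         mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN  mode=DISABLE profile=ALL

# 3. Keep only the exception that is genuinely required, and only while on the
#    domain, and only from the local subnet (scope=SUBNET, not ALL).
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN

# 4. Off the corporate network (standard profile, e.g. a laptop at home or a
#    hotspot) allow no exceptions at all: every inbound request is dropped.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

# 5. Log dropped packets so a host being probed by an outbreak leaves evidence.
netsh firewall set logging "filelocation=$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

# 6. Verify the result before imaging or deploying it.
netsh firewall show state
netsh firewall show config
netsh firewall show logging
```

The two-profile split is the point of the example: a rule that is acceptable inside the building (Remote Desktop from the local subnet) is not acceptable on an untrusted network, and the standard profile is where the laptop spends its most dangerous hours.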

Step 4: Install Antivirus Software

Many companies produce antivirus applications, each of which attempts to protect the host computer with minimal inconvenience to and interaction with end users. Most of these applications have become very effective in providing this protection, but they all require frequent updates to keep up with new malware. Any antivirus solution should provide a rapid and seamless mechanism to ensure that updates to the required signature files for dealing with new malware or variants are delivered as soon as possible. A signature file contains information that antivirus programs use to detect malware during a scan. Signature files are designed to be regularly updated by the antivirus application vendors and downloaded to the client computer.

Note: Such updates present their own security risk, because signature files are sent from the antivirus vendor’s update site to the host application, usually over the Internet. For example, if the transfer mechanism uses File Transfer Protocol (FTP) to obtain the file, the organization’s perimeter firewalls must allow this type of access to the required FTP server on the Internet, and FTP itself offers no protection for the integrity of what is downloaded. Ensure that your antivirus risk assessment reviews the update mechanism: confirm that the client verifies the vendor’s digital signature on each update before applying it, and prefer a design in which managed clients pull updates from an internal distribution server rather than every client reaching the Internet directly. The mechanism must be secure enough to meet your organization’s security requirements.

Due to rapidly changing malware patterns and techniques, some organizations have adopted an approach that recommends requiring certain "high risk" users to run more than a single antivirus package on the same computer to help minimize the risk of malware going undetected. The following user types typically fall into this category:

Webmasters or anyone who administers content on the Internet or an intranet.

Release lab workers or anyone who produces electronic media such as CD-ROMs.

Development team members who create or compile compressed files or other product software.

It should be noted that running antivirus applications from a number of different application vendors on the same computer may cause problems due to interoperability issues between the antivirus applications. System issues that can result from running more than one antivirus application in your environment at the same time include:

Memory overhead. Many antivirus applications use active agents that stay resident in memory, reducing the amount of available system memory.

System crashes or stop errors. Such crashes and errors can be caused by antivirus applications attempting to simultaneously scan the same file.

Performance loss. As antivirus applications scan files for malicious code, system performance may decrease. Scans are repeatedly performed when multiple applications are used, which may lower your system performance to an unacceptable level.

Loss of system access. Antivirus applications attempting to run concurrently may cause the system to halt during startup. This problem is more common in older versions of Windows, such as Microsoft Windows NT and Windows 9x.

For these reasons, the use of multiple antivirus applications on the same computer is not a recommended approach and should be avoided if possible.

An alternative approach to consider is to use antivirus software from different vendors for the client, server, and network defenses in the organization. This approach provides consistent scanning of these different areas of the infrastructure with different scanning engines, which should help reduce the risk to your overall antivirus defenses if a single vendor’s product fails to detect an attack.

For more information about antivirus vendors, see the Microsoft Antivirus Partners page on Microsoft.com at:

For more information about antivirus software designed for Windows XP, see the Microsoft Windows Catalog Antivirus page on Microsoft.com at: http://go.microsoft.com/fwlink/?LinkId=28506.

Step 5: Test with Vulnerability Scanners

Once you have configured a system, you should check it periodically to ensure that no security weaknesses have been left in place. To assist you with this process, a number of applications act as scanners to look for weaknesses that both malware and hackers may attempt to exploit. The best of these tools update their own check definitions so that they test your system for the latest known weaknesses.

The Microsoft Baseline Security Analyzer (MBSA) is an example of a vulnerability scanner that is capable of checking for common security configuration issues, such as accounts with blank or weak passwords, an enabled Guest account, and unrestricted anonymous access. The scanner also checks to ensure that your host is configured with the latest security updates.

For more information about this free configuration tool, see the Microsoft Baseline Security Analyzer page on TechNet at: http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

Step 6: Use Least Privileges Policies

Another area that should not be overlooked among your client defenses is the privileges assigned to users under normal operation. Malware executes with the privileges of the user who ran it, so Microsoft recommends adopting a policy that grants users the fewest privileges possible, to minimize what malware can do when it executes. Such a policy is especially important for users who typically have local administrative privileges: an infection running as an administrator can install drivers or services, disable the antivirus scanner, and modify system files. Consider removing such privileges for daily operations, and instead using the RunAs command to launch the required administration tools when necessary.

For example, a user who needs to install an application that requires administrator privileges could run the following setup command at a command prompt to launch the setup program with appropriate privileges:

runas /user:mydomain\admin "setup.exe"

You can also access this feature directly from Microsoft Windows Explorer, in Windows 2000 or later systems, by performing the following steps:

To run a program with administrative privileges

1. In Windows Explorer, select the program or tool you want to open (such as a Microsoft Management Console (MMC) snap-in or Control Panel).

2. Right-click the program or tool and select Run As.

   Note: If Run As does not appear as an option, press and hold the SHIFT key while you right-click the tool.

3. In the Run As dialog box, select The following user: option.

4. In the User name and Password boxes, type the user name and password for the administrator account you want to use.
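Before a least-privilege policy can be enforced you need to know which users currently hold local administrative rights on each client. The following added example (not from the guide) enumerates the local Administrators group through the WinNT ADSI provider, which is available on Windows 2000, XP and 2003 without extra components, and flags every member that is not on an approved list. The approved names are constructed placeholders.

```powershell
# Added example (not from the guide): find local administrators who should be
# demoted to standard users. ASSUMPTION: the $Approved entries are placeholders.
$Approved = @('Administrator', 'MYDOMAIN\Domain Admins', 'MYDOMAIN\Workstation Admins')

function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are COM objects; read their ADsPath via late binding. It looks
        # like WinNT://MYDOMAIN/jsmith or WinNT://HOSTNAME/Administrator.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Get-UnapprovedLocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-LocalAdministrators -ComputerName $ComputerName | Where-Object {
        # Local accounts come back as HOSTNAME\Name; compare them without the host.
        $name = $_ -replace ('^' + [regex]::Escape($ComputerName) + '\\'), ''
        $Approved -notcontains $name
    }
}

Get-UnapprovedLocalAdministrators | ForEach-Object {
    Write-Host "Review: $_ is a member of the local Administrators group"
}
```

Run it with -ComputerName against remote clients from a management workstation to build the list of accounts to remove; each one is a user who should be working as a standard user and using RunAs, as described above, for the occasional administrative task.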

Step 7: Restrict Unauthorized Applications

If an application is providing a service to the network, such as Microsoft Instant Messenger or a Web service, it could, in theory, become a target for a malware attack. As part of your antivirus solution, you may wish to consider producing a list of authorized applications for the organization. Attempts to install an unauthorized application on any of your client computers could expose all of them and the data they contain to a greater risk of malware attacks.

If your organization wishes to restrict unauthorized applications, you can use Windows Group Policy to restrict users’ ability to run unauthorized software. Group Policy is already extensively documented; you will find detailed information about it at the Windows Server 2003 Group Policy Technology Center on Microsoft.com at:

The specific area of Group Policy that handles this feature is called Software Restriction Policies, which you can access through the standard Group Policy MMC snap-in under Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies (a per-user equivalent exists under User Configuration). The configuration that actually enforces an authorized-application list sets the default security level to Disallowed and then adds path or hash rules for the approved applications; leaving the default at Unrestricted and adding rules only for software you want to block leaves everything not yet on the block list free to run.
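An added example (not from the guide) that reads the Software Restriction Policy in force on a client and reports whether it is an allow-list (default level Disallowed) or only a block-list (default level Unrestricted), together with its path rules. It reads the registry keys that the Group Policy snap-in writes; the mapping from level numbers to names used in the comments is this example’s own description of that layout and should be treated as an assumption to confirm against your own policy.

```powershell
# Added example (not from the guide): audit the effective Software Restriction
# Policy on this host. ASSUMPTION: registry layout and level values as commented.
$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
             131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpStatus {
    if (-not (Test-Path $Safer)) {
        return New-Object PSObject -Property @{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $Safer
    New-Object PSObject -Property @{
        Configured      = $true
        DefaultLevel    = $Levels[[int]$p.DefaultLevel]
        ChecksDlls      = ([int]$p.TransparentEnabled -eq 2)   # 1 = skip DLLs, 2 = check all files
        ExemptsAdmins   = ([int]$p.PolicyScope -eq 1)          # 0 = all users, 1 = not local admins
        ExecutableTypes = $p.ExecutableTypes
    }
}

function Get-SrpPathRules {
    # Each security level is a numeric subkey; its Paths\{GUID} subkeys hold one
    # path rule each, with the path in ItemData.
    foreach ($lvl in $Levels.Keys) {
        $pathsKey = Join-Path (Join-Path $Safer $lvl) 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $r = Get-ItemProperty $rule.PSPath
            New-Object PSObject -Property @{
                Level = $Levels[$lvl]; Path = $r.ItemData; Description = $r.Description
            }
        }
    }
}

$s = Get-SrpStatus
if (-not $s.Configured) {
    Write-Host 'No Software Restriction Policy is applied: any program can run.'
} elseif ($s.DefaultLevel -ne 'Disallowed') {
    Write-Host "Default level is $($s.DefaultLevel): only explicitly listed software is blocked."
} else {
    Write-Host 'Default level is Disallowed: only listed software may run.'
}
if ($s.ExemptsAdmins) { Write-Host 'Warning: the policy does not apply to local administrators.' }
if (-not $s.ChecksDlls) { Write-Host 'Note: DLLs are not checked (TransparentEnabled = 1).' }
Get-SrpPathRules | Sort-Object Level | Format-Table Level, Path, Description -AutoSize
```

Two findings matter most when reading the output: a default level of Unrestricted means the policy is a block-list that new or renamed malware will simply not be on, and an Unrestricted path rule covering a directory that ordinary users can write to (a temporary or profile directory, for example) is a hole, because a user, or malware running as that user, can copy any program there and run it.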
