Policies, Procedures, and Awareness

Client, server, and network operational policies and procedures are essential aspects of the antivirus defense layers in your organization. Microsoft recommends consideration of the following policies and procedures as part of your organization’s antivirus defense in depth solution:

Antivirus scanning routines. Ideally, your antivirus application should support automated or real-time scanning. However, if this is not the case, you should implement a process to provide guidance on when the users in your organization should run a full system scan.

Antivirus signature update routines. Most modern antivirus applications support an automated method for downloading virus signature updates, and you should implement such a method on a regular basis. However, if your organization requires testing these updates prior to deploying them, you will generally not be able to use such methods. If this is the case, make sure your support staff identifies, downloads, tests, and updates signature files as soon as possible.

Policies on allowed applications and services. A clearly communicated policy should exist to explain which applications are allowed on your organization’s computers and others that access your organization’s resources. Examples of applications that can cause problems include peer-to-peer network applications and applications that users may download directly from rogue Web sites.

At a minimum, Microsoft recommends the following policies and procedures for all devices in your organization’s network defense layer.

Change control. A key security process for network devices is to control changes that impact them. Ideally, all changes should be proposed, tested, and implemented in a controlled and documented manner. Spontaneous changes to devices in the perimeter network are likely to introduce configuration errors or flaws that an attack could exploit.

Network monitoring. Correctly configuring your network devices to optimize them for security does not mean that other antivirus procedures can be neglected. Ongoing monitoring of all devices in the network is essential to detect malware attacks as soon as possible. Monitoring is a complex process that requires gathering information from a number of sources (such as firewalls, routers, and switches) to compile a "normal" behavior baseline you can use to identify abnormal behavior.
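The following is an added example, not part of the guide, of what "compiling a normal behavior baseline" can look like in practice. It reads firewall-style log lines (the lines, the hosts and the log format are constructed for this example), builds a per-host profile of the destination ports and the connection rate seen during a quiet period, and then flags hosts in a later window that contact ports they never used before or that open far more connections than their baseline allows. The window size and the threshold rule (mean plus three standard deviations, with a floor of twice the mean) are assumptions chosen for the example.

```python
"""Baseline-and-deviation check over constructed firewall log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed lines in the shape "<epoch> <src> <dst> <dport> <action>"; made up
# for this example, not captured from a real device.
BASELINE_LOG = """\
1000 10.0.0.5 10.0.1.10 445 ALLOW
1001 10.0.0.5 10.0.1.11 445 ALLOW
1002 10.0.0.5 10.0.1.20 80 ALLOW
1003 10.0.0.6 10.0.1.20 80 ALLOW
1004 10.0.0.6 10.0.1.21 443 ALLOW
1060 10.0.0.5 10.0.1.10 445 ALLOW
1061 10.0.0.5 10.0.1.20 80 ALLOW
1062 10.0.0.6 10.0.1.20 80 ALLOW
1063 10.0.0.6 10.0.1.21 443 ALLOW
1120 10.0.0.5 10.0.1.10 445 ALLOW
1121 10.0.0.5 10.0.1.20 80 ALLOW
1122 10.0.0.5 10.0.1.11 445 ALLOW
1123 10.0.0.6 10.0.1.21 443 ALLOW
"""

# A later window in which host 10.0.0.6 suddenly fans out to port 445.
CURRENT_LOG = """\
2000 10.0.0.5 10.0.1.10 445 ALLOW
2001 10.0.0.5 10.0.1.20 80 ALLOW
2002 10.0.0.6 10.0.1.30 445 ALLOW
2003 10.0.0.6 10.0.1.31 445 ALLOW
2004 10.0.0.6 10.0.1.32 445 ALLOW
2005 10.0.0.6 10.0.1.33 445 ALLOW
2006 10.0.0.6 10.0.1.34 445 ALLOW
2007 10.0.0.6 10.0.1.35 445 DENY
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(ALLOW|DENY)$")


def parse(text):
    """Parse log text into (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return records


@dataclass
class Profile:
    ports: set          # destination ports the host normally talks to
    mean_count: float   # average connections per window during the baseline period
    threshold: float    # connections per window above which the host is flagged


def build_baseline(records, window=60):
    """Profile every source host over fixed-size time windows of the baseline period."""
    windows = sorted({ts // window for ts, *_ in records})
    per_host = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for ts, src, _dst, dport in records:
        per_host[src][ts // window] += 1
        ports[src].add(dport)
    profiles = {}
    for host, counts in per_host.items():
        series = [counts.get(w, 0) for w in windows]   # windows with no traffic count as 0
        m = mean(series)
        profiles[host] = Profile(ports[host], m, max(m + 3 * pstdev(series), 2 * m))
    return profiles


def detect(profiles, records, window=60):
    """Return (host, window_start, reasons) for every host/window that departs from its baseline."""
    counts, seen = defaultdict(int), defaultdict(set)
    for ts, src, _dst, dport in records:
        counts[(src, ts // window)] += 1
        seen[(src, ts // window)].add(dport)
    findings = []
    for (host, w), n in sorted(counts.items()):
        reasons = []
        prof = profiles.get(host)
        if prof is None:
            reasons.append("no baseline for host")
        else:
            new_ports = seen[(host, w)] - prof.ports
            if new_ports:
                reasons.append(f"new destination ports {sorted(new_ports)}")
            if n > prof.threshold:
                reasons.append(f"{n} connections vs threshold {prof.threshold:.1f}")
        if reasons:
            findings.append((host, w * window, reasons))
    return findings


if __name__ == "__main__":
    for host, start, reasons in detect(build_baseline(parse(BASELINE_LOG)), parse(CURRENT_LOG)):
        print(host, start, "; ".join(reasons))
```

Run against the constructed data, only 10.0.0.6 is reported, for two reasons: port 445 is not in its baseline, and six connections in one window exceed its threshold. Host 10.0.0.5 uses port 445 routinely and stays within its rate, so it is not reported, which is the point of comparing each host with its own history rather than with a single global rule.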

Attack detection process. If a suspected malware attack is detected, your organization should have a set of clearly defined and documented steps to follow to ensure the attack is confirmed, controlled, and cleaned with minimum disruption to end users. See Chapter 4, "Outbreak Control and Recovery," for more information about this subject.

Home computer network access policy. A set of minimum requirements should be established and met before an employee can connect a home computer or network to your organization’s network via a VPN connection.

Visitor network access policy. A set of minimum requirements should be established and met by visitors before they are allowed to connect to your organization’s network. These requirements should apply to both wireless and wired connectivity.

Wireless network policy. All wireless devices connecting to the internal network should meet minimum security configuration requirements before they can connect. This policy should specify the required minimum configuration for the organization.

There are many more policies and procedures you could implement to improve the security of your network devices; the ones listed in this section should be considered as a good starting point. However, because additional policies provide general security settings rather than antivirus specific settings, they are outside the scope of this guide.

Security Update Policy

Client, server, and network defenses should all have some form of security update management system in place. Such a system could be provided as part of a wider enterprise patch management solution. The operating systems of hosts and devices should be checked for vendor-supplied updates on a regular basis. The security update policy should also provide the operating criteria for the process that is used to roll out security updates to your organization’s systems. This process should consist of the following stages:

1. Check for updates. Some type of automated notification process should be in place to notify users of available updates.

2. Download updates. The system should be able to download updates with minimal impact on users and the network.

3. Test updates. If updates are for mission-critical hosts, you should ensure that each update is tested on a suitable non-production system before it is deployed in your production environment.

4. Deploy updates. Once an update has been tested and verified, a simple deployment mechanism should be available to help distribute it.

If the systems being updated in your environment do not require the testing phase of this list, your organization may wish to consider automating the entire process for its systems. For example, the Automated Updates option on the Microsoft Windows Update Web site makes it possible for your client computers to be notified and updated without user intervention. Using this option helps to ensure that your systems are running the latest security updates as soon as possible. However, this approach does not test the update before installing it. If this is a requirement for your organization, this option is not recommended.
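As an added example (not from the guide or from any Microsoft tool), the four stages above and the exception for systems that do not need testing can be expressed as a rollout gate: a mission-critical host may move from "test" to "deploy" only when the update has passed on the non-production system that stands in for it, while other hosts take the automated path straight from "download" to "deploy". The host names, the `test_twin` pairing and the update identifier are constructed placeholders.

```python
"""Rollout gate for the check / download / test / deploy stages (added example)."""
from dataclasses import dataclass, field
from typing import Optional

STAGES = ("check", "download", "test", "deploy")


@dataclass
class Host:
    name: str
    mission_critical: bool
    # Hypothetical pairing: the non-production system on which updates for this
    # host are tested first (None when the host does not require the testing phase).
    test_twin: Optional[str] = None


@dataclass
class Update:
    ident: str                                      # vendor's update identifier (placeholder here)
    passed_on: set = field(default_factory=set)     # systems on which the update passed testing


class RolloutError(Exception):
    """Raised when the policy forbids the requested stage transition."""


def next_stage(update, host, current):
    """Return the stage that follows `current` for this host, or raise if the policy forbids it."""
    if current not in STAGES:
        raise RolloutError(f"unknown stage {current!r}")
    if current == "deploy":
        raise RolloutError("already deployed")
    if current == "download":
        # Mission-critical hosts never skip testing; everything else is automated.
        return "test" if host.mission_critical else "deploy"
    if current == "test":
        if host.mission_critical and host.test_twin not in update.passed_on:
            raise RolloutError(
                f"{update.ident} has not passed testing on {host.test_twin} (twin of {host.name})")
        return "deploy"
    return STAGES[STAGES.index(current) + 1]


def rollout_plan(update, hosts):
    """Walk every host through the stages; report where each one ends up."""
    plan = {}
    for h in hosts:
        stage = "check"
        try:
            while stage != "deploy":
                stage = next_stage(update, h, stage)
        except RolloutError as err:
            stage = f"blocked at {stage}: {err}"
        plan[h.name] = stage
    return plan


if __name__ == "__main__":
    # Constructed fleet: two mission-critical servers, one kiosk on the automated path.
    fleet = [Host("sql-prod", True, "sql-test"), Host("file-prod", True, "file-test"), Host("kiosk", False)]
    upd = Update("UPDATE-ID-PLACEHOLDER", passed_on={"sql-test"})
    for name, outcome in rollout_plan(upd, fleet).items():
        print(f"{name}: {outcome}")
```

With the constructed data, sql-prod and the kiosk reach "deploy", while file-prod is held at "test" because no passing result exists for its twin. Keeping the gate in one function means the "automate everything" option in the paragraph above is a per-host flag rather than a separate process.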

Ensuring that your organization’s systems are maintained with the latest security updates should become a routine part of your organization’s system management.

Risk-based Policies

With so many clients, servers, and network devices connected at the perimeter and internal network layers of the antivirus defense-in-depth model, it can be difficult to create a single effective security policy to manage all of the requirements and configurations in your organization. One approach you can use to organize your policy is to group the hosts in your organization into categories based on their type and exposure to risk.

To help determine the level of risk to assign to a host or device, consider conducting a risk assessment on each of them. A detailed set of guidance on performing such risk assessments is available in "Chapter 3 – Understanding the Security Risk Management Discipline" of the Microsoft Solution for Securing Windows 2000 Server on TechNet at:
http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/03secrsk.mspx.

Microsoft recommends consideration of the following configuration categories for your organization’s client focused risk assessment policies:

Standard client configuration. This configuration category usually applies to office-based desktop computers that stay physically on site in an office building. These desktop clients are continuously protected by the existing external and internal network defenses, and they are secured within an organization’s buildings.

High-risk client configuration. This configuration category is designed to meet the needs of mobile computer users and mobile devices such as PDAs and mobile phones. These devices often move outside the protection of the organization’s network defenses and are therefore at a higher level of risk.

Guest client configuration. This configuration category is designed for client computers that your organization does not own or support. Managing the configuration of these computers may not be possible, because you are unlikely to have control over their configuration. However, you can set policies that will limit the ability of these computers to connect to your organization’s networks. Guest client computers are typically one of the following types:

Employee home computers.

Partner or vendor computers.

Guest computers.

Microsoft also recommends establishing risk categories for server roles, and the same risk assessment is recommended for servers as well as clients. As a starting point for your server policies, you could consider the following configuration categories:

Standard server configuration. This configuration category is designed to be a common denominator for the majority of server configurations in your environment. It provides a minimum level of security, but without restricting commonly used services. You can then modify the high-risk and role-specific configuration category policies to cover all policy requirements at an appropriate level.

High-risk server configuration. Servers that are in the perimeter network or exposed directly to external connections and files should be considered in this configuration category. For example, this category could include perimeter Web servers, firewall servers, and messaging servers. A server that contains particularly sensitive data, such as an HR database server, might also warrant this configuration regardless of its network location.

Role-specific configurations. Your organization may also choose to organize specific server roles into different configurations to more closely match the requirements of your server applications. For example, you may choose to use role-specific configurations for messaging servers, database servers, or firewalls. You may elect to use this approach in addition to either the standard or high-risk configuration category as required.

The use of risk-based policies is ultimately the choice of the planning teams in your organization, and you can use the referenced configuration classifications as a basis for further development. Ultimately, the goal is to reduce the number of configurations your management systems must support. In general, a standardized approach is more likely to yield a secure configuration than configuring the security of each host in your environment independently.

Automated Monitoring and Reporting Policies

If your organization uses an automated monitoring system or an antivirus application that can report suspected malware infections to a central location, it is possible to automate this process so that any alert will automatically inform all of the users in your organization’s IT infrastructure. An automated alert system will minimize the delay between an initial alert and users being aware of the malware threat, but the problem with this approach is that it can generate many "false positive" alerts. If no one is screening the alerts and reviewing an unusual activity reporting checklist, it is likely that alerts will warn of malware that is not present. This situation can lead to complacency, as users will quickly become desensitized to alerts that are generated too frequently.

Microsoft recommends assigning members of the network administration team the responsibility of receiving all automated malware alerts from all system monitoring software or antivirus packages that your organization uses. The team can then filter out the false positive alerts from the automated systems before issuing alerts to users. For this approach to be successful, the team needs to monitor for alerts 24 hours a day, 7 days a week to ensure all alerts are checked and, if required, released to network users.
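An added example, not code from the guide, of the screening step the team would sit behind. Console alerts (constructed data with made-up hosts and signature names) are sorted into three outcomes: known false positives are dropped, repeats of the same signature on the same host within a window are collapsed, and only a signature seen on several hosts or one the engine failed to clean is escalated as a candidate for a user bulletin; single quarantined detections stay in the team's review queue. The false-positive list, the spread threshold and the window are assumptions for the example.

```python
"""Screening queue for automated malware alerts (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    when: datetime
    host: str
    signature: str
    action: str   # what the engine reported: "quarantined", "cleaned" or "failed"


# Hypothetical: signatures the team has already confirmed as false positives.
KNOWN_FALSE_POSITIVES = {"Tool.KeyFinder.Generic"}
SPREAD_HOSTS = 3                # same signature on this many hosts -> escalate
WINDOW = timedelta(hours=1)     # repeats inside this window collapse into one

T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_ALERTS = [   # constructed for the example
    Alert(T0, "ws-01", "Worm.Example.A", "quarantined"),
    Alert(T0 + timedelta(minutes=5), "ws-01", "Worm.Example.A", "quarantined"),   # repeat
    Alert(T0 + timedelta(minutes=10), "ws-02", "Worm.Example.A", "quarantined"),
    Alert(T0 + timedelta(minutes=20), "ws-03", "Worm.Example.A", "failed"),
    Alert(T0 + timedelta(minutes=30), "ws-04", "Tool.KeyFinder.Generic", "quarantined"),
    Alert(T0 + timedelta(minutes=40), "ws-05", "Trojan.Example.B", "cleaned"),
]


def screen(alerts, known_fp=KNOWN_FALSE_POSITIVES, spread_hosts=SPREAD_HOSTS, window=WINDOW):
    """Return (escalate, review, dropped): per-signature summaries and the raw dropped alerts."""
    dropped, kept = [], []
    for a in sorted(alerts, key=lambda x: x.when):
        (dropped if a.signature in known_fp else kept).append(a)

    # Collapse repeats of the same (host, signature) that fall inside the window.
    last_seen, collapsed = {}, []
    for a in kept:
        key = (a.host, a.signature)
        if key in last_seen and a.when - last_seen[key] < window:
            continue
        last_seen[key] = a.when
        collapsed.append(a)

    # Group by signature and decide whether the team should look at it urgently.
    by_sig = defaultdict(list)
    for a in collapsed:
        by_sig[a.signature].append(a)
    escalate, review = [], []
    for sig, items in by_sig.items():
        hosts = sorted({a.host for a in items})
        failed = sorted(a.host for a in items if a.action == "failed")
        summary = {"signature": sig, "hosts": hosts, "failed_cleanup": failed}
        (escalate if len(hosts) >= spread_hosts or failed else review).append(summary)
    return escalate, review, dropped


if __name__ == "__main__":
    esc, rev, drop = screen(SAMPLE_ALERTS)
    print("escalate:", esc)
    print("review:", rev)
    print("dropped:", [(a.host, a.signature) for a in drop])
```

On the constructed input, Worm.Example.A is escalated (three hosts, one failed clean-up), Trojan.Example.B waits in the review queue, and the key-finder detection is dropped. Nothing in this path reaches end users directly; the escalate list is what the team confirms before releasing an alert, which is the screening the paragraph above describes.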

User and Support Team Awareness

Team awareness and training should target the administration and support teams in your organization. Training for key IT professionals is a fundamental requirement in all areas of IT, but for antivirus defense it is especially important because the nature of malware attacks and defenses may change on a regular basis. A new malware attack can compromise an effective defense system almost overnight, and your organization’s defenses could be at risk. If the support personnel for these defenses are not trained in how to spot and react to new malware threats, it is only a matter of time before a serious breach in the antivirus defense system occurs.

User Awareness

User education is often one of the last considerations an organization makes when designing its antivirus defense. Helping users understand some of the risks associated with malware attacks is an important part of mitigating such risks, because everyone in the organization who uses IT resources plays a role in the security of the network. For this reason, it is important to educate your users about the more common risks that they can mitigate, such as:

Opening e-mail attachments.

Using weak passwords.

Downloading applications and ActiveX controls from untrusted Web sites.

Running applications from unauthorized removable media.

Allowing access to your organization’s data and networks.

As malware techniques change, antivirus defenses have to be updated. Regardless of whether an antivirus program’s signature file or the program itself needs updating, it takes time to create and deploy updates. The amount of time it takes to create updates has been dramatically reduced over the last few years, and these updates are generally available in a matter of hours. However, in rarer cases, it can still take days from the time a new malware attack is released to make an effective antivirus defense available.

During this time the best defense your organization may have is users who are aware of malware and its risks. Providing your users with basic antivirus guidelines and training can help prevent a new malware strain that makes it past your IT defenses from propagating throughout your environment.

Training users does not have to be a complex process. Basic antivirus guidelines are largely based on common-sense principles, but ensuring such guidelines are enforced and communicated clearly can be more of a challenge. The Windows XP Baseline Security Checklists available on Microsoft TechNet at:
http://www.microsoft.com/technet/archive/security/chklist/xpcl.mspx can help you identify common antivirus and security-related issues to communicate to your users.

Users responsible for mobile devices are likely to require additional training to help them understand the risks associated with taking a device outside of the organization’s physical and network defenses. It is likely that additional defenses will be required specifically to safeguard these mobile devices. For this reason, you may need to require additional configuration and training for users who manage these devices.

Note: Useful end-user configuration information is available at:
www.microsoft.com/security/protect/. This site is a good information resource that can help your users educate themselves on how to secure their home computers and networks.

Support Team Awareness

The IT professionals responsible for the configuration and support of the servers, clients, and network devices of the organization will need antivirus training to help them ensure that their systems are optimally configured and maintained to stop malware attacks. Errors in the configuration of any of these computers or devices can open a route for a malware attack. For example, if a poorly trained firewall administrator opens all the network ports by default on a perimeter firewall device, a serious security and malware risk would be created. Administrators who are responsible for the devices that connect to your organization’s perimeter network should receive specific security training to help them understand the range of attacks that can affect the network devices.

Many events, hands-on labs, and Webcasts on security topics are available directly from Microsoft. For more information about these topics, see Your Security Program Guide on Microsoft.com at:
http://www.microsoft.com/seminar/events/security.mspx.

Security training and books are also available from Microsoft Learning. For more information about these publications, see the Microsoft Learning Security Resources page on Microsoft.com at:
http://www.microsoft.com/learning/centers/security.asp.

Obtaining User Feedback

Malware-aware users can provide an excellent early warning system if they are presented with a simple and effective mechanism to report unusual behavior on the systems they use. Such a mechanism can take the form of a telephone hotline number, e-mail alias, or a rapid escalation process from the organization’s Helpdesk.

Proactive Internal Communications

If possible, members of the IT department should create a proactive antivirus response team that is responsible for monitoring external malware alert sites for early warnings of malware attacks. Good examples of such sites include:

Antivirus application vendor Web sites.

The Anti-Virus Information Exchange Network (AVIEN) Web site at: www.avien.org.

Antivirus alert services, such as the Antivirus Information Early Warning System (AVI-EWS) from AVIEN (you can subscribe to these services).

The Microsoft Security Antivirus Information Web site on Microsoft.com at: http://www.microsoft.com/security/antivirus/default.mspx.

Regular checking of reference sites like these should enable support staff to notify systems administrators and users of current malware threats before they penetrate your organization’s network. The timing of these checks is crucial. Ensuring that system users receive a proactive warning before checking their morning e-mail can make the difference between managing the removal of a few suspicious e-mails and trying to contain a malware outbreak. If the majority of your system’s users log on at 9 A.M., establishing a way to communicate new malware threats before this time would be considered best practice.

Internal Malware Alerts

Finding the most effective mechanism to inform all users of the potential for a malware attack in a timely and comprehensive way is crucial. Available communications systems vary greatly depending on the organization’s infrastructure, and it is impossible to provide a malware alert system that will work for all organizations. However, this section provides the following examples of mechanisms that your organization may wish to consider for this purpose:

Organization notice boards. A low-tech approach that should not be forgotten is to use internal office doors, notice boards, or paper-based information points that are obvious to employees. Although this process involves some overhead to maintain, it has the significant advantage of communicating vital information to your users when areas of the network are unavailable due to an attack.

Voice mail systems. If your organization’s voice mail system supports it, the ability to leave a single message for all users can be an effective mechanism to communicate a malware alert. However, it should be noted that this method relies on users accessing voice mail before e-mail to alert them of an e-mail threat.

Logon messages. You can configure the Windows operating system to deliver a message directly to your users’ screens during the logon process. This mechanism provides a good way to draw user attention to malware alerts.

Intranet portals. A common intranet portal that users have set as their home page can be used to provide malware alerts. Users will need to be advised to view this portal before accessing their e-mail to make this alert mechanism effective.

E-mail systems. Care should be taken when using an e-mail system to communicate malware alerts to your users. Because an attack could affect your e-mail servers, this mechanism may not be effective in all cases. Also, the nature of the inbox queuing process could deliver a malware warning after an e-mail containing malware has already been delivered to your users. For this reason, you may need to advise your users to first look for high priority malware warnings when they first log on to their computers before reviewing any e-mail messages.

Summary

Antivirus defense is no longer a matter of installing an application. The most recent malware attacks have proven that a more comprehensive defensive approach is required. This chapter has focused on how you can apply the defense-in-depth security model as the basis of an effective antivirus solution for your organization. It is important to understand that malware writers are continually updating their methods to attack new IT technologies that your organization may be using, and that antivirus technologies are constantly evolving to mitigate these new threats.

The antivirus defense-in-depth approach should help ensure that your IT infrastructure will address all possible malware attack vectors. Using this layered approach makes it easier to recognize any weak points in the entire system, from the perimeter network to the individuals working at their computers throughout your environment. Failure to address any of the layers described in the antivirus defense-in-depth approach could leave your systems open to attack.

You should constantly review your antivirus solution so that you can update it whenever needed. All aspects of antivirus protection are important, from simple automated virus signature downloads to complete changes in operational policy.

Similarly, because the information provided in this guide is subject to updates, it is important to continually monitor the Microsoft Security Antivirus Information Web site on Microsoft.com at http://www.microsoft.com/security/antivirus/ to receive the latest antivirus information and guidance.

Microsoft recognizes how disruptive and costly malware can be, and has invested a great deal of effort into making it more difficult for those who create and distribute malware. Microsoft is also working to make it easier for network designers, IT professionals, and end users to configure systems to meet their security requirements with minimal impact to their business operations.

Although it may not be possible to completely eradicate malicious code, focusing consistent attention on the areas highlighted in this antivirus defense-in-depth approach will help minimize the effect a malware attack can have on your organization’s business operations.
