
University IT Departments and Viruses?

Posted by Cliff
from the keeping-the-campus-clean dept.
buggedByViruses asks: "I work for a University IT department, which I would prefer to keep anonymous. We are in the process of making a major decision in dealing with the onset of a large amount of viruses which may or may not have the possibility of causing a lot of damage to students' and university machines. The only solution we came up with is to get the students to download and install the university site licensed copy of Norton Anti-Virus managed by a Norton server which allows us to automatically keep the students' machines updated properly with the latest virus definitions and be able to perform a mass scanning for viruses if we felt the need." I am all for sane policies in keeping viruses off of campus networks, but scanning directories for infected files is no longer sufficient in catching viruses, especially solutions that are known for their lack of cross platform support, and certain privacy issues as well. Norton Anti-Virus is all fine and good in a business environment where homogeny is expected, but is this expectation true of many college networks?

"[It should be noted that] the Norton server allows you to view the entire directory structure of someone's machine and allows you to see the files it is scanning as if it were your own machine. We realize this was designed more for companies and businesses, but we have found that viruses have become a major problem and give us a huge headache when we try to support all the students connected to the university network.

My question is what do other university IT departments do in response to the increase in viruses over the past 2 years. I know there are a lot of university IT employees in the Slashdot community and I look forward to getting some feedback as to how they go about doing this without causing too many privacy problems. The way we are looking at it, and we are very privacy concerned and wouldn't do anything malicious with it, is that the students are using our network under our regulations and as long as we don't use the software to 'check up on' the contents of someone's hard drive (except obviously for viruses), then what we are doing is completely legit.

Any feedback would be greatly appreciated."

  • Boot from bootable CDROM with the drives sealed inside the machine. Read only media can never get infected. Or net boot all machines. Linux can do this. Then you deinfect machines (infected in RAM only) by rebooting them. With net booting you can patch your boot image with security fixes and then just reboot all machines to clean them. I know that Win 3.1/WFW can boot from read-only media too. Can 95/98/ME? Or NT?
  • by Anonymous Coward

    Easiest thing in the world. Install vmware. Make one image of win9x. Shove it out to all your linux/vmware boxes. Configure it so that it doesn't save any writes.

    You got virus?

    Reboot. Virus gone. Also removes the problems of illegal software, drivers, etc etc.

  • In other words, students were held financially accountable for their actions. In effect, there was something like self-insurance by each student for damages they might cause.

    What if a similar approach were taken with student (and faculty) systems?


    Ooh yah, that's a GREAT idea.

    University Official: "Well, sez 'ere you made a call to the Help Desk a few days after you got here."
    Student: "Yah, I wanted to know where I could download a new BIOS for my machine, the USB controller was acting up."
    University Official: (eyes narrow) "So you had a problem with your computer, eh? Well, you know, computer problems are caused by viruses, and if you had a problem it means you had a virus. And you're financially responsible for having viruses on your computer! University policy, you know. That'll be nine hundred dollars, please."
  • by Anonymous Coward
    A guy goes to the doctor complaining of eye pain. "Doctor, it hurts when I stick my finger in my eye like this...Ouch!" The doc says "Ah hah! I see the problem. Don't stick your finger in your eye." "I'm cured!" says the patient. He heads home feeling much better. The very next day while sitting at his computer the patient, once again, (sigh) sticks his finger in his eye. "Ouch!" A guy goes to the doctor complaining of eye.....
  • by Anonymous Coward on Sunday June 10, 2001 @08:59AM (#162523)
    I work with the mail systems for a major ISP, and 6 months ago I installed TrendMicro's VirusWall for our Business System. I have two Compaq DL 360's running RedHat 6.2 scanning inbound and outbound emails for our largest customer, 20,000 mail accounts. And I must say it works great! Anna was stopped dead in its tracks-- which is more than I can say for our Corporate servers, which they had to shutdown. To date, I haven't had any problems and/or issues. And I don't have any maintenance concerns at all (stopping and starting services, checking memory, high loads, and the oh so critical updating of virus patterns, etc.). Trend has solutions for Web, FTP, and Sendmail. You might want to look into it. It's one system I'm happy to SA for.
  • If you are concerned about platform support, or the users turning off their software; scan before the data gets to their desktop.

    I wouldn't recommend Norton for this though; Norton was designed for the desktop and their server products are "lacking" compared to competitors. The two I've had the best experience with are Trend Micro's Interscan Virus Wall or Aladdin's eSafe. My personal preference is for Aladdin's eSafe (as long as you don't tie it into Checkpoint's firewall ;-) if you do that use Trend).

    From what I've seen Aladdin's product holds up best under high stress using the same hardware; they don't have to operate as a proxy like Trend. Both of these companies started at the gateway, so their desktop product generally sucks compared to Norton.

    Trend's desktop is the usual anti-virus scanning program; Aladdin's is a personal firewall and content checking program (uses SurfCONTROL for the URL list).

    If you have any questions about the two drop me a line at "wpierce at athenasecurity dot com".

    Wayne

    --
  • Even though I do not work for them for over two years, I felt that a good part of the setup I know about by doing some server spelunking may help.

    Each machine, may it be Mac, NT, or Sun, on boot connects up either with an AFS server (NT/Sun) or AppleTalk server, and pulls a Makefile (the process is similar on the Macs). The Makefile is checked/run and files are replaced as need be. This includes McAfee Virus Shield patterns!!!



    --
    WolfSkunks for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.keenspace.com";

  • First, program all mail servers to reject attachments commonly used to transfer viruses. This will block 95% of them. If that's still not good enough, scan all systems for Outlook and remove it. It's a lot easier to remove Outlook than to remove a potentially large number of random viruses. This will get most of what's left. If that's *still* not enough, you can either forbid the use of Microsoft-based systems or use various scanners on the more important machines and tell the students that they're on their own.

    Frankly, the technically easiest solution is to use operating systems that are not susceptible to viruses. People who insist on using inferior systems may do so, but may not attach to the network. Good luck implementing this, though; the people who set policy are all on the take from Microsoft.

  • Our company filters emails on content and doesn't allow any HTML type messages that look like they contain scripting.

    It's kind of annoying, though. I subscribe to a number of development email lists and a large portion of the content is whacked by the anti-virus software.

    I basically have to get around it by using a different mail account like hotmail.com.
  • I would recommend that you pose this question on a security mailing list that sans.org runs specifically for University Systems Administrators. Send an email with "subscribe unisog" in the body (not the subject) to majordomo@sans.org to subscribe.
  • "Tell em, don't open mail from people you don't know"... have you actually looked at the majority of viruses that have come out over the past 3 years? Viruses these days are more likely to come from people you know, making this piece of advice laughable.
  • Open Source virus filter: www.amavis.org

    Since we installed it, we've had only one virus problem, and it was a sneaker-net transmitted one.

    The wheel is turning but the hamster is dead.

  • Since everyone seems to be beating the dead horse of installing software on student boxes, I figured I'd interject some real-life experience with NAV Corporate.

    Ah, good ol' NAV Corporate. I just rolled out a hundred user license of that thing at my employer, only had three hiccups so far which are solved by an update. Unfortunately two of those three have fscked up their systems so badly not only will the update fail but the old version won't uninstall. That's right Bill, keep blathering about .NET and features people don't need/want, never focus on fixing bugs that are already there.

    One thing to remember is that the product isn't a modified version of Symantec's NAV codebase, it's really Intel's LANDesk virus protection software. Intel sold it a while back to Symantec, and they modified it and released it as their own. Sounds like a bastard child but with 7.5 it's pretty close to NAV in terms of problems/solutions. Registry keys are still listed as Intel LANDesk, heh.

    Highs are the virus definitions coming to a central server and getting pushed out to secondary servers and all clients automatically, usually within minutes of the update being downloaded. AND without the users' ability to cancel the update.

    Lows are program updates. First, LiveUpdate doesn't grab program updates, not on the central server, and not on the client boxes. This means you have to call Symantec for updates, which while free for one person does take time (sitting on hold for 1hr). Second, there doesn't appear to be a LiveUpdate-ish method for rolling out program updates. Granted you can use login scripts, etc. for rolling them out but that, to some extent, involves user interaction. When some users reboot several times each week in a vain attempt to avoid the weekly administrative scan ("But I want to use MY system!" It's not your system, it's the company's system, and if you didn't think a coworker loved you that mess a few months ago might've been avoided. Go have some more coffee, it only takes 15 minutes, if you left it alone it'd be DONE by now), even though reboots just start the process over, keeping them out of the picture is a good thing.

    Client support is limited to 9x/NT/2000, with NT/2000/Netware support for servers. A Mac client is in the box with 7.5.1 but it won't talk to the central server so it's back to the end-user conundrum of the software asking to run LiveUpdate and the user declining to run LiveUpdate ("I just ran that there update three weeks ago! I don't need none of them updates for a while!").

    I wouldn't hold your breath for any un*x tie-ins. Then again, my experience with colleges has been that un*x has a small foothold outside of the CIS & technical arenas (at the very least I've met few fresh-from-college marketing/management/legal/etc majors with any lasting un*x experiences)
  • by Ed Avis (5917) <ed@membled.com> on Sunday June 10, 2001 @08:36AM (#162532) Homepage
    Just remove Outlook from all the machines. That's what will happen soon at my university.

    Not a 100% cure but it will eliminate most of the worms going around.
  • It's not possible to force people unless you compel them to install something like NAV and then locking it down with scheduled run they are powerless to control. Barring that you should be concerned with blocking the propagation of the malware. Put in mailscanning and mailblocking gateways assuming you support the same mail systems they support. And then put ingress/egress filters on your switches and routers to prevent unknown crud from flowing through whatever ports it wants. Disable the obvious like tftp, r* commands, limit the use of X, limit the use to nfs, udp traffic generally and stamp out fake dns servers. But of course none of this is entirely possible either.
  • by hatless (8275) on Sunday June 10, 2001 @10:17AM (#162534)
    I'm not crazy about viruses spread via Outlook and the rest of MS office either, but between desktop antivirus software with forced updates and antivirus software on the mail servers and, heck, the school's net gateways would trap damn near everything. The little that makes it in via, say, encrypted e-mail on CompSci students' machines, wouldn't get too far as long as students and staff didn't tamper with their desktops' software.

    As for "cross-platform", what's missing? The antivirus scanners on the net gateways would trap any worms targeting your Linux box, as long as you aren't receiving it via an encrypted protocol. Windows antivirus software--especially the server stuff--carries pattern files covering not just the zillions of Windows viruses and such, but also the far fewer Mac ones and the dozen or so Unix/Linux ones. And the two targeting PalmOS.

    If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. Do transfers with floppies and Zip disks. It's not your network, and you have no "rights" with regard to it.
  • by Christopher Thomas (11717) on Sunday June 10, 2001 @08:56AM (#162535)
    One of the most overhyped issues of IT today is virii. I have downloaded countless programs from the internet and only once had a virus install.

    Until we installed a virus checker at my old workplace, we were inundated with macroviruses in Word documents - many of them from our clients (large, hopefully professional companies who shall remain nameless).

    We were lucky. All these tended to corrupt were new documents we were writing. This person may not be so lucky.

    Also, we all know that half of the students will be installing their own entertainment applications. It's not beyond reason to think that one may pick up a bug. Heck, if it's anything like my undergrad days, the students will already be storing pirated games in secret locations, possibly with the help of moles in the sysadmin office.

    Word macro viruses would be my main worry, though. These are _endemic_ to all Windows environments I've run across that exchange documents with the outside world.
  • by Christopher Thomas (11717) on Sunday June 10, 2001 @09:12AM (#162536)
    I'm assuming that your first priority is protecting machines administered by the university. Students' personal machines are probably beyond the coverage of university site licenses, and 90% or more of the students will either ignore administrative requests, or spend 5 minutes trying to figure out how to follow them and then give up.

    For the Windows network, my best suggestion would be a combination of virus scanning and regular, automated reinstall.

    Put virus scanners on all of the machines, as part of their standard installation. If it's Nav, tell it to check incoming file attachments and documents - this is very, very helpful (my old workplace had a problem with macro viruses). You can probably get away with telling it to scan only local drives.

    Put another virus scanner on a machine with direct access to all directories on the fileserver. It'll do your sweep of the network drives. You can either create a special NT profile for it that gives it access to all drives, or (failing that) you can run it on the fileserver itself at 4am Sunday morning (not Monday morning, because students will pull all-nighters on Sunday to finish projects due on Monday - I've TAd courses where they regularly did this).

    Next, set up the user machines with one of the third-party bootstraps that compares all system files to copies on the network server, removes anything that shouldn't be there, and fixes anything that's changed. This is the only way I know of to really bulletproof Windows, and as far as I can tell, it does work. The version installed on the PCs at my university also wiped the local drives and did a full reinstall weekly. Either tell the users to power off the PCs at the end of the day, or send an admin around to do it at the end of every week.

    Needless to say, you should enable boot virus protection in the BIOS. While you're there, you should also force booting from the hard drive first and then password the BIOS, to prevent student shenanigans. This is standard practice at most shared PC installations I've seen.

    Re. Macs, you're on your own. This is outside of my experience.

    Re. Linux, *BSD, Solaris, etc, you probably don't have much to worry about to the first order. The vast majority of viruses run under Windows. Anything malignant in the user's files should be caught by the sweep of the fileserver. I don't really see what could go wrong in an environment like this, given that the user doesn't have root access.

    To make *sure* the user doesn't have root access, set the machine to boot off of the hard drive first and lock down the BIOS, for any *nix-on-PC machines. If you're paranoid, set up a cron job to refresh the machine's configuration from a CVS server nightly or weekly, just in case something goes strange or is tampered with.

    If you're really feeling paranoid about *nix terminals, make them all netboot off of the file server, with the local hard drive just being swap space. Keep a close eye on the server's configuration, and you should be fine.

    In summary, with a bit of planning, you should be fine under most conditions. Virus-hardening merges naturally with hardening against bit-rot and active attacks by the users.
  • I work for a consultancy firm. We roll out e-mail virus scanners for our clients, as we saw that the _vast_ majority of viruses infect machines through e-mail. We use qmail + Jason Haar's qmail-scanner, which automatically updates its own datfiles through some scripts we've written. If you are going to do campus-wide scanning, don't forget e-mail (or rather, start with e-mail scanning).
  • This is true at VCU (Virginia Commonwealth University) as well -- basically a site license that can be used on any system, be it university or personal student/employee.

    Unfortunately, you have to know it's there, which many people don't. And it has to be set up properly to auto-scan, and of course with IMAP the email scanning doesn't work...

    ---------------------------------------------
  • by Gerv (15179) <gerv@g[ ].net ['erv' in gap]> on Sunday June 10, 2001 @08:48AM (#162539) Homepage
    Er... why are you asking Slashdot rather than some, er, University IT Departments?

    Here at Oxford, things are very decentralised. We have a crack team at the Computing Services (and our own version of CERT, OxCERT) who put emergency blocks on incoming mail if an email virus is doing the rounds (e.g. Kournikova) and manage the firewall between us and JANET, where some well-known and dangerous ports are firewalled out.
    However, although we may have a site license for something (Sophos, I think) no-one's forced to use it. People are responsible for their own machines.
    Why not just have a policy: "if your machine gets trashed by a virus and you didn't have this installed, we won't help you fix it." but not make it compulsory?

    Gerv
  • That's probably true- i've worked at much larger companies with lotus notes than with exchange. notes always seemed to scale better, too.

    however, at least in the securities industry, everyone seems to have exchange these days. I think it has something to do with conservative IT shops that are full of MS-oriented managers, who all view Lotus Notes as some old fringe product that is dying out.

    I personally prefer to use a combination of postfix and IMAP, but then again I don't make purchasing or deployment decisions about mail. and god forbid I not have a nice drag-n-drop solution for you to manage your contacts and your calendar!!!
  • Scanmail [antivirus.com] for Exchange or whatever else it is you people use for uni email (I like the other 70-odd percent of corporate america use MS exchange, and it does its job relatively well.) if you use something else like basic sendmail/smtp stuff they have products for those as well.
    Trend Micro's [antivirus.com] desktop scanning software, no client required; you can either have it scan fileshares (ala NT c$ etc) or have the end user do it from a web page that starts a little java app and scans.

    There's other stuff out there but honestly speaking, trend micro's stuff is pretty nice. I had a few probs with scanmail to start but got it sorted and it's worked great (ILOVEYOU and other VBS email stuff dropped dead.) We used to use norton AV (corporate edition) but that is just a complete piece of crap. I dumped it entirely and moved to the (cheaper) trend micro stuff once I scored a demo copy.

    In terms of handling multi-OS'es, and yadda yadda yadda... that's why students have to meet a code of conduct and follow the rules. make one of those be that they have to comply with virus updates or scanning, or not have network access to the uni's network. Or, if you don't feel like being so heavy handed, you could offer supported AV platforms for different architectures and then support installing and updating them- say, emailing SARC updates instead of pushing them down, or whatever. I suppose that would depend on how fascist you want to be- I personally would lock down all computers that the uni owns, but personal machines would just have to meet the criteria that is set out in the usage policy (properly updated AV software that, if you want, we'll help you to install and keep updated.)

    Anyhow, you need to take some hard steps at first to keep it in check, and then that makes it easier later.... good luck!


  • what happens on student's personal machines any of the University's business?
    Also, how is it a risk? What kind of viruses are you afraid of here, exactly?
  • I put together the Mac part of Miami U's network client CD, and both the Mac and PC distributions feature NAI's anti-virus software installers. We sell this CD at the university bookstore and distribute it for free to all on-campus residents. The installers and documentation highly recommend installing anti-virus software, but it is not technically or policy-wise mandatory. The NAI workstation software may be configured to periodically download newer versions of itself, but it does not report back any findings to a central server.

    I'm also serving on Miami's committee to review responses to a university-wide email server RFP. Server-based anti-virus software was listed in our RFP as a strong preference. Most vendors included with their proposals referrals to third party anti-virus filters that could be shimmed into their email solutions.

    I have also recommended that we investigate a virus filter for our Internet borders, and I think my suggestion was taken seriously. The biggest speedbump down that road, I imagine, is going to be funding. Border filters are not cheap.

    Finally, I can say that our Support Desk has had an explosion in virus-related calls over the last few years. I believe I heard one of the SD managers say that viruses are now their biggest source of calls.

  • I too work at a University (if you read my e-mail address you can guess which one). We use Norton Antivirus as much as possible. We use Ghost and Assimilator on all new machines for Faculty and Staff, including Norton Antivirus. For the Students we produce a software CD every year, cross platform with Stuffit Installer Maker and Install Shield. It includes a variety of software, mostly Internet focused, including Norton Antivirus. We offer an obvious link to download the installer off of our ITS web page. But when it comes to automatic updates, we decided against it. It isn't our responsibility to protect users from their own mistakes. We can only show them the path, but they must walk it. We do what we can, including making sure that Norton will alert users when definitions are out of date, preconfiguring it to monitor opened files, and to run periodic full scans. We warn users via e-mail every time we see an outbreak of a new virus. We even try to filter some things (like kournikova) at the server level. We also provide complete and total support for those who have been afflicted with a virus. We provide network space and instructions so people can avoid floppy disks. We clean our own computers daily, to restrict the spread in public areas. We have a full service centralized Help Desk just for students (one of the top 5 amongst universities) . But we can't tell users how they can or can't use their computers. Generally speaking, we find it works. Most people desire to receive a virus about as much as you or I do, i.e., not at all. They do their part, provided they know how. So we focus on educating the users, providing the tools, and showing the way. We're confident that when our students go out into the corporate world they'll be able to update their own virus definitions, rather than blindly assuming that their corporate IS department will hold their hands and coddle them and make it so they never have to know anything by doing all the work for them. 
    Users aren't that dumb, they just need to be shown the way.
  • I was going to flame you and say that there are enough legitimate reasons to send around exe's in a University environment that your suggestion would be intrusive. But, upon further consideration, anybody who was sending an executable for a legitimate reason is probably l337 enough to zip it anyway :)
  • Good idea. Few problems (NB I'm not slaggin the whole thing, just picking a few nits)

    First, I wouldn't put it past the average university to blame students even if the latest update of the officially proscribed anti-viral software is installed and properly running.

    Second, damage deposits are usually the property of the person who makes the deposit. So is the interest.

    Despite the obvious signing of waivers, other students could claim that the university is responsible for their computers' safety should various protections be required.

    Faculty will never agree to anything that may endanger their funding. No way, no how. University IT dept's are the faculties' collective 'beeyatch'.

    Scan my ports, I DoS you. Deal with it. (I don't, but someone would.)

    A few things to answer, but not a bad idea.

  • I imagine that the University would take care of the Red Hat machines in much the way they would take care of the Mac OS machines: Not on My Network!

  • most viruses today are propagated via e-mail... there are plugins that will allow you to scan mail for viruses -- such as Virus Wall; that's what my organization uses, and it stops virtually 98% of the viruses that come in, the other 2% are picked up by McAfee VirusScan.

    I'd suggest you look into implementing some solution like that prior to imposing your anti-virus policies on the university as a whole. Oh, and furthermore, what about folks who aren't using Windows on your network? What do they have to do?
    -C
  • and we are using norton antivirus corporate edition on all of the university-owned computers (we don't have the live-update/management server up and running yet, but we will have one in a month or so). we haven't had any virus problems on the Winnt machines here since we started putting corporate edition on a year ago, and we have the software set to liveupdate itself every friday night at 8:00pm (and then run a scan of the entire computer 30 minutes later). the nice thing about corporate edition is that there is 'realtime filesystem protection' running all of the time, so any file-related activity that goes on is scanned (eg: copying/moving/downloading/opening files). this applies to the computers in our student-access labs as well. as for the student machines, does your site-license extend to their computers? if not, then they are obviously on their own; if it does, then i would prepare instructions on installing the corporate edition in an unmanaged state (not centrally managed, no remote filesystem access: no privacy issues), and include instructions on either how to run liveupdate themselves, or to set liveupdate to run once a week automatically. an advantage for the students of installing an unmanaged corporate edition client and setting the liveupdate to run weekly is that there are no subscription issues, like there is with the retail version of nav (so when they move off-campus, they still have a virus-scanner that works, and is updatable without them having to pay for subscriptions). good luck!

    wally
  • It also solves the problem of your students being able to write any files at all so that they lose all their coursework when they reboot.

    dave
  • Rubbish, absolute rubbish. The problem is people *EXECUTING* unknown scripts or executables. Sending data files backwards and forwards is fine.
    dave
  • Any moderator who mods this down as offtopic needs to take reading comprehension again. Read the joke again, relate to the virus "industry," and repeat, if necessary.

    I think it's damn funny, myself.
  • by Wazm (33360) on Sunday June 10, 2001 @08:47AM (#162553)
    For university networks, the biggest problem is obviously pesky email viruses. The best solution I've seen is to have the university mail servers filter out all executable or .vbs email attachments. Norton antivirus is a perk, but I don't think it should be required on everyone's system. (For obvious reasons.)
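
An added example, not part of the thread or any poster's code: a minimal Python sketch of the gateway attachment policy suggested above (filter executable and .vbs attachments), which also looks inside zip attachments as raised elsewhere in the discussion. The extension list, function names and sample messages are assumptions constructed for illustration; whether a zipped executable is rejected or only logged is a site policy choice.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; a real site would tune it to its own policy.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat",
                      ".vbs", ".vbe", ".js", ".shs"}


def blocked_name(filename):
    """True if the final extension is blocked, so 'photo.jpg.vbs' is caught."""
    # Trailing dots and spaces are dropped first: Windows ignores them on open.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def zip_members(payload):
    """Member names of a zip attachment, or None if it cannot be read as a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def check_message(raw_bytes):
    """Return (attachment name, reason) for every attachment the policy flags."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text or multipart container, not an attachment
        if blocked_name(filename):
            findings.append((filename, "blocked extension"))
            continue
        if filename.lower().endswith(".zip"):
            members = zip_members(part.get_payload(decode=True) or b"")
            if members is None:
                # Cannot inspect it, so do not silently pass it through.
                findings.append((filename, "unreadable archive"))
                continue
            for member in members:
                if blocked_name(member):
                    findings.append((filename, "contains " + member))
    return findings


def make_zip(names):
    """Constructed sample data: an in-memory zip with placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"constructed placeholder")
    return buf.getvalue()


def build_sample(attachments):
    """Constructed test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "student@example.edu"
    msg["To"] = "friend@example.edu"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample([("holiday.jpg.vbs", b"x"),
                           ("tools.zip", make_zip(["readme.txt", "setup.exe"]))])
    for name, reason in check_message(sample):
        print(name, "->", reason)
```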
  • Enlightened universities will usually license Antivirus software for Mac OS. I only install it on machines that have to run Microsoft Office, as Word Macros are the only virus I've ever seen on Mac OS in the last decade (besides the auto-boot thingy, easily disabled from the QuickTime control panel).

    On the email side of things, we encourage people in our department not to use Outlook, which has paid off well, as the inevitable Outlook worms don't spread through us, which saves both the clients and us time well spent doing more productive things.

    There's something in the Bible about not building your house on sand. That's one of my reasons for not supporting Microsoft.
  • You really really need to look into a good email-based virus scanner. Honestly that's where 95% of the threat can be stopped. When was the last time you received an infected CD or floppy? Ok, now when was the last time you received a variant of Hybris via email? You should look into John Hardin's E-mail Sanitizer [impsec.org]. The information there about threats is an excellent read. The next step is stopping mail clients (or configurations) that allow ease of spreading. People may like the way Outlook works but in all honesty it has been the best thing for viri since the invention of Windows. It can be secured but someone has to actually do that. Promoting Webmail can be an alternative. Make it incredibly user friendly and feature rich and the average user will choose it over something that they can only use from home. Hopefully this will help you.

    --

  • It's trivial to filter for viruses embedded in other formats. All you have to do is process the message in stages. That's what I'm doing right now with a tool that scans NNTP feeds for "hijack" scripts. The walking dead might be using %nn encoding of HTML within uuencoded blocks, but my software peels the layers of the onion and still pulls out their "<script..." crap.

    As for the inconvenience and extra work, that is not what happens in practice. A standard notice that an attached executable (or HTML containing scripts or whatever) has been deleted suffices. Alternately, some products put the attachments into a "holding area" which requires explicit actions to retrieve, but I don't think they're actually used that much in practice.

    I have a very hard time imagining even one user in 1000 preferring to lose internet connectivity once a month or so, as the University struggles with a viral infection, to being forced to use FTP or a different encoding to receive that rare legitimate executable image.
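The staged processing described in the comment above ("peels the layers of the onion"), sketched as an added example that is not part of the original thread and is not the poster's tool. The function names and the sample post are constructed for illustration; the scanner decodes uuencoded blocks, then %nn encoding, and reports the layer at which a `<script` tag first becomes visible.

```python
import binascii
import re
from urllib.parse import unquote_to_bytes

SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
BEGIN_RE = re.compile(rb"begin [0-7]{3,4} \S")
MAX_DEPTH = 5  # bound the recursion so nested encodings cannot loop forever


def split_uu(data: bytes):
    """Return (decoded uuencoded blocks, text left over outside those blocks)."""
    blocks, rest, cur = [], [], None
    for line in data.splitlines():
        if cur is None:
            if BEGIN_RE.match(line):
                cur = bytearray()          # start collecting a new block
            else:
                rest.append(line)
        elif line.strip() == b"end":
            blocks.append(bytes(cur))
            cur = None
        elif line:
            try:
                cur += binascii.a2b_uu(line)
            except binascii.Error:
                pass                       # damaged line: keep whatever else decodes
    if cur is not None:                    # block with no "end": still scan it
        blocks.append(bytes(cur))
    return blocks, b"\n".join(rest)


def peel(data: bytes, depth: int = 0, path=("raw",)):
    """Return the decode paths at which a <script tag becomes visible."""
    blocks, rest = split_uu(data)
    found_here = bool(SCRIPT_RE.search(rest))
    hits = [" > ".join(path)] if found_here else []
    if depth >= MAX_DEPTH:
        return hits
    for block in blocks:                   # stage 1: look inside uuencoded blocks
        hits += peel(block, depth + 1, path + ("uudecode",))
    if not found_here and b"%" in rest:    # stage 2: undo %nn encoding
        decoded = unquote_to_bytes(rest)
        if decoded != rest:
            hits += peel(decoded, depth + 1, path + ("percent-decode",))
    return hits


def uuencode(payload: bytes, name: str = "page.html") -> bytes:
    """Helper used only to build the constructed sample below."""
    body = b"".join(binascii.b2a_uu(payload[i:i + 45])
                    for i in range(0, len(payload), 45))
    return b"begin 644 " + name.encode() + b"\n" + body + b"`\nend\n"


# Constructed sample: %nn-encoded HTML hidden inside a uuencoded block.
SAMPLE_POST = (b"Subject: free wallpaper\n\nsee attached\n"
               + uuencode(b"%3CSCRIPT%3Edocument.title%3D1%3C%2FSCRIPT%3E"))

if __name__ == "__main__":
    for hit in peel(SAMPLE_POST):
        print("script tag visible after:", hit)
```
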

  • Let's see...

    1) Viruses can consume significant network resources as they propagate from machine to machine. Since students will usually have professors and other students high in their address book, you'll have combinatorial explosion. Alice infects Bob. Bob infects Carl. Carl tries to infect Alice. Carl infects Diane. Diane tries to infect Alice.

    2) Viruses often contain DDoS code. The university, being responsible netizens, will block the forged IP packets... but a large number of infected systems can still generate enough traffic to take down its network.

    3) Viruses often contain code to implement packet sniffing. Universities are notorious for old coo... esteemed professors who don't understand that security issues affect them as well. An infected system may allow access to systems essential to ongoing research.

    None of this should be viewed as a concession that the university has the right to inspect the student's computer "at will." It does, however, have a legitimate interest in taking reasonable efforts to ensure that these systems remain uninfected.
  • "If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. ... It's not your network, and you have no "rights" with regard to it."

    In the US, there's this little thing known as the ECPA. You *do* have rights, some hefty ones, online. The only reason employers can monitor employees' (work) email is because it's legally addressed to the company but delivered to the person who is acting on behalf of the company. That argument might work with university employees, but not students.

    To answer the obvious question, the ECPA allows filtering for technical reasons, if it's something that can be done without exposing the content of the mail to any person. The classic example is rejecting mail that's larger than some acceptable limit, or in an unsupported format. Automatically identifying and stripping blocks of executable code would seem to fall in the same category. Forwarding messages containing "prohibited words" to a human censor is not.

    (IANAL, but this has been the law for many years.)
  • Back in '87 when I was in school, one of the other guys in the department was finding viruses that he turned in to companies like Norton for $50 each. He "found" quite a number of them since he knew how to code in assembly. Now that anti-virus software has made it so big, there are a number of small players trying to get in the game and some of them are still paying for unknown virii.

    So get out that book on assembly and start cracking. There's money to be made all in the name of paranoia.
  • At the university I work at, we use Command AntiVirus [commandcom.com] for the entire campus. We chose this over Norton's offering mostly for cost reasons (It has basically the same level of protection, but is pretty cheap). We have a site/blanket license where any computer on campus can have the software installed. It was very easy to configure the software to automatically download virus definition updates from our local Linux box rather than from Command, and automate the server to download the updates from Command every week (Our outgoing pipe isn't fat enough to support five thousand software updates every day). We started doing this about two years ago when we got an unexpected rash of Chernobyl infections and spent a week replacing motherboards, and we haven't had any problems at all with the setup.
  • Build your own hardware (incompatible with existing architectures), write your own operating system (do *not* conform to any standard), write your own language (keep it totally incompatible with C, Perl, etc.) and write your own apps with that. And write that in a bloated and complicated manner. Strip all comments. And if you want to write man pages, write them in your own language, don't use English.
    That way, if you ever have a virus on your campus, you can be sure that *YOU* wrote it.
  • Use optical fiber, not ethernet. Because virii live in the dark.
  • If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. Do transfers with floppies and Zip disks. It's not your network, and you have no "rights" with regard to it.

    If you don't want your ISP invading, uh, your "privacy", then don't use your equipment on their network. Do transfers with floppies and Zip disks. It's not your network, and you have no "rights" with regard to it.

  • The organisation I work for solved this very simply. The majority of "viruses" we see these days are in fact worms that exploit faults in people's email software. The way we solved this was to BAN Microsoft Outlook (or Outlook Express), and its variations. By switching to Netscape as the SOA mail handler we ensured that all attachments that were sent provided all of their information (rather than disguising themselves as something else), and that they were not auto executed.
  • by ffatTony (63354) on Sunday June 10, 2001 @08:41AM (#162565)

    I am all for sane policies in keeping viruses off of campus networks, but scanning directories for infected files is no longer sufficient in catching viruses, especially solutions that are known for their lack of cross platform support, and certain privacy issues as well.

    Why is it the job of the University to ensure student machines are virus free? I completely understand using something like this for Department machines, Computer Labs, etc, but a machine in a dorm room is not the property of the school and should not be treated as such. Viruses are part of the computer experience and students should take charge themselves.

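  • PATH=/bin:/usr/bin:/usr/bin
    MAILDIR=/var/spool/mail
    LOGFILE=/var/log/procmail

    ## vbs
    # B flag: test the condition against the message body, where the
    # MIME part headers (and their filename= parameter) appear.
    # The action line delivers to the mailbox file "junk" under $MAILDIR.
    :0B
    * filename=.*\.vbs
    junk

    I have been using this for months. I don't even worry about these new vbs files. This recipe forwards all vbs files to junk@yourserver.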

    Hope this saves you some time.

    Mike.

  • It sounds like scanning on the e-mail server would be a good thing to do. I also hear that filtering out VBS files at the server would provide a big reduction in the virus population. Virii thrive on Outlook's "feature" to process VBScript.

    In addition, here are some options that show up on a scan of the FreeBSD ports system.
    cd /usr/ports/security

    make search key=virus

    Output (condensed (non-dairy)):

    Port: amavis-perl-10
    Path: /usr/ports/security/amavis-perl
    Info: Mail Virus Scanner (uses external antivirus)

    Port: inflex-0.1.5.c
    Path: /usr/ports/security/inflex
    Info: Inbound/outbound antivirus e-mail scanner for sendmail servers

    Port: uvscan_dat-4141
    Path: /usr/ports/security/uvscan-dat
    Info: AntiVirus DAT file for uvscan

    Port: uvscan-4.14e
    Path: /usr/ports/security/vscan
    Info: Evaluation version of a DOS/Windows file virus scanner
  • Although I understand the problem you are facing, I think you're trying to do too much. You'd be farther ahead to double the efforts on the University servers, and let the students look after themselves.

    After all, it is the student's decision to plug into the network, and the student's decision to double click the stupid attachments. Let them pay the consequences.

    The IT department of a University should be responsible for at MOST the connectivity of student machines, not the integrity.

    That said, try filtering mail for the common stupid attachments, and beef up the security provisions on any university boxen.

    -Ben
  • * Open ports -- not sure about this -- maybe perform periodic port scans for vulnerabilities? But then how do you report, update, etc.?

    Uh, isn't port-scanning illegal [slashdot.org]?

  • "We started doing this about two years ago when we got an unexpected rash of Chernobyl infections and spent a week replacing motherboards".

    Jeeze... and you wonder why it costs what it does to get an education today. Might as well throw the baby out with that dirty bathwater :-)

    Down here we just burn new bios, insert and we're done.
  • TrendMicro [antivirus.com] has a product that is an email gateway as well as an http proxy type thing and an ftp proxy type thing. These could help you keep the students from getting any viruses by making all students go through these gateways.
  • Actually the school I attend does this on windows 9x machines fairly well. They use norton ghost [symantec.com], which can make a disk image from one computer, and then the program can "ghost" all (or selected) computers on the network, which basically just loads the disk image onto them. It's a pretty effective solution.
  • by Greyfox (87712) on Sunday June 10, 2001 @02:18PM (#162573) Homepage Journal
    Ok, yes, this is funny, but there's a very big grain of truth in here too. Education is the biggest thing you can do to prevent viruses. Scanners promote a false sense of security, as do supposedly "Secure" operating systems and other security products. If a user thinks that all the security stuff has been dealt with so he doesn't have to worry about it, he's going to persist in risky behavior. And as we all know, the user is the weakest link.

    Seeing as how most colleges now mandate that all incoming freshmen must have a computer, the most sensible thing to do would be to mandate a computer security principles course in the first semester. Topics covered should include viruses and how they spread, E-mail hoaxes, physical security and protecting university assets, and miscellaneous other. It would have helped a lot even back when I was in college and the big security breach was the VM Christmas Card program.

    You shouldn't stop with education either. Plan on having your lab systems hit because they will be, and have a good backup policy in place. Set them up so you can just ghost or DD a hard drive image off the network. Have your E-Mail servers eat attachments that come from outside campus. Have your servers run in an environment of paranoia. Keep logs on a write-only file system (An old line printer is often enough.) Make security a policy rather than an end-goal and your systems will remain secure enough while also remaining usable.

  • by Greyfox (87712) on Sunday June 10, 2001 @11:33AM (#162574) Homepage Journal
    As long as you practise safe hex, you won't get a virus. The most important thing is to put the little plastic thing on your floppy disk. As long as your floppy disk has a plastic thing on it, you won't get a virus.

    Another vital part of Safe Hex is education. Now I know this is a controversial subject among a lot of people (They should learn to do it on their own! They deserve to get a virus if they're doing immoral things like downloading warez or live goat porn!) but if you actually EDUCATE people about what's safe and what's not, you'll see a massive drop in the number of HTDs (Hexadecimally Transmitted Diseases) on your campus.

  • I don't know how you have it set up, but at the datacenter I work at, NAV gets installed automatically on all new machines. Norton has to be the worst enterprise virus protection scheme out there. Many a day a machine will crap out and we go up to it to see Norton running a scan in the middle of the day, even though it was told to do it at night. Oh, and then there was the time Norton updated itself and happened to install a DLL file that wasn't compatible with NT's virtual DOS machine. Wanna talk fun? Imagine 550 machines ground to a halt with a never ending array of "16 bit subsystem" error windows. I seriously research other solutions, from what I've seen these days, most companies are pretty hurt for sales and we get to try all the newest stuff for free. Maybe you can set up NAV to work right, we couldn't. Like I said, shop around. Don't get screwed like we did.

  • It can be tricky getting your userbase all running the same thing. Even in a corporate environment like mine, where we have policies in place that we make people sign saying "we reserve the right to fire you if you uninstall your AV" it still happens.

    The approach I'd suggest is:
    * Identify the way virii are getting in and concentrate efforts there. These days, that means the e-mail servers.
    * Identify storage areas and say "what you put on here, my people will protect. We'll back it up and scan it for virii. If your dissertation is valuable, put a copy of it here."
    * Make AV software available to users either free or at low cost. Promo campaigns to explain why it is a good idea.
    * And finally, since it's Slashdot: deprecate Windows OS's, and promote Linux, FreeBSD, MacOS et al. because no-one bothers to write viruses for non-wintel yet. (I know, I know, there are some. But I see 12 entries for Linux in McAfee's AV library, out of 50,000)
  • $ man condom
    CONDOM(1) EUNUCH Programmer's Manual CONDOM(1)

    NAME
    condom - Protection against viruses and prevention of child
    processes

    SYNOPSIS
    condom [options] [processid]

    DESCRIPTION
    _condom_ provides protection against System Transmitted
    Viruses (STVs) that may invade your system. Although the spread of
    such viruses across a network can only be abated by aware and cautious
    users, condom is the only highly-effective means of preventing
    viruses from entering your system (see celibacy(1)). Any data passed
    to condom by the protected process will be blocked, as specified by
    the value of the -s option (see OPTIONS below). condom is known to
    defend against the following viruses and other malicious
    afflictions...

    o AIDS
    o Herpes Simplex (genital varieties)
    o Syphilis
    o Crabs
    o Genital warts
    o Gonorrhea
    o Chlamydia
    o Michelangelo
    o Jerusalem

    When used alone or in conjunction with pill(1), sponge(1),
    foam(1), and/or setiud(3), condom also prevents the conception of a
    child process. If invoked from within a synchronous process, condom
    has, by default, an 80% chance of preventing the external processes
    from becoming parent processes (see the -s option below). When other
    process contraceptives are used, the chance of preventing a child
    process from being forked becomes much greater. See pill(1),
    sponge(1), foam(1), and setiud(3) for more information.
    If no options are given, the current user's login process (as
    determined by the environment variable USER) is protected with a
    Trojan rough-cut latex condom without a reservoir tip. The optional
    'processid' argument is an integer specifying the process to protect.
    NOTE: condom may only be used with a hard disk. condom
    will terminate abnormally with exit code -1 if used with a floppy
    disk (see DIAGNOSTICS below).
    ...
    Read the rest from http://www.netfunny.com/rhf/jokes/92q4/condomman.html [netfunny.com]

    - grunby
  • I second that recommendation...

    Trend's system has a few quirks and bugs in it (like Norton and McAfee) but it seems much more capable and easier to set up than them both. I really like the single "autopcc" program (OfficeScan, the component that scans workstations in a LAN environment) that pushes out software AND updates signature files regardless of PC OS platform.

    Their server-based & e-mail protection is also excellent; signature files are updated automatically and transparently (as they should be) and there is a really neat web-based (IIS-based) console that pulls it all together. They also offer the "InterScan VirusWall" product which does a virus-stripping proxy that handles http, ftp & smtp sessions.

    And they're really quick to issue new signatures if there's a sudden outbreak...
  • Kaspersky antivirus (http://www.avp.ru) has unix versions. I'm running one under BSDI 4.0.1 and it works ok, catching everything so far. It works with sendmail, so viruses do not even go into mailbox and cron job fetches daily updates.

    Now I wish I was permitted to remove all floppy drives across the company...
  • I stand corrected.

    Latin is a language, as dead as it can be.
    First it killed the Romans, and now it's killing me.

  • 'Scuse, please. This argument of "it's not your network, it's the Organization's network" may be fine in a business environment. It's not a good argument in academia. The students are paying considerable bucks for the switched Ethernet dorm rooms. We are fully cognizant of the fact that a student doesn't just make the decision to attend our school once: he or she makes it each and every semester for four or five years. We engage in a never-ending upgrade cycle to keep our current students happy and attract new ones.

    So, sure, we can tell students that they may not serve pr0n from a campus server, but forcing them to surrender their privacy because we're troubled about viruses? I don't think so. It's never a good idea to piss off the people who are giving you money.

    Gaudeamus igitur, iuvenes dum sumus...

  • I am a student at Penn State and I work for Rescom [psu.edu] which is a group of tech-interested students who others can come to (free) if they have computer trouble. Viruses are by far the most common thing that we have to deal with. In the interest of privacy the University does not filter emails or attachments, so there's a danger that students will get viruses, but whenever we remove a virus we tell students to get a virus scanner and to keep it updated. It seems like people listen when a human being tells them to get virus protection instead of just a web page. Of course no matter what we say not everyone will get scanners, and if there is a new virus it still takes a little while before the scanner-makers will release an update. We actually wrote one virus fix ourselves for Romeo and Juliet because it happened to hit Penn State very hard and we couldn't wait for anyone else to come up with a fix. Do any other schools out there offer free tech support like this? It seems to work pretty well for us.
  • Here at the University of Texas at Austin - Red McCombs School of Business [utexas.edu] we use InoculatIT. It is a great program. Everything is automated. We set up a server to pull the updated information from the web and then set the clients to look for that server. We use Active Directory to push the client out to the client computers and to make sure that the lab machines and all notebooks keep it installed. The personal machines can uninstall the software if they choose.

    We have been very happy with the performance of this software. If you have any questions about it please email me at Benton.Wink@Bus.UTexas.edu .
  • by 4of12 (97621) on Sunday June 10, 2001 @09:23AM (#162584) Homepage Journal

    It sounds like you guys at Oxford have the right approach.

    Pardon me for possibly espousing an anachronistic viewpoint, but aren't universities places where students (you know, tomorrow's leaders) should learn both

    • depths of knowledge
    • depths of responsibility
    eh?

    To that end, I think it's great if you make available software tools for students to check their machines, and it's great if you care enough to support an expert IT staff on site that keeps up on the latest technology, runs vulnerability scans, consults with users, etc.

    Ultimately, however, you should expect the students to exercise some willingness to educate themselves as to the nature of the dangers of their computer (mis-)use, both about the technologies and about the responsibilities that are incumbent on them.

    In a nutshell:

    1. do provide a supportive environment (software, expert personnel, etc.), including a statement of dangers and an expectation that users will be responsible,
    2. don't mandate specific behaviors,
    3. do be prepared to use axes on network access to educate users about the consequences of not learning the lessons well enough.

    If our future leaders are spoon-fed with an iron-fist, then I shudder to think of the world we'll live in two decades from now.

  • I'm an admin there ... we have no campus-wide or even college-wide policy -- and lemme tell ya -- that's a disaster. Every couple months we're ravaged by the latest macro virus.

    What I do is keep Norton on all my (Windows) machines -- it has a pop3 mail scanner (that always ends up fucking up, but it's better than getting a virus).

    Second, perform weekly scans of machines and nightly scans of home directories (through an smb share).

    Third, Procmail is your friend. I'll admit I haven't done it yet, but (when I get a free moment) I plan to write a procmail script to delete vbs attachments (*.vbs) and rename exes etc to *.e_xe in users' mail ... there's no reason on earth anyone needs to send anyone a vbs attachment -- and by renaming all executables, people must explicitly choose to rename the file to be able to run it.

    Lastly, you must educate your users ... Tell 'em, don't open mail from people you don't know, don't run EXEs you didn't compile or I didn't install :) There's some idiots who think they know stuff who will never follow your directions, but mostly, people will.

    These steps will keep you from getting 99.9% of viruses ... now you have to figure out how to keep your users from installing that f***ing comet cursor :)
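The attachment policy proposed in the comment above (delete *.vbs, rename *.exe to *.e_xe), together with the "standard notice" idea from earlier in the thread, written out as an added example. It is not the poster's procmail script; it uses Python's standard `email` package, and the extension tables, notice wording and sample message are constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DROP_EXT = {".vbs"}               # deleted outright and replaced by a notice
RENAME_EXT = {".exe": ".e_xe"}    # kept, but cannot be launched by double-click
NOTICE = ("[The attachment {name!r} was removed by the mail server: "
          "this file type is not accepted.]\n")


def split_ext(name: str):
    """Return (stem, lowercased extension) of an attachment name.

    Trailing dots and spaces are stripped first because Windows ignores
    them, so "x.vbs." would still run as a script. Only the last extension
    counts, which also covers double extensions such as "notes.txt.vbs".
    """
    base = name.strip().rstrip(". ")
    stem, dot, ext = base.rpartition(".")
    return (stem, (dot + ext).lower()) if dot else (base, "")


def rewrite_part(part, log):
    """Apply the policy to one leaf MIME part, modifying it in place."""
    name = part.get_filename() or ""
    stem, ext = split_ext(name)
    if ext in DROP_EXT:
        part.clear_content()                       # drop headers + payload
        part.set_content(NOTICE.format(name=name))
        log.append(("dropped", name))
    elif ext in RENAME_EXT:
        data = part.get_payload(decode=True) or b""
        new_name = stem + RENAME_EXT[ext]
        part.clear_content()
        # Re-attach as opaque bytes so no client treats it as runnable content.
        part.set_content(data, maintype="application",
                         subtype="octet-stream", filename=new_name)
        log.append(("renamed", name, new_name))


def sanitize(raw: bytes):
    """Parse a raw message, filter every leaf part, return (message, log)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    log = []
    for part in msg.walk():          # also descends into nested multiparts
        if not part.is_multipart():
            rewrite_part(part, log)
    return msg, log


def build_sample() -> bytes:
    """Constructed test message; the attachment bodies are placeholders."""
    m = EmailMessage()
    m["From"] = "alice@example.edu"
    m["To"] = "bob@example.edu"
    m["Subject"] = "lecture notes"
    m.set_content("See attached.\n")
    for fname, body in [("notes.txt.vbs", b"' constructed placeholder"),
                        ("setup.EXE", b"MZ constructed placeholder bytes"),
                        ("syllabus.pdf", b"%PDF constructed placeholder")]:
        m.add_attachment(body, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, actions = sanitize(build_sample())
    for action in actions:
        print(*action)
```
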

  • This sounds like an ideal place to do what everyone here likes to complain about: Support Windows, and only Windows.

    In other words, draw up a list of software (Windows 2000, Office 2000, Norton Antivirus, etc.) which constitutes the "standard university computer"; if you're running a "standard university computer", you'll get (limited) support with it. If you install something like Linux, FreeBSD, or Mach-running-under-VMware-under-OpenBSD, *you are assumed to be able to take care of yourself*.
  • Where I work(ed), University of South Carolina, we had anti-virus software available to all (with staff to support installation, along with online instructions), but it was not compulsory. That seemed to work fairly well. Now, it didn't catch everything by any means, but students' own computers are their own responsibility after all.

    I can't agree with the viewpoint that using the University network gives legitimate rights to access the students' hard drives. I don't think for a moment that you mean to use the access maliciously, but there are places that one doesn't go in order to avoid even the appearance of impropriety. To try the usual argument by analogy: the students go to class all day in University-owned buildings under University regulation. That does not give rights to the University to inspect the contents of every (or any!) student's wallet as they traverse the campus, however non-malicious the intent of the search.

  • "People who have AOL and whatnot don't use outlook and aren't so susceptible"

    True, but they already have the AOL virus on their computer. Seriously, any program that messes with network settings, etc. is a virus in my opinion.

  • Why is it the job of the University to ensure student machines are virus free? I completely understand using something like this for Department machines, Computer Labs, etc, but a machine in a dorm room is not the property of the school and should not be treated as such. Viruses are part of the computer experience and students should take charge themselves.

    Well, I think the issue is that universities are held responsible, by outside parties, for anything that goes on on their network. As such, they're blamed whenever a virus comes from a machine on their network, whether it be a "University-owned" machine, or a student's machine.

    dopp

  • At the school I attend, we simply site-license Norton Corporate Edition for all the students, and let them take care of themselves. The University tries to keep students abreast of what viruses are currently going around, but in general, we have to fend for ourselves. I think the best policy is to set up some system for University-owned machines, probably with Norton or some other virus protection software, and then site-license Norton for the students. If they don't want to download it, it's their problem. But the protection is there if they want it. That way the University is certainly helping the students protect themselves, but also isn't taking on the headache of trying to actually protect the students.
  • I think it's a great idea to install Norton Antivirus. If I were at that University, I would gladly install it on my arcade-mode Windows 95 boot. (But then again, I don't trust anything personal to Windblowz.)

    But don't force anyone to install the software, or disallow alternate operating systems. I would sooner take my computer back home and use good old pencil and paper than be forced to use Windblows.

  • updates itself automatically (via cron of course) every month
    You meant to say 'every day' right?
  • The only thing worse than having no virus protection is having inadequate virus protection that gives users a false sense of security. Besides, if there's no updates, traffic will be minimal. :-) I'd say every week at a minimum. Find out when your provider puts out their 'scheduled' releases (Trend, for example, is every Tuesday, IIRC) and do it then.
  • Is this a troll?

    I have downloaded countless programs from the internet...who are these people that run untrusted executables?

    Either you download all those programs from the internet and never run them or you are one of those people that run untrusted executables

    You can't even necessarily trust "trusted" programs. Weren't you paying attention when MS posted virus-infected files [theregister.co.uk] or when HP distributed infected drivers [theregister.co.uk]?

  • Remember that there are viruses that spread by sharing dirty software, something College students are known to do in the name of Freedom and being broke.

  • I'm working at a university as well, and we recently switched from a CAI (Computer Associates) product to Norton Antivirus, but we obviously don't worry about students' computers as they are their own responsibility (such as your own car is) but on our own machines, Norton is set to automatically monitor all activity and automatically remove any viruses it finds, therefore there's no problem with us needing to manually scan.

  • I'm a first year undergrad EE at UCLA. I can tell you that here, a vast majority of the students use Windows, but among those, there is a fairly even spread among the various flavors. I thought that this mass searching for infected files only worked on NT based machines. Maybe not?

    I had an interesting time setting up the two boxes that are currently running in my dorm. One is Win2k, and the other is Redhat 7.1. There's a very specific set of instructions here about which set of protocols and settings to use to connect a Windows machine to the campus network. For Linux, no help is offered. It's as if the people in the Student Technology Center who run the network don't want students using Linux. It turned out to be easier to set up the Redhat box for network use, though! They seem to boot me off the network every few days, though, just for running apache with a couple of text files.

  • Are we talking about student-administered machines here? Are they owned by the students? In dorms? In that case, provide a central repository with the latest versions of your antivirus software, and leave it up to the students to install and update it on their computers. The U cannot possibly be responsible for machines which it has no control over. Either you have complete control over the computer, or you don't.

    If the university's computer system is at risk because some student administrated computers have viruses, then the university's computer system is too vulnerable, and should be fixed.

  • UCLA is a state school. They are subject to the First Amendment, as they are government. The Constitution MUST be followed by all government agencies. Allowing ANY network traffic, but not servers, is restricting some forms of speech and not others. That would be against the highest law of the land, the Constitution, and thus the policy should not be enforceable.

    I am not a lawyer, and I know the Constitution isn't 100% in force these days, so the above is likely wrong.

  • In a cross platform world about the only thing you can do to limit exposure is to provide students with a good non-Outlook mail client. That'll eliminate a lot of virus exposure. In terms of the software, the University of Michigan has licenses for McAfee on PC and Mac. The strategy they use with students and staff is education and encouragement. I dunno how well this works tho. Ironically, staff gets bitten by Outlook propagated virus more than the students do because the student accounts rely on pine over telnet for email access.
  • Geez. Most college students pay for tuition, books, housing, liquor, etc and now more money should be slapped on if they have a computer? Me thinks many students would forgo the whole expense of a computer and instead spend the money on booze. At least getting caught with liquor is cheaper than having a virus under this plan.
  • do this
    1. make the software voluntary, people love free stuff.
    2. Disclose to them your Problem with the software
    3. MASSIVE PR move about viruses, notes on all of IS web pages, E-mail newsletter, print information
    4. Antivirus software on all college computers as standard, but allow it to be removed.
    5. set in place a system to contact computer users if a virus strikes the network, i.e. E-mail alert or notice on a big webpage.
    6. MASSIVE PR move to change the Default settings in IE to make it stop VBS files.
    7. and finally keep everyone updated, knowledge is not only power but motivation, if they know what's going on people can get involved.
  • I work at/attend Yale, and we don't support Linux either. Any Windows > 95, and any (recent) Mac OS is fully covered. There's no anti-Linux bias, since many of the computing assistants run Linux and the institutional servers and CS machines all run some flavor of Unix. We just feel that anyone using Linux should be competent to set up and run their machine on their own, or find someone else to help them.

    There's certainly no obstacle to anyone running Linux- and I've had no problem with Irix or Solaris either. I think we will continue to offer zero support for the foreseeable future, though.
  • Of course nowadays you could also just set all files except for the user files to read-only in both NT and Linux/Unix.
    There are very few, if any, worms/virii now (since fixes are available very soon) that use a security hole to get root/administrator access to infect.

    A university department that uses Windows 9x on their computer shouldn't bother installing any anti-virus software.
  • I was browsing the replies for this post! I'm surprised it is posted so late.

    McAfee (and most other REAL virus scanners) are cross-platform, silent and automatically updatable.

    At my work I've installed McAfee on the (Linux-)virus scanner in combination with Amavis (http://www.amavis.org I thought) that intercepts all infected mail messages and updates itself automatically (via cron of course) every month.
  • Actually not :-)
    I didn't want to waste internet bandwidth for virus-paranoia.
  • Seriously, any program that messes with network settings, etc. is a virus

    Yeah I'm sick of those programs that keep messing with my settings. Like linuxconf, ifconfig, ipchains, netconfig and vi. Does anyone have a virus scanner that can get rid of these damnable programs?


    Enigma

  • by Antipop (180137) on Sunday June 10, 2001 @08:38AM (#162623) Homepage
    But.. but... but... Daddy Bill says it's part of the operating system!

    -antipop
  • When I worked at a faculty media/technology center on campus, a Microbio prof. asked if I could build an online database to which students could contribute their research. I contacted their admin to see what they were running and came across some rather startling news.

    Due to a fear of virii and 'hackers' (and the fact that this was a "trained-monkey" MS admin), there was to be no remote ftp access to the server - not even for professors! Basically, I had to build the Db and front end, then burn it onto a CD and walk it across campus to the Biology building, and hand it to the admin.

    Of course, there were some small bugs to be squashed. At least he let me email him the fixes.

  • Part of your message, software being able to ruin hardware got to me. I was thinking about the easiest hardware to screw up in a machine, and the DVD drive came to mind - changing the region. Anyone heard of a virus that changes your region to something useless, like 6 or 7, repeatedly, until it locks? How many people would be whining about DVDs not playing?
  • by martyb (196687) on Sunday June 10, 2001 @10:21AM (#162634)

    Back in the day when I was in college (mainframes and dumb terminals), it was required for each student to fund a breakage account. The funds in the account would be refunded to the student upon graduation (transfer, leaving, etc.) MINUS any damages caused by the students (holes in the dorm room walls, broken windows, etc.) In other words, students were held financially accountable for their actions. In effect, there was something like self-insurance by each student for damages they might cause.

    What if a similar approach were taken with student (and faculty) systems? (The following is off the top of my head and likely has some holes in it, but I would hope it would provide a starting point; add or adjust as you see fit.)

    • Make the anti-virus software readily available.
    • Install filters on the campus e-mail servers.
    • Require each student to fund their "computer breakage" account with, say, $US400.
    • If a virus is traced to a student AND the student was using current virus filters, then NO funds would be deducted from their account.
    • If the student was NOT using a current filter, deduct, say $US50 per incident (e-mail? event?) from their breakage account.
    • A student breakage account must not drop below, say, half of the original amount -- additional funds must be provided for the student to "continue their studies" (I'm waving hands a bit here, but whatever physical breakage account policy they have would probably have a similar requirement.)
    • Invest the computer breakage funds in an interest-bearing account.
    • Use the interest income to pay for tech support.
    • Maybe even hire tech-savvy students with an interest in computer security to help with implementation and tech support -- student aid to help with their college expenses and valuable hands-on job skills.
    • Recognize some students will be computer illiterate and offer, free, tech support to set up and verify virus filters. (Ounce of prevention / pound of cure.)
    • Keep a log of when each system had its virus definitions updated. (Hmm, track the MAC address? Not sure how to identify systems.)
    • Faculty whose systems have a virus that infects other systems would lose some part of their funding. (What is good for the goose is good for the gander.)
    • Open ports -- not sure about this -- maybe perform periodic port scans for vulnerabilities? But then how do you report, update, etc.?
    • Allow the use of leftover funds at graduation for "Senior Week" activities -- students have a last hurrah with classmates at no out-of-pocket expense. (I know MY senior week was well worth it!)

    Ultimately, nothing is bulletproof, but make the protection readily and easily available, and impose penalties (sticks) on those who choose to not make use of them and provide benefits (carrots) for those who DO use the protection. Some viruses may get through, but the ones you DO catch are that much less to worry about.

    Okay, now I'm going to step back and let the /.'ers blow holes in this. :)

  • by pjdepasq (214609) on Sunday June 10, 2001 @08:33AM (#162642)
    Here at Virginia Tech, everyone (faculty, staff, students) has access to downloading Norton AntiVirus. Apparently, the school signed a license with Norton to make quite a few versions available for free for both the PC and the Mac.

    It's nice to see the school do this as a "perk" for us, and to help everyone stop the spread of viruses.

    antivirus.vt.edu

  • I'm not terribly up on my av solutions, but considering that 95+ percent of what's on a college student's machine is either a) from a trusted binary (os and 'productivity suite' binaries don't need virus scans) or b) downloaded unencrypted through the u.'s network, wouldn't you think there would be a server-side solution that scans any files being downloaded through it, and which the university could install on a large server (cluster) essentially right before the raw-net connection hits the university network? It's not as good as client-side solutions, esp. with college students compiling downloaded source these days, but it's a helluvalot better than nothing, no? Or am I way off-base?
    ~
  • by xenocide2 (231786) on Sunday June 10, 2001 @10:18AM (#162647) Homepage
    At Kansas State we're fairly wired, with the residence hall Ethernet and the developing wireless deployment for laptops. I think the largest help in fighting virii is to get people to stop using Outlook, since most virii are .vbs. The best way to do that is not to outlaw Outlook, but to provide a better solution [slashdot.org] than Outlook.

    Considering that most school communications now rely on email and other electronic means, I think our department is doing an outstanding job. We have a help center too. A good friend of mine says the largest portion of issues they get is how to use MS productivity tools, although I'd bet they got quite a bit of calls when the IRC server (which USED to be connected to DALnet) got DDoS'd. If you really want to get people to fight virii, forcing them won't help. Just put out some Press Release type emails about how you want to help, and write up some guidelines, instructions on how to forward mail, etc. Rather than force people to use Norton and "sanctioned hardware", maybe get a site license and encourage people to download it. If your server allows it, write a tutorial on how to filter email, especially things that have .vbs or .exe attachments. Instead of telling people what not to do, help them do things on their own.

  • First of all, most of the recent worms have been sent as VBS embedded in HTML mail, so the filtering you propose wouldn't prevent them.

    More importantly, such an across the board ban is a nontrivial decline in the quality of service for students, especially since most universities implementing it wouldn't bother to inform students of their filtering policy. Would you want to be the uni. tech support guy who has to answer "My attachment disappeared!" calls all day?

    --
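The two filtering approaches debated in the posts above, as an added example that is not part of the original thread: a mail-gateway check that flags `.vbs`/`.exe` attachments by extension and, separately, VBScript embedded in an HTML body, which an extension filter alone does not see. The helper names, the extension tuple and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions named in the thread; the tuple is an assumption, extend per site policy.
RISKY_EXTENSIONS = (".vbs", ".exe")
# <script language="VBScript"> or <script type="text/vbscript"> in an HTML body.
VBS_IN_HTML = re.compile(
    r"<script[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I)

def scan_message(raw: bytes) -> list:
    """Return findings for one raw RFC 822 message (hypothetical helper)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Compare the last extension so "LETTER.TXT.vbs" is still caught.
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("attachment:" + name)
        if part.get_content_type() == "text/html":
            try:
                html = part.get_content()
            except (LookupError, UnicodeError):  # unknown or broken charset
                html = part.get_payload(decode=True).decode("latin-1")
            if VBS_IN_HTML.search(html):
                findings.append("html-vbscript")
    return findings

def sample(kind: str) -> bytes:
    """Build a constructed test message: 'clean', 'attachment' or 'html'."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.edu", "b@example.edu", "hello"
    m.set_content("plain text body")
    if kind == "attachment":
        m.add_attachment(b"' constructed placeholder", maintype="application",
                         subtype="octet-stream", filename="LETTER.TXT.vbs")
    elif kind == "html":
        m.add_alternative('<html><body><script language="VBScript">'
                          "' constructed placeholder</script></body></html>",
                          subtype="html")
    return m.as_bytes()

if __name__ == "__main__":
    for kind in ("clean", "attachment", "html"):
        print(kind, scan_message(sample(kind)))
```

A gateway would quarantine or tag on any finding rather than silently drop the part, which also addresses the "my attachment disappeared" support problem raised above.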

  • Why is it the job of the University to ensure student machines are virus free

    Well, considering how many viruses there are that can turn a machine into a zombie (or help do it), it's a good pursuit. University PCs are prime targets of DDoS hackers given the bandwidth these systems have available. It's not gonna be perfect, but it helps keep the thousands of student machines somewhat inoculated against script kiddies. Course if they don't get their virus in they'll take control of the machine some other way. But you gotta do something/start somewhere!

  • Why are you hard pressed on making students run virus scanners? Most viri only hurt the local machine, and the rest can be solved with a good firewall and e-mail filtering.

    But you do not have a right to force students to use any anti virus products, and you also do not have a right to grant/deny network access on the basis of usage of such products.

    It's good to want your network to have high uptimes, but, frankly, most network failures are due to failed routers. Also in many University networks there are frequent cable problems. When I was at OSU, it was every other day an intra-campus cable had failed. Now that they're using fiber, it's probably more severe. But seriously, viruses only cause harm in mass, and although an e-mail virus can quickly spread to every person in the school (and their parents, grandparents, etc.) via Outlook, if you have e-mail filters the above said is no problem.

    You should by all means encourage students to run virus scanners, because most support requests are local problems. As to the capabilities of the scanners, most do little more than perform filename searches and occasionally search a bit of the file. Today's up-start global virus is usually polymorphic, embedding itself in rundll.exe or systray or constantly chuking itself up.

    However, for catching things like Sub7, these scanners do work well. That being said, I have never used a commercial virus scanning product and have never had a virus. The only reason commercial virus products are so popular for their limited (null?) functionality is because of hype much associated with blaming something YOU did on an invisible gremlin 'virus' that 'must' be screwing things up.

    But for the reckless who fancy accepting file transfers from haxor3llt in IRC, those who frequent warez sites, and those who infect themselves with sub7, they should by all means be forced to use any University-controlled virus software. Unfortunately, I've just described virtually all college students so it fits perfectly ;)
  • Given that I have worked for a university that faced this very same issue, I know that this kind of power will lead to abuses. The problem this type of policy causes is that it results in an erosion of trust by faculty, students and staff and the actions they take in response to that loss. I have found most people get upset when they actually learned what was happening. Just wait until a dean or an already upset student finds out they are being watched and it actually processes in their minds. Even file names give away private information. If you have not seen it happen yet, then chances are they have not figured it out yet. One big lawsuit and you will have a whole new problem. Furthermore, I know for a fact that Norton's responses to its server can be faked; many people where I used to work did not want the very abusive IT staff to see anything on their hard drives. They started downloading various hacks for just this purpose not to mention several trojans. You may be creating a greater nightmare by having people willingly installing gateways for hackers. The university was in fact hacked this way when someone in the IT center let a keyboard monitoring trojan infect their computer that sent the root password for our servers to them. I left that job because these type of issues began to erode everyone's happiness. Do not go down that road. I would suggest that you mandate that in order to connect to the university's system that students must prove that they have a recent anti-virus program or that they use the university's system with a privacy warning. Since all modern anti-virus programs by default offer an Auto-Update feature that should help your problem. As for faculty and staff, I have found that telling them exactly what is happening, why it is necessary and doing it on the weekend worked fine. They took off anything they did not want looked at and the IT department got to do their scans.

    Also, I found that asking them to bring me their license of anything special they wanted to have installed that was personal. This allowed them greater flexibility, gave me a proof of their ownership and more assurance it was legit software. Remember, trust is a lot more valuable than hardware or software and a good back-up policy protects information.
