From: jia()
Compiled by: emil (1999-05-08 13:03:12), internal mail
From: poker (virus killer), Board: Virus, Subject: viruses in lotus notes, Site: BBS 水木清华站 (Thu Jul 23 11:02:03 1998)
I am too tired to translate it: "Viruses in a Lotus Notes Environment"
Abstract
Lotus Notes and Domino is a powerful communication infrastructure used to find, organize, mobilize, and share information in a database, an e-mail message, a desktop application, or on the Internet. Since computer viruses are able to use this system in several ways to propagate throughout an enterprise, virus protection is critical to avoid infection costs that the National Computer Security Association estimates at an average of more than $8000 per incident [1]. Devising virus protection for Notes and Domino is analogous to devising such protection for an entire enterprise--all virus entryways must be safeguarded. This paper explains how viruses spread in Lotus Notes and Domino, covers how to estimate the costs of virus infection, shows how virus protection is devised for Lotus Notes and Domino, and outlines how one product, ScanMail for Lotus Notes by Trend Micro, Inc., provides effective virus protection in this environment.
About Lotus Notes and Domino
The world's leading messaging and groupware product, Lotus Notes is an e-mail and information sharing system tied together by a powerful database (i.e., complex object store). Almost 10 million users worldwide in thousands of companies today use Notes to break down traditional barriers and create alliances that extend across departments and beyond the walls of the organization. This allows teams of employees, customers, suppliers, and partners to access the information they need, no matter where they are located or what computer platform they are using.
Lotus Notes performs three main functions: communication, collaboration, and coordination. First, Notes provides the power to communicate using a reliable and innovative client/server messaging system (Notes Mail), which incorporates a popular messaging user interface, cc:Mail. Second, Notes enables users to collaborate and share ideas with team members on joint projects, access discussion databases, participate in group discussions, create document libraries, and access news databases. Third, Notes enables users to create custom business applications that coordinate everyday business processes from start to finish.
Notes provides the following four components:
· E-mail
· Database applications (i.e., shared spaces to store all types of file and business processes)
· Replication (i.e., synchronizing database changes)
· Information sharing across Intranets and the Internet
These components make sharing of information and documents easy and efficient among employees, customers, suppliers, and partners in different locations. But this powerful form of information sharing also inherently carries with it ideal ways for computer viruses to spread.
Background
Electronic mail and groupware applications require specially designed virus protection software capable of dealing with issues of propagation, proprietary e-mail, and shared information (e.g., public folders). Typically these types of information bypass virus protection on file servers. As a result, the system administrator must rely on desktop virus protection, and the end user must implement scanning policies, update software, and refresh virus pattern files.
Server-based virus protection is recommended over desktop protection for several reasons:
· Security: Responsibility for updating software, cleaning viruses, and tracking the source of infections is in the hands of a professional, not the least experienced user in the network.
· Performance: The LAN administrator can best balance issues of performance (selecting when and what to scan) and network security.
· Costs: Costs to remove and clean up virus infections are greatly reduced when detected at the server level (source: NCSA).
Desktop virus software, such as Trend Micro's PC-cillin, is still recommended as the best way to detect viruses introduced by users--through infected diskettes, for example.
How Viruses Spread in Lotus Notes and Domino
Computer viruses (i.e., any program or code that replicates itself) are insidious. Without virus detection or protection, users typically do not know their systems are being infected until they see results that can range from annoying to catastrophic. And virus infection is on the rise. Despite a significant increase in the usage of anti-virus products, the rate of computer virus infection in corporate America nearly tripled in 1996 [1].
For most users of Lotus Notes, viruses can spread in four ways, corresponding to Notes' four components--e-mail, databases, replication, and Internet/Intranet information sharing.
Today's typical office worker receives more than 40 e-mail messages each day, and many of these messages come with word processing and spreadsheet file attachments, such as those created in Microsoft Word and Microsoft Excel. A National Computer Security Association (NCSA) survey reports that e-mail attachments as a source of computer virus infection tripled from 1996 to 1997--from 9% of all infection sources to over 26% of infections. To make matters worse, a relatively new class of viruses, called macro viruses, are now spreading like wildfire, attaching themselves to word processed and spreadsheet documents. In fact, these viruses are spreading faster than most anti-virus software makers can find ways to detect and remove them. Macro viruses are now the most prevalent computer viruses in the world, representing 80% of all infections in 1997, compared to 49% a year ago [1].
The second mode of virus transmission possible in Lotus Notes involves Notes databases. These databases are capable of storing millions of archived documents that are accessible throughout the company and even outside the company. With the widespread proliferation of viruses, it is likely that this wide access to a company's Notes database will lead to virus infection, and macro viruses are likely to be included among these viruses. Each time a database document with a virus is accessed, network contamination can result.
Replication is a third way viruses can propagate in Lotus Notes and Domino. The act of synchronizing databases, which may include many databases at various locations on various servers, serves to spread viruses that reside in any one of the databases.
A fourth mode of virus infection and propagation now faces Lotus Notes users. The Lotus Notes Domino server makes information sharing across Intranets and the Internet easy, opening up entire new worlds of data to the Notes user. For example, while browsing the World Wide Web or their company's Intranet, a user can save information found there in a common database for others to access.
But this powerful way of storing, and later retrieving, valuable information can lead to virus infection in several ways. For example, viruses carried by files downloaded from the web via FTP downloading can infect corporate databases. The NCSA survey reports that virus infection via downloading of files from the Internet increased from 10% of all infections in 1996 to 16% in 1997 [1].
Looking ahead, a new type of malicious code, carried by ActiveX and Java controls that spice up web pages, poses the potential for PC damage simply by browsing the web. Of course, users can be infected by viruses via FTP downloading or by simply browsing the web even if they are not Domino server users. However, this useful server increases the potential for the spread of these viruses within a corporation.
Complete Virus Protection for the Enterprise
In general, the most effective way to ensure that a corporate computer network remains free of viruses is to monitor all possible virus entryways. This is true of both users and nonusers of Lotus Notes. In practice, this involves a two-step process: (1) identifying possible virus entryways, and (2) implementing virus protection solutions for each entryway [2].
First, all possible virus entryways must be determined. Since viruses follow the same routes into a network as information, this step can be performed by considering all paths of information flow into the network. One of the most important of these paths is incoming e-mail with attachments. For Lotus Notes users, this path, along with data accessed from common databases, is critical. Other virus entryways include the Internet via FTP downloading, as well as simply web browsing.
However, there are other significant information paths, and hence potential virus propagation routes. For example, removable media (e.g., floppy disks, Zip disks, Jazz disks, optical disks, and CDs) can transmit a virus from a single workstation to an entire network. And remote users dialing into the network can also inadvertently spread viruses onto the network.
The second step is to identify and implement virus protection at each potential virus entryway. In most cases, this calls for establishing both significant server-based anti-virus presence and significant workstation-based virus protection. The reason is that, of course, viruses can enter the network either through the server or directly from the workstation (via removable media). Intercepting viruses as close to their source as possible, before they have a chance to spread, is the key to minimizing virus infection costs.
Estimated Virus Infection Costs
Depending on the size of the infection, a virus incident can cost between $2000 and $500,000 (U.S. dollars) in data and productivity loss [3]. One study showed that the average cost of recovering from a virus infection on a network is $15,000 (U.S. dollars) and that 85 percent of those sites were re-infected within 30 days [3].
Intercepting viruses from entry routes at servers, including Lotus Domino servers, rather than relying solely on workstation-based protection, makes economic sense. Using a spreadsheet, IS managers can estimate the cost of virus infection in two scenarios--one in which only workstation-based protection is used, and one in which both workstation and server-based protection are used [4]. Assume that a Notes Mail attachment infected with a virus is forwarded to 100 people throughout a company. If the company uses server-based virus protection, this software would intercept the virus, and at the assumed cost for an IS Manager to take action on this virus ($500 in the example), this would represent the only cost the company would incur.
But if the company did not install server-based e-mail anti-virus software, relying instead on workstation-based virus protection, cleanup would be much more costly. Each of the assumed 75 users with the protection who know how to use it would incur a loss of productivity cost of $100, amounting to $7500 companywide. In addition, IS Manager time to respond to inquiries from an assumed 20 users who have protection but need help to disinfect would cost $500 per user, or a total of $10,000. Finally, each instance of IS Manager cleanup on unprotected workstations (five of which are assumed here) would cost an assumed $1000 each, for a total of $5000. These three cost components total $22,500, which is $20,000 more than the server-based scenario. If such an infection occurs twice per month (a conservative assumption in large companies), the savings amount to over $500,000 annually.
Virus Protection in Lotus Notes and Domino
The corporate-wide approach of monitoring all possible paths that viruses may use to enter the corporate computer network can also be extended to Lotus Notes and Domino. Here, the challenge is to pinpoint and protect all possible entry points for virus-infected files to the core of Lotus Notes--the Notes database. There are four ways that a virus can enter this database:
· A piece of Notes Mail with an infected attachment is saved into the Notes Mail database.
· A Notes user opens the database and stores a virus-infected file in the database.
· A Domino server with an infected file replicates that file through database replication into this "clean" database.
· A file infected with a virus is downloaded via FTP.
An effective anti-virus product for the Notes and Domino environment must be able to monitor all of these events in real-time, scan any new entry into the database, and eliminate the infected file--all without affecting Notes performance.
Traditional anti-virus products view the Notes database as a single large file and hence are unable to locate viruses within the database. Effectively eradicating viruses in Notes therefore requires anti-virus software specifically tailored to Lotus Notes and Domino. The virus scanner must understand the Notes database format, scan individual files and documents within the database, and clean or remove infected files without impacting the Notes database structure.
About ScanMail for Lotus Notes
One example of such a tailored product is ScanMail for Lotus Notes, available from Trend Micro, Inc., of Cupertino, California. Designed specifically for Lotus Notes and Domino, ScanMail overcomes the weakness of traditional anti-virus software by detecting and eliminating viruses inside Notes databases, as well as monitoring e-mail transactions, public databases, and replication in real-time. This product uses both rule-based and pattern recognition technologies to maximize protection against viruses--known or unknown. What's more, the virus engine uses multi-threading for fastest performance. ScanMail also incorporates Trend Micro's MacroTrap technology to detect the wide range of macro viruses now proliferating, and soon, ScanMail will check for ActiveX and Java components stored in the Notes database.
The ScanMail user interface is fully integrated with Lotus Notes. Similarly, all ScanMail program files, configuration data, and virus pattern files are stored inside the Notes database. This close integration provides several advantages. Since real-time scans are a Domino server task, they are loaded automatically when the Domino server starts up. Another benefit is that program files, configuration data, and pattern files can be initially replicated from Domino server to Domino server, and automatic virus pattern file downloads via the Internet can be distributed to other Domino servers with no user intervention required.
E-mail Protection. In Notes Mail, each piece of mail is first placed in a Notes Mail router, which stores the mail in a virtual mail queue. The Notes Mail scheduler reads the mail from the queue, resolves the address, and generates a copy of the mail for each recipient. This scheduler then either deposits a copy of the mail into the recipient's individual mailbox on the same server, or sends it to a router program on another server.
ScanMail for Lotus Notes ties into the mail router, detects new mail as it arrives, instructs the virus scanner to scan the mail queue, and prepares the mail for pickup by the mail scheduler. This approach has several advantages over alternative methods. First, since the mail is received by the router and then scanned, mail sending is not delayed. Alternative approaches retrieve each piece of mail before it reaches the router, introducing a delay prior to routing.
A second advantage also involves the timing of the virus scan. Since this scanning takes place before the mail is accessed by the scheduler, only one copy of the mail is scanned. This method conserves scanning resources and prevents infected mail from being routed to other servers before scanning. An alternative approach employing an agent to monitor each mailbox often requires scanning of multiple copies of the mail and allows infected mail to be routed to other servers. While Trend Micro's approach is two-way, scanning both in-bound and out-bound message attachments, the alternative approach is solely a one-way scan.
The third benefit of Trend Micro's approach is that the mail routing path remains unchanged. No special mail path or mailbox is used, increasing performance and eliminating false deliveries that are possible in alternative approaches.
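As an added illustration of the two scanner placements contrasted above (not code from the paper or from Trend Micro), the following constructed Python model routes one infected message through a router queue and scheduler and counts how many copies get scanned and how many infected copies leave the server; server names, addresses and the virus marker are all made up.

```python
# Constructed model of the Notes Mail path: router queue -> scheduler -> local mailbox
# or another server's router. Nothing here calls a real Notes API.
from __future__ import annotations
from dataclasses import dataclass, field

VIRUS_MARKER = b"CONSTRUCTED-MACRO-VIRUS-MARKER"  # stands in for a pattern-file match


@dataclass
class Mail:
    sender: str
    recipients: list[str]          # addresses of the form user@SERVER
    attachment: bytes | None
    subject: str = "budget.doc"


@dataclass
class Server:
    name: str
    queue: list[Mail] = field(default_factory=list)       # the router's mail queue
    mailboxes: dict[str, list[Mail]] = field(default_factory=dict)
    forwarded: list[Mail] = field(default_factory=list)   # copies handed to a remote router
    scans: int = 0

    def scan(self, mail: Mail) -> Mail:
        """Scanner action shared by both placements: drop an infected attachment, flag the subject."""
        self.scans += 1
        if mail.attachment and VIRUS_MARKER in mail.attachment:
            return Mail(mail.sender, mail.recipients, None, "[VIRUS REMOVED] " + mail.subject)
        return mail

    def schedule(self, mail: Mail) -> None:
        """Scheduler: one copy per recipient, to a local mailbox or to another server's router."""
        for rcpt in mail.recipients:
            copy = Mail(mail.sender, [rcpt], mail.attachment, mail.subject)
            if rcpt.endswith("@" + self.name):
                self.mailboxes.setdefault(rcpt, []).append(copy)
            else:
                self.forwarded.append(copy)

    def deliver_scan_at_queue(self) -> None:
        """Placement A (router-queue hook): scan the single queued copy before fan-out."""
        while self.queue:
            self.schedule(self.scan(self.queue.pop(0)))

    def deliver_scan_per_mailbox(self) -> None:
        """Placement B (per-mailbox agent): fan out first, then scan each local copy;
        copies routed to other servers leave this server unscanned."""
        while self.queue:
            self.schedule(self.queue.pop(0))
        for box, mails in self.mailboxes.items():
            self.mailboxes[box] = [self.scan(m) for m in mails]


def run(placement: str) -> dict[str, int]:
    """Feed one infected mail (3 local + 2 remote recipients) and report what each placement costs."""
    srv = Server("HQ")
    rcpts = ["bob@HQ", "carol@HQ", "dan@HQ", "erin@BRANCH", "frank@BRANCH"]
    srv.queue.append(Mail("alice@HQ", rcpts, b"...doc body..." + VIRUS_MARKER))
    {"at_queue": srv.deliver_scan_at_queue, "per_mailbox": srv.deliver_scan_per_mailbox}[placement]()
    infected = lambda m: bool(m.attachment and VIRUS_MARKER in m.attachment)
    return {"scans": srv.scans,
            "infected_forwarded": sum(infected(m) for m in srv.forwarded),
            "infected_local": sum(infected(m) for ms in srv.mailboxes.values() for m in ms)}
```

Running `run("at_queue")` and `run("per_mailbox")` shows the difference the text argues: one scan and nothing infected leaves the server, versus three scans with both remote copies forwarded still carrying the attachment.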
Effective real-time mail scanning must also include logging, notification, and alerting functions to enable administrators to trace the source of infected files and isolate infection sites. In ScanMail for Lotus Notes, these functions include
· Notification of the mail sender, recipient, and administrator via a warning Notes Mail that includes the following information:
  · Infected file name
  · Date of sent message
  · Mail sender
  · Mail recipients
  · Virus name (if known)
  · ScanMail action taken
· Insertion of a warning on the subject line and message to the recipient that a virus was detected in an attachment and that the attachment was removed from the message
· Automatic actions taken on the infected file (e.g., clean file and send to original recipient, delete file, move file into quarantine area, or pass file with a warning), according to the administrator's configuration instructions.
An efficient mail-scanning system for Lotus Notes and Domino must also accommodate a variety of attachment encoding and compression methods. ScanMail decodes attachments encoded using MIME and UUencode formats and locates viruses hidden in files compressed using PKZIP, ZIP2EXE, LZEXE, ARJ, LZH, PKLITE, and Microsoft Compress. ScanMail can even check files using multiple levels of compression (e.g., a ZIP2EXE file that has also been LZEXE and ARJ compressed). These features are important as various forms of file compression are increasingly used.
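An added example (not ScanMail's code): a Python attachment scanner that first undoes the MIME base64 or uuencode transfer encoding, then unpacks nested ZIP levels before matching a constructed signature, with a depth cap so a deliberately deep archive cannot stall the scan. It covers only ZIP of the container formats listed above; the encoding names, file names and marker are assumptions for the demo.

```python
import base64
import binascii
import io
import zipfile

VIRUS_MARKER = b"CONSTRUCTED-MACRO-VIRUS-MARKER"  # constructed stand-in for a pattern-file signature
MAX_DEPTH = 8  # bound on nested archive levels so a deliberately deep archive cannot stall the scan


def decode_transfer_encoding(encoding: str, body: bytes) -> bytes:
    """Undo the encoding the mail client applied to the attachment: MIME base64 or uuencode."""
    if encoding == "base64":
        return base64.b64decode(body, validate=True)
    if encoding == "uuencode":
        lines = body.splitlines()[1:]                      # drop the 'begin 644 name' header
        return b"".join(binascii.a2b_uu(l) for l in lines if l not in (b"", b"`", b"end"))
    raise ValueError(f"unsupported encoding {encoding!r}")


def scan_bytes(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Unpack ZIP levels recursively and return archive paths of infected leaf files.
    A container is never matched as a whole: that is exactly the blind spot of a scanner
    that sees an archive (or a Notes database) as one opaque file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [name] if VIRUS_MARKER in data else []
    if depth >= MAX_DEPTH:
        return [f"{name} (nesting limit {MAX_DEPTH} reached, not unpacked)"]
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            hits.extend(scan_bytes(f"{name}/{member}", zf.read(member), depth + 1))
    return hits


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive (fixture builder for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def uuencode(name: str, data: bytes) -> bytes:
    """Minimal uuencoder (45 raw bytes per line) for the demo fixture."""
    lines = [b"begin 644 " + name.encode()]
    lines += [binascii.b2a_uu(data[i:i + 45]).rstrip(b"\n") for i in range(0, len(data), 45)]
    return b"\n".join(lines + [b"`", b"end"])


def demo() -> dict[str, list[str]]:
    """Constructed attachments: a base64 MIME part carrying a zip-in-zip with an infected
    document two levels down, and a uuencoded clean document."""
    inner = make_zip({"macro.doc": b"Normal paragraph... " + VIRUS_MARKER, "notes.txt": b"clean"})
    outer = make_zip({"inner.zip": inner, "readme.txt": b"also clean"})
    mime_part = base64.b64encode(outer)                    # as it would sit in a MIME body
    uu_part = uuencode("memo.doc", b"nothing to see here. " * 5)
    return {"report.zip": scan_bytes("report.zip", decode_transfer_encoding("base64", mime_part)),
            "memo.doc": scan_bytes("memo.doc", decode_transfer_encoding("uuencode", uu_part))}
```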
Database Protection. ScanMail for Lotus Notes features two types of protection for data stored in Notes databases: "on-demand" scans for archived data such as e-mail or old databases, and real-time scanning of documents as they are saved to Notes databases.
On-demand scans, which can also be scheduled to occur automatically, are able to penetrate the special Notes database format and examine all files that are part of the database. Only in this way can the Notes administrator be sure that the database is initially "clean," preventing re-infection each time an infected document is accessed.
Real-time scans are the heart of ScanMail for Lotus Notes database protection. On the Domino server, clients can open a document from the shared database, modify it (possibly infecting it with a virus), and return it to the shared database. Whenever a client saves a document in this database, ScanMail for Lotus Notes scans the document for viruses just before it is closed, preventing the spread of any virus present in the document. This action is imperceptible to the user. Once the document has been found to be virus-free (or, if found to have a virus, once cleaned, quarantined, deleted, or ignored), clients are allowed to access the file.
Replication Protection. In Lotus Domino, when replication begins, the replicator opens the database, updates an entry (i.e., document), closes the entry, updates the next entry, closes that entry, and so on. Whenever a database entry is updated, the real-time replication scan in ScanMail for Lotus Notes scans that document for viruses just before it closes. If a virus is detected in the entry, replication of that entry is blocked. But during this scan, ScanMail allows the task of replicating other entries to continue unabated. Hence, even if a virus is identified during a scan, replication of clean entries continues, and there is no degradation in replication performance. The result is replication of only clean entries. As during the database scan, at the administrator's option, infected files can be deleted, moved, passed, or cleaned.
Compared to methods that require virus scanning to be completed before replication is continued, this approach saves on costly dial-up telephone connections when replication involves remote servers. In fact, alternative approaches can double or even triple telephone connection time and costs.
Domino Server Protection. To protect Lotus Notes Domino Servers from viruses introduced via FTP downloading from the Internet, Trend Micro's ScanMail for Lotus Notes scans each downloaded file. Soon, Trend will extend Domino Server protection to include unwanted Java applets and uncertified ActiveX controls. Trend Micro was one of the first to provide server-based security solutions for both ActiveX and Java components. The technology the company uses selectively filters ActiveX code from unknown sources, while letting known vendor code pass through. The filter blocks Java applets, uncertified ActiveX controls, FTP- and HTTP-borne viruses, CABinet files, and Win32 portable executables [5].
-- Source: BBS 水木清华站 bbs.net.tsinghua.edu.cn [FROM: ppp200.hr.hl.cn]
-- Source: 广州网易 BBS bbs.nease.net [FROM: 202.96.61.236]