发信人: jia()
整理人: emil(1999-05-08 13:03:12), 站内信件
|
发信人: poker (virus killer), 信区: Virus
标 题: viruses in lotus notes
发信站: BBS 水木清华站 (Thu Jul 23 11:02:03 1998)
I am too tired to translate it
"Viruses in a Lotus Notes? Environment"
Abstract
Lotus Notes and Domino is a powerful communication infrastructure used
to find, organize, mobilize, and share information in a database, an
e-mail message, a desktop application, or on the Internet. Since
computer viruses are able to use this system in
several ways to propagate throughout an enterprise, virus protection is
critical to avoid infection costs that the National Computer Security
Association estimates at an average of more than $8000 per incident [1].
Devising virus protection for Notes
and Domino is analogous to devising such protection for an entire
enterprise--all virus entryways must be safeguarded. This paper
explains how viruses spread in Lotus Notes and Domino, covers how to
estimate the costs of virus infection, shows how
virus protection is devised for Lotus Notes and Domino, and outlines how
one product, ScanMail for Lotus Notes by Trend Micro, Inc., provides
effective virus protection in this environment.
About Lotus Notes and Domino
The world's leading messaging and groupware product, Lotus Notes? is an
e-mail and information sharing system tied together by a powerful
database (i.e., complex object store). Almost 10 million users
worldwide in thousands of companies today use
Notes to break down traditional barriers and create alliances that
extend across departments and beyond the walls of the organization.
This allows teams of employees, customers, suppliers, and partners to
access the information they need, no matter
where they are located or what computer platform they are using.
Lotus Notes performs three main functions: communication, collaboration,
and coordination. First, Notes provides the power to communicate using
a reliable and innovative client/server messaging system (Notes Mail),
which incorporates a popular
messaging user interface, cc:Mail. Second, Notes enables users to
collaborate and share ideas with team members on joint projects, access
discussion databases, participate in group discussions, create document
libraries, and access news databases.
Third, Notes enables users to create custom business applications that
coordinate everyday business processes from start to finish.
Notes provides the following four components:
· E-mail
· Database applications (i.e., shared spaces to store all types of file
and business
processes)
· Replication (i.e., synchronizing database changes)
· Information sharing across Intranets and the Internet
These components make sharing of information and documents easy and
efficient among employees, customers, suppliers, and partners in
different locations. But this powerful form of information sharing also
inherently carries with it ideal ways for
computer viruses to spread.
Background
Electronic mail and groupware applications require specially designed
virus protection software capable of dealing with issues of propagation,
proprietary e-mail, and shared information (e.g., public folders).
Typically these types of information
bypass virus protection on file servers. As a result, the system
administrator must rely on desktop virus protection, and the end user
must implement scanning policies, update software, and refresh virus
pattern files.
Server-based virus protection is recommended over desktop protection for
several reasons:
· Security: Responsibility for updating software, cleaning
viruses, and tracking the source of infections is in the hands of a
professional, not the least experienced user in the network.
· Performance: The LAN administrator can best balance issues of
performance (selecting when and what to scan) and network security.
· Costs: Costs to remove and clean up virus infections are
greatly reduced when detected at the server level (source: NCSA).
Desktop virus software, such as Trend Micro's PC-cillin, is still
recommended as the best way to detect viruses introduced by
users--through infected diskettes, for example.
How Viruses Spread in Lotus Notes and Domino
Computer viruses (i.e., any program or code that replicates itself) are
insidious. Without virus detection or protection, users typically do
not know their systems are being infected until they see results that
can range from annoying to
catastrophic. And virus infection is on the rise. Despite a
significant increase in the usage of anti-virus products, the rate of
computer virus infection in corporate America nearly tripled in 1996[1].
For most users of Lotus Notes, viruses can spread in four ways,
corresponding to Notes' four components--e-mail, databases, replication,
and Internet/Intranet information sharing.
Today's typical office worker receives more than 40 e-mail messages each
day, and many of these messages come with word processing and
spreadsheet file attachments, such as those created in Microsoft Word
and Microsoft Excel. A National Computer
Security Association (NCSA) survey reports that e-mail attachments as a
source of computer virus infection tripled from 1996 to 1997--from 9% of
all infection sources to over 26% of infections. To make matters worse,
a relatively new class of viruses,
called macro viruses, are now spreading like wildfire, attaching
themselves to word processed and spreadsheet documents. In fact, these
viruses are spreading faster than most anti-virus software makers can
find ways to detect and remove them. Macro
viruses are now the most prevalent computer viruses in the world,
representing 80% of all infections in 1997, compared to 49% a year ago
[1].
The second mode of virus transmission possible in Lotus Notes involves
Notes databases. These databases are capable of storing millions of
archived documents that are accessible throughout the company and even
outside the company. With the widespread
proliferation of viruses, it is likely that this wide access to a
company's Notes database will lead to virus infection, and macro viruses
are likely to be included among these viruses. Each time a database
document with a virus is accessed, network
contamination can result.
Replication is a third way viruses can propagate in Lotus Notes and
Domino. The act of synchronizing databases, which may include many
databases at various locations on various servers, serves to spread
viruses that reside in any one of the databases.
A fourth mode of virus infection and propagation now faces Lotus Notes
users. The Lotus Notes' Domino server makes information sharing across
Intranets and the Internet easy, opening up entire new worlds of data to
the Notes user. For example,
browsing the World Wide Web or their company's Intranet, a user can save
information found in a common database for others to access.
But this powerful way of storing, and later retrieving, valuable
information can lead to virus infection in several ways. For example,
viruses carried by files downloaded from the web via FTP downloading can
infect corporate databases. The NCSA
survey reports that virus infection via downloading of files from the
Internet increased from 10% of all infections in 1996 to 16% in 1997
[1].
Looking ahead, a new type of malicious code, carried by ActiveX and Java
controls that spice up web pages, poses the potential for PC damage
simply by browsing the web. Of course, users can be infected by viruses
via FTP downloading or by simply
browsing the web even if they are not Domino server users. However,
this useful server increases the potential for the spread of these
viruses within a corporation.
Complete Virus Protection for the Enterprise
In general, the most effective way to ensure that a corporate computer
network remains free of viruses is to monitor all possible virus
entryways. This is true of both users and nonusers of Lotus Notes. In
practice, this involves a two-step process:
(1) identifying possible virus entryways, and (2) implementing virus
protection solutions for each entryway [2].
First, all possible virus entryways must be determined. Since viruses
follow the same routes into a network as information, this step can be
performed by considering all paths of information flow into the network.
One of the most important of these
paths is incoming e-mail with attachments. For Lotus Notes users, this
path, along with data accessed from common databases, is critical.
Other virus entryways include the Internet via FTP downloading, as well
as simply web browsing.
However, there are other significant information paths, and hence
potential virus propagation routes. For example, removable media (e.g.,
floppy disks, Zip disks, Jazz disks, optical disks, and CDs) can
transmit a virus from a single workstation to an
entire network. And remote users dialing into the network can also
inadvertently spread viruses onto the network.
The second step is to identify and implement virus protection at each
potential virus entryway. In most cases, this calls for establishing
both significant server-based anti-virus presence and significant
workstation-based virus protection. The
reason is that, of course, viruses can enter the network either through
the server or directly from the workstation (via removable media).
Intercepting viruses as close to their source as possible, before they
have a chance to spread, is the key to
minimizing virus infection costs.
Estimated Virus Infection Costs
Depending on the size of the infection, a virus incident can cost
between $2000 and $500,000 (U.S. dollars) in data and productivity loss
[3]. One study showed that the average cost of recovering from a virus
infection on a network is $15,000 (U.S.
dollars) and that 85 percent of those sites were re-infected within 30
days [3].
Intercepting viruses from entry routes at servers, including Lotus
Domino servers, rather than relying solely on workstation-based
protection, makes economic sense. Using a spreadsheet, IS managers can
estimate the cost of virus infection in two
scenarios--one in which only workstation-based protection is used, and
one in which both workstation and server-based protection are used [4].
Assume that a Notes Mail attachment infected with a virus is forwarded
to 100 people throughout a company.
If the company uses server-based virus protection, this software would
intercept the virus, and at the assumed cost for an IS Manager to take
action on this virus ($500 in the example), this would represent the
only cost the company would incur.
But if the company did not install server-based e-mail anti-virus
software, relying instead on workstation-based virus protection, cleanup
would be much more costly. Each of the assumed 75 users with the
protection who know how to use it would incur a
loss of productivity cost of $100, amounting to $7500 companywide. In
addition, IS Manager time to respond to inquiries from an assumed 20
users who have protection but need help to disinfect would cost $500 per
user, or a total of $10,000. Finally,
each instance of IS Manager cleanup on unprotected workstations (five of
which are assumed here) would cost an assumed $1000 each, for a total of
$5000. These three cost components total $22,500, which is $20,000 more
than the server-based scenario.
If such an infection occurs twice per month (a conservative assumption
in large companies), the savings amounts to over $500,000 annually.
Virus Protection in Lotus Notes and Domino
The corporate-wide approach of monitoring all possible paths that
viruses may use to enter the corporate computer network can also be
extended to Lotus Notes and Domino. Here, the challenge is to pinpoint
and protect all possible entry points for
virus-infected files to the core of Lotus Notes--the Notes database.
There are four ways that a virus can enter this database:
· A piece of Notes Mail with an infected attachment is saved into the
Notes Mail database.
· A Notes user opens the database and stores a virus-infected file in
the database.
· A Domino server with an infected file replicates that file through
database replication into this "clean" database.
· A file infected with a virus is downloaded via FTP.
An effective anti-virus product for the Notes and Domino environment
must be able to monitor all of these events in real-time, scan any new
entry into the database, and eliminate the infected file--all without
affecting Notes performance.
Traditional anti-virus products view the Notes database as a single
large file, and hence, are unable to locate viruses within the database.
Hence, effectively eradicating viruses in Notes requires development of
anti-virus software specifically
tailored to Lotus Notes and Domino. The virus scanner must understand
the Notes database format, scan individual files and documents within
the database, and clean or remove infected files without impacting the
Notes database structure.
About ScanMail for Lotus Notes
One example of such a tailored product is ScanMail? for Lotus Notes
available from Trend Micro, Inc., of Cupertino, California. Designed
specifically for Lotus Notes and Domino, ScanMail overcomes the weakness
of traditional anti-virus software by
detecting and eliminating viruses inside Notes databases, as well as
monitoring e-mail transactions, public databases, and replication in
real-time. This product uses both rule-based and pattern recognition
technologies to maximize protection against
viruses--known or unknown. What's more, the virus engine uses
multi-threading for fastest performance. ScanMail also incorporates
Trend Micro's MacroTrap? technology to detect the wide range of macro
viruses now proliferating, and soon, ScanMail will
check for ActiveX and Java components stored in the Notes database.
The ScanMail user interface is fully integrated with Lotus Notes.
Similarly, all ScanMail program files, configuration data, and virus
pattern files are stored inside the Notes database. This close
integration provides several advantages. Since
real-time scans are a Domino server task, they are loaded automatically
when the Domino server starts up. Another benefit is that program
files, configuration data, and pattern files can be initially replicated
from Domino server to Domino server, and
automatic virus pattern file downloads via the Internet can be
distributed to other Domino servers with no user intervention required.
E-mail Protection. In Notes Mail, each piece of mail is first placed in
a Notes Mail router, which stores the mail in a virtual mail queue. The
Notes Mail scheduler reads the mail from the queue, resolves the
address, and generates a copy of the mail
for each recipient. This scheduler then either deposits a copy of the
mail into the recipient's individual mailbox on the same server, or
sends it to a router program on another server.
ScanMail for Lotus Notes ties into the mail router, detects new mail as
it arrives, instructs the virus scanner to scan the mail queue, and
prepares the mail for pickup by the mail scheduler. This approach has
several advantages over alternative
methods. First, since the mail is received by the router and then
scanned, mail sending is not delayed. Alternative approaches retrieve
each piece of mail before it reaches the router, introducing a delay
prior to routing.
A second advantage also involves the timing of the virus scan. Since
this scanning takes place before the mail is accessed by the scheduler,
only one copy of the mail is scanned. This method conserves scanning
resources and prevents infected mail
from being routed to other servers before scanning. An alternative
approach employing an agent to monitor each mailbox often requires
scanning of multiple copies of the mail and allows infected mail to be
routed to other servers. While Trend Micro's
approach is two-way, scanning both in-bound and out-bound message
attachments, the alternative approach is solely a one-way scan.
The third benefit of Trend Micro's approach is that the mail routing
path remains unchanged. No special mail path or mailbox is used,
increasing performance and eliminating false deliveries that are
possible in alternative approaches.
Effective real-time mail scanning must also include logging,
notification, and alerting functions to enable administrators to trace
the source of infected files and isolate infection sites. In ScanMail
for Lotus Notes, these functions include
· Notification of the mail sender, recipient, and administrator via a
warning Notes Mail that includes the following information:
· Infected file name
· Date of sent message
· Mail sender
· Mail recipients
· Virus name (if known)
· ScanMail action taken
· Insertion of a warning on the subject line and message to the
recipient that a virus was detected in an attachment and that the
attachment was removed from the message
· Automatic actions taken on the infected file (e.g., clean file and
send to original recipient, delete file, move file into quarantine area,
or pass file with a warning), according to the administrator's
configuration instructions.
An efficient mail-scanning system for Lotus Notes and Domino must also
accommodate a variety of attachment encoding and compression methods.
ScanMail decodes attachments encoded using MIME and UUencode formats and
locates viruses hidden in files
compressed using PKZIP, ZIP2EXE, LZEXE, ARJ, LZH, PKLITE, and Microsoft
Compress. ScanMail can even check files using multiple levels of
compression (e.g., a ZIP2EXE file that has also been LZEXE and ARJ
compressed). These features are important as
various forms of file compression are increasingly used.
Database Protection. ScanMail for Lotus Notes features two types of
protection for data stored in Notes databases: "on-demand" scans for
archived data such as e-mail or old databases, and real-time scanning of
documents as they are saved to Notes
databases.
On-demand scans, which can also be scheduled to occur automatically, are
able to penetrate the special Notes database format and examine all
files that are part of the database. Only in this way can the Notes
administrator be sure that the database is
initially "clean," preventing re-infection each time an infected
document is accessed.
Real-time scans are the heart of ScanMail for Lotus Notes database
protection. On the Domino server, clients can open a document from the
shared database, modify it (possibly infecting it with a virus), and
return it to the shared database. Whenever
a client saves a document in this database, ScanMail for Lotus Notes
scans the document for viruses just before it is closed, preventing the
spread of any virus present on the document. And this action is
imperceptible to the user. Once the document
has been found to be virus-free (or if found to have a virus, once
cleaned, quarantined, deleted, or ignored), clients are allowed to
access the file.
Replication Protection. In Lotus Domino, when replication begins, the
replicator opens the database, updates an entry (i.e., document), closes
the entry, updates the next entry, closes that entry, and so on.
Whenever a database entry is updated, the
real-time replication scan in ScanMail for Lotus Notes scans that
document for viruses just before it closes. If a virus is detected in
the entry, replication of that entry is blocked. But during this scan,
ScanMail allows the task of replicating
other entries to continue unabated. Hence, even if a virus is
identified during a scan, replication of clean entries continues, and
there is no degradation in replication performance. The result is
replication of only clean entries. As during the
database scan, at the administrator's option, infected files can be
deleted, moved, passed, or cleaned.
Compared to methods that require virus scanning to be completed before
replication is continued, this approach saves on costly dial-up
telephone connections when replication involves remote servers. In
fact, alternative approaches can double or even
triple telephone connection time and costs.
Domino Server Protection. To protect Lotus Notes Domino Servers from
viruses introduced via FTP downloading from the Internet, Trend Micro's
ScanMail for Lotus Notes scans each downloaded file. Soon, Trend will
extend Domino Server protection to
include unwanted Java applets and uncertified ActiveX controls. Trend
Micro was one of the first to provide server-based security solutions
for both ActiveX and Java components. The technology the company uses
selectively filters ActiveX code from
unknown sources, while letting known vendor code to pass through. The
filter blocks Java applets, uncertified ActiveX controls, FTP- and
HTTP-borne viruses, CABinet, and Win 32 portable executables [5].
--
来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: ppp200.hr.hl.cn]
--
※ 来源:.广州网易 BBS bbs.nease.net.[FROM: 202.96.61.236]
|
|