How Does a Virus Scanner Work?

Let’s take a more detailed look at how antivirus software works. An article in the July 2004 issue of Scientific American titled “How Does a Virus Scanner Work?” stated that a virus scanner is essentially software that searches for a signature or pattern of a known virus. Keep in mind that the scanner works only if you keep it updated. And, of course, it works only with known viruses. While that article may seem a bit dated now, it is still accurate.

Recall that the second way a virus scanner works is to watch for certain types of behaviors that are typical of viruses. This might include any program that attempts to write to your hard drive’s boot sector, change system files, automate your email software, or self-multiply. Programs that attempt to modify the system Registry (for Windows systems) or alter any system settings may also indicate virus infection.

Another feature that virus scanners search for is a file that will stay in memory after it executes. This is called a terminate and stay resident (TSR) program. Some legitimate programs do this, but such activity is often a sign of a virus. Additionally, some virus scanners use more sophisticated methods, such as scanning your system files and monitoring any programs that attempt to modify those files.

Whatever the behavior, antivirus software uses specific algorithms to evaluate the likelihood that a given file is actually a virus. It should be noted that modern virus scanners scan for all forms of malware, including Trojan horses, spyware, and viruses.

There is a third method, called heuristic scanning, which basically involves examining a file and is similar to signature scanning. However, with heuristic scanning, the file need not exactly match the signature. Heuristics refers to functions that rank various alternatives using a branching step in the algorithm. So, a heuristic scan checks for the likelihood of a given file being a virus, based on file characteristics rather than behavior.

It is important to differentiate between on-demand virus scanning and ongoing scanners. An ongoing virus scanner runs in the background and is constantly checking the PC for any sign of a virus. On-demand virus scanners run only when you launch them. Many modern antivirus scanners offer both options.

Keep in mind that any antivirus program will yield some false positives and some false negatives. A false positive occurs when the virus scanner detects a given file as a virus when in fact it is not. For example, a legitimate program may edit a Registry key or interact with your email address book. A false negative occurs when a virus is falsely believed to be a legitimate program.

Due to false positives, it is recommended that you not set your antivirus to automatically delete suspected viruses. Rather, they should be quarantined and the computer user notified.

Virus-Scanning Techniques

In general, there are six ways a virus scanner might scan for virus infections. Some of these were mentioned in the previous section, but they are outlined and defined here:

• Email and attachment scanning: Since the primary propagation method for a virus is email, email and attachment scanning is the most important function of any virus scanner. Some virus scanners actually examine your email on the email server before downloading it to your machine. Other virus scanners work by scanning your emails and attachments on your computer before passing them to your email program. In either case, email and email attachments should be scanned before a user has a chance to open them and release viruses on the system.

• Download scanning: Any time you download anything from the Internet, either via a web link or through an FTP program, there is a chance you might download an infected file. Download scanning works much like email and attachment scanning but operates on files you select for downloading.

• File scanning: With file scanning, files on your system are checked to see whether they match any known virus. This sort of scanning is generally done on an on-demand basis instead of an ongoing basis. It is a good idea to schedule your virus scanner to do a complete scan of the system periodically. I recommend a weekly scan, preferably at a time when no one is likely to be using the computer.

• Heuristic scanning: Heuristic scanning, briefly mentioned in the previous section, is perhaps the most advanced form of virus scanning. Because it uses rules to determine whether a file or program is behaving like a virus, heuristic scanning is one of the best ways to find a virus that is not a known virus. A new virus will not be on a virus definition list, so you must examine its behavior to determine whether it is a virus. However, this process is not foolproof. Some actual virus infections will be missed, and some nonvirus files might be suspected of being viruses.

• Sandbox: The sandbox approach basically involves having a separate area, isolated from the operating system, in which a download or an attachment is run. Then, if it is infected, it won’t infect the operating system.

• Machine learning: Most antivirus vendors are now working to implement basic machine learning algorithms into their antivirus software. This allows the antivirus software to adapt to changing attacks. Machine learning is only beginning to be used and is not yet well developed.

One way to accomplish sandboxing is for the operating system to set aside a protected area of memory to open the suspected file and to monitor its behavior. This is not 100% effective, but it is far safer than simply opening files on your system and hoping there is no infection.

A related concept is called a “sheep dip” machine. This is useful in corporate networks. You set up a system that is identical in configuration to your standard workstations. However, this sheep dip machine is not networked. Suspect files are opened first on the system. Then the system is monitored for a period of time for signs of infection. Once the file has cleared this check, it can then be opened on normal workstations.

A simple way to do this in a home or small office is to set up a virtual machine on your computer and to open suspected attachments or downloads in the virtual machine first. This virtual machine can have virus scanners running on it. Also, you can change the time in the virtual machine in order to detect logic bombs. Allow the suspect file to reside on the VM for a period of time before bringing it to the host computer.

Commercial Antivirus Software

Four brands of antivirus software virtually dominate the antivirus market today, and it is typical for a company that offers a commercial scanner to also offer a free version that does not provide as many features as the commercial product. For example, AVG AntiVirus, available from www.avg.com, is a commercial product, but the company also offers the AVG AntiVirus Free Edition. McAfee, Norton, and Kaspersky are three other very well-known antivirus vendors. All four products are good choices and come with a number of options, such as spam filters and personal firewalls. Any of these four products can be purchased for a home machine for about $30 to $60 (depending on the options included). This purchase price includes a 1-year subscription to update the virus files so that the antivirus software will be able to recognize all known virus attacks, including new ones. Organizational licenses are also available to cover entire networks. Malwarebytes is another popular vendor that has both free and commercial versions.

Of course, there are other antivirus solutions available. Several free virus scanners can easily be found on the Internet. McAfee, Norton, AVG, Malwarebytes, and Kaspersky are mentioned here because they are so commonly used, and it is likely that you will encounter them frequently. But my mentioning these well-known products does not mean that I discourage you from using other systems. I do, however, strongly recommend that you stick with widely used, well-supported antivirus products.

Benefits and Limitations of Firewalls

A firewall, no matter what type you get (types are described in the next section), is basically a tool to block certain traffic. A set of rules determine what traffic to allow in and what traffic to block. Obviously, a firewall is a critical piece of your security strategy. I cannot even conceive of a reason to run a system without one. However, a firewall is not a panacea for security because it cannot block every attack. For example, a firewall won’t stop you from downloading a Trojan horse. It also cannot stop internal attacks. But a firewall can be an excellent way to stop a denial of service (DoS) attack or to prevent a hacker from scanning the internal details of your network.

Firewall Types and Components

There are numerous types of firewalls and variations on those types. But most firewalls can be grouped into one of the following three families of firewalls:

• Packet inspection

• Stateful packet inspection

• Application

The following sections discuss each of these and assess the advantages and disadvantages of each.

Firewall Configurations

In addition to the various types of firewalls, there are various configuration options. The type of firewall tells you how it will evaluate traffic and hence decide what to allow and not to allow. The configuration gives you an idea of how that firewall is set up in relation to the network it is protecting. Some of the major configurations/implementations for firewalls include the following:

• Network host-based firewall

• Dual-homed host

• Router-based firewall

• Screened host

Each of these is discussed in the following sections.

Commercial and Free Firewall Products

A variety of commercial firewall products are available, some of them free. If all you want is a basic packet-filtering solution, you can find such a solution from many software vendors. Major antivirus software vendors (including those mentioned previously in this chapter) often offer firewall software as a bundled option with antivirus software. Other companies, such as Zone Labs, sell firewall and intrusion detection systems (IDSs). Major manufacturers of routers and hubs, such as Cisco Systems, also offer firewall products. How much security you need is difficult to determine. A bare minimum recommendation is to have a packet-filtering firewall/proxy server between your network and the Internet—but that is a bare minimum.

Windows 10 Windows Defender Firewall

Windows 10 ships with a fully functioning firewall, called Windows Defender Firewall. (In fact, Windows has shipped with a firewall for many years.) Windows Defender Firewall can block inbound and outbound packets. To access it, click the Start button and type Firewall. Figure 9.1 shows Windows Defender Firewall.

Note that Windows Defender Firewall looks very similar to the firewall in Windows Server 2012 and 2016, but it is different from the firewall in Windows 7.

Beginning with Windows Server 2008 and for all versions after that, Windows includes stateful packet inspection firewalls. With Windows Defender Firewall for Windows 10, you can set different rules for outbound and inbound traffic. For example, your standard workstation will probably allow outbound HTTP traffic on port 80, but you might not want to allow inbound traffic (unless you are running a web server on that workstation).

You can also set up rules for a port, a program, a custom rule, or one of the many predefined rules that Microsoft allows you to select. You can also choose not only to allow or block a connection but to allow it only if it is secured by IPsec. This means you have three options for any connection.

Rules can allow or block given applications or ports. You can also have different rules for inbound and outbound traffic. The rules allow you to decide whether a particular type of communication is blocked or allowed. You can have different settings for inbound and outbound traffic. You can set rules for individual ports (all 65,554 available network ports) and for applications. The rules in the Windows 7 firewall give you a lot of flexibility.

Most importantly, you can apply rules differently depending on where traffic comes from. You can set up rules for three areas or profiles:

• Domain: For computers authenticated on your domain.

• Public: For computers from outside your network. You would treat outside traffic more carefully than traffic coming from another machine in your domain.

• Private: Private refers to traffic from your own computer.

Firewall Logs

Firewalls are excellent tools for attempting to ascertain what has happened after an incident has occurred. Almost all firewalls, regardless of type or implementation, will log activity. These logs can provide valuable information that can assist in determining the source of an attack, methods used to attack, and other data that might help either locate the perpetrator of an attack or at least prevent a future attack using the same techniques. Any security-conscious network administrator should make it a routine habit to check the firewall logs.

IDS Categorization

There are a number of ways in which IDSs can be categorized. The most common IDS categorizations are as follows:

• Passive IDSs

• Active IDSs (also called intrusion prevention systems, or IPSs)

Identifying an Intrusion

There are really two ways of identifying an intrusion. The first method is signature based. This is similar to the signatures used by antivirus. However, IDS signatures cover issues beyond malware. For example, certain DoS attacks have specific signatures that can be recognized.

The second method is statistical anomaly. Essentially, any activity that seems outside normal parameters and far enough outside the given parameters to be a likely attack is identified as a probable attack. Any number of activities can trigger this type of alert, such as a sudden increase in bandwidth utilization or user accounts accessing resources they have never accessed before.

Most IDSs use both forms of attack identification. The two real issues for selecting an IDS are its ease of use and its signature database. There are certainly other considerations, such as price, but ease of use and its signature database are the most important in deciding on an IDS.

IDS Elements

Whether it is an active IDS or a passive IDS, and regardless of whether it is commercial or open source, certain elements/terms are common to all IDSs:

• A sensor is the IDS component that collects data and passes it to the analyzer for analysis.

• The analyzer is the component or process that analyzes the data collected by the sensor.

• The manager is the IDS interface used for management. It is a software component of the IDS.

• The operator is the person primarily responsible for the IDS.

• Notification is the process or method by which the IDS manager makes the operator aware of an alert.

• An activity is an element of a data source that is of interest to the operator. It may or may not be a possible attack.

• An event is any activity that is deemed to be suspicious and a possible attack.

• An alert is a message from the analyzer indicating that an event has occurred.

• The data source is raw information that the IDS is analyzing to determine if there has been an event.

All these elements are part of an IDS and function together to capture traffic, analyze that traffic, and report anomalous activity to the operator of the IDS. An IPS has additional elements that enable it to shut down offending traffic.

Snort

A number of vendors supply IDSs, and each has unique strengths and weaknesses. Which system is best for your environment depends on many factors, including the network environment, security level required, budget constraints, and skill level of the person who will be working directly with the IDS. One popular open-source IDS is Snort, which can be downloaded for free from www.snort.org.

We will examine Snort briefly in this section. While it is not the only IDS available, it is free, and that makes it an attractive option for many people. We will walk through the basic configuration of Snort for Windows.

First, you must visit www.snort.org and register (for free). Then download the Snort installation program and the latest rules. Make certain you download the installer that has an .exe extension. The .rpm extensions are for Linux. Also, I have found that certain versions of Microsoft Internet Explorer do not work well with the Snort website, so it is recommended that you use an alternative browser such as Mozilla Firefox.

Once you have downloaded both the rules and the installation program, start the installation. Most of it is quite simple. There is a screen that asks you if you wish to support database connectivity. For most live situations, you would want to dump your Snort records to some database. However, for demonstration purposes, choose I Do Not Plan to Log to a Database. Figure 9.2 shows the installation options.

Other than this, simply use all default settings. At the end, the installation program will also attempt to install WinPCAP. If for some reason this fails, you will need to download and install it separately. WinPCAP is an open-source tool for capturing packets, and all IDSs depend on packet capturing.

After you copy the rules you downloaded from wherever you saved them to C:snort ules, you need to copy the configuration file from C:snort ulesetcsnort.conf to C:snortetc. Open that configuration file using WordPad, not Notepad. (Notepad does not support word wrap, and it will be difficult to read the configuration file in Notepad.)

You need to change the HOME_NET any to your machine’s IP address, as shown in Figure 9.3. In a live situation, you would also set the other IP addresses (for the web server, SQL server, DNS server, and so on).

Now you need to find and change the rule paths, which are Linux-style paths, as shown in Figure 9.4.

You need to change them to Windows-style paths, as shown in Figure 9.5.

You now need to find and change the library paths. This is a bit difficult because the names of the paths and the files are a bit different in Windows. The Linux-style library paths will look like the ones shown in Figure 9.6.

You can find your Windows pathnames and filenames by looking in the folder shown in Figure 9.7.

You must find the reference data and change it from Linux-style paths to Windows-style paths, as shown in Figure 9.8.

You are almost done. Now search for this:

#output log_tcp dump

and after it, add this line:

output alert_fast: alert.ids

Now you need to use the command line to start Snort. Simply navigate to C:snortin. There are several different ways to start Snort. Many of the common ones are listed in Table 9.1. I recommend that you try the simplest one first.

Snort is free and open source, but many people have a great deal of difficulty working with it at first. The slightest error in your configuration file or the command-line startup will cause it to not run correctly. The purpose of this section is just to introduce you to Snort. For more information on Snort, see the following sites:

• Snort Manual: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/

• Writing Snort Rules: http://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm

Honey Pots

A honey pot is an interesting technology. Essentially, it assumes that an attacker is able to breach your network security, and it would be best to distract that attacker away from your valuable data. Therefore, a honey pot involves creating a server that has fake data—perhaps an SQL server or Oracle server loaded with fake data, and just a little less secure than your real servers. Then, since none of your actual users ever access this server, monitoring software is installed to alert you when someone does access this server.

A honey pot achieves two goals. First, it takes the attacker’s attention away from the data you wish to protect. Second, it provides what appears to be interesting and valuable data, thus leading the attacker to stay connected to the fake server, giving you time to try to track the attacker. Commercial solutions, such as Specter (www.specter.com), are available. These solutions are usually quite easy to set up and include monitoring/tracking software. You may also find it useful to check out www.honeypots.org for more information on honey pots in general and on specific implementations.

Database Activity Monitoring

Database activity monitoring (DAM) involves monitoring and analyzing database activity that operates independently of the database management system (DBMS). It is separate from the DBMS auditing, logging, and monitoring. Database activity monitoring and prevention (DAMP) is an extension to DAM that goes beyond monitoring and alerting to also blocking unauthorized activities.

Other Preemptive Techniques

Besides IDS, antivirus, firewalls, and honey pots, there are a variety of preemptive techniques an administrator can use to attempt to reduce the chances of a successful attack being executed against a network.

Authentication

When a user logs on to a system, the system needs to authenticate her (and sometimes the user needs to authenticate the system). There are many authentication protocols. A few of the most common ones are briefly described here:

• PAP: Password Authentication Protocol is the simplest form of authentication and the least secure. Usernames and passwords are sent unencrypted, in plain text. This is obviously a very old method that is not used anymore. However, in the early days of computing, there were no widely available packet sniffers, and security was far less of a concern.

• SPAP: Shiva Password Authentication Protocol is an extension to PAP that encrypts the username and password that are sent over the Internet.

• CHAP: Challenge Handshake Authentication Protocol calculates a hash after the user has logged in. Then it shares that hash with the client system. Periodically the server will ask the client to provide that hash. (This is the challenge part.) If the client cannot provide it, then it is clear that the communications have been compromised. MS-CHAP is a Microsoft-specific extension to CHAP. These are the basic steps:

  1. After the handshake phase is complete, the authenticator (often the server) sends a “challenge” message to the peer.

  2. The peer responds with a value calculated using a “one-way hash” function.

  3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection should be terminated.

  4. At random intervals, the authenticator sends a new challenge to the peer and repeats steps 1 to 3.

  The goal of CHAP is to not only authenticate but to periodically reauthenticate, thus preventing session hijacking attacks.

• EAP: Extensible Authentication Protocol is a framework frequently used in wireless networks and point-to-point connections. It was originally defined in RFC 3748 but has been updated since then. It handles the transport of keys and related parameters. There are several versions of EAP, and it has many variations, including these:

  • LEAP: Lightweight Extensible Authentication Protocol was developed by Cisco and has been used extensively in wireless communications. LEAP is supported by many Microsoft operating systems, including Windows 7 and later versions. LEAP uses a modified version of MS-CHAP.

  • EAP-TLS: Extensible Authentication Protocol–Transport Layer Security uses TLS to secure the authentication process. Most implementations of EAP-TLS utilize X.509 digital certificates to authenticate the users.

  • PEAP: Protected Extensible Authentication Protocol encrypts the authentication process with an authenticated TLS tunnel. PEAP was developed by a consortium including Cisco, Microsoft, and RSA Security. It was first included in Microsoft Windows XP.

• Kerberos: Kerberos is used widely, particularly with Microsoft operating systems. It was invented at MIT and derives its name from the mythical three-headed dog that was reputed to guard the gates of Hades. The system is a bit complex, but the basic process is as follows: When a user logs in, the authentication server verifies the user’s identity and then contacts the ticket-granting server. (These servers are often on the same machine.) The ticket-granting server sends an encrypted ticket to the user’s machine. That ticket identifies the user as being logged in. Later, when the user needs to access some resource on the network, the user’s machine uses that ticket-granting ticket to get access to the target machine. There is a great deal of verification for the tickets, and these tickets expire in a relatively short time.

More on Kerberos

Since Kerberos is so widely used, it bears a bit closer look than the other authentication methods. In this section we will look a bit more in depth at Kerberos. If this is your first exposure to Kerberos, you may need to read this section more than once to really digest it. While there are variations, the basic process is shown in Figure 9.9. (Note that Figure 9.9 is a very simplified overview of Kerberos and omits some steps that are discussed later in this section.)

The elements of Kerberos follow:

• Principal: A server or client that Kerberos can assign tickets to.

• Authentication server (AS): A server that authorizes the principal and connects it to the ticket-granting server.

• Ticket-granting server (TGS): A server that provides tickets.

• Key distribution center (KDC): A server that provides the initial ticket and handles TGS requests. Often it runs both the AS and TGS. It must be noted that Kerberos is one of the most widely used authentication protocols. Europe often uses an alternative, SESAME (Secure European System for Applications in a Multivendor Environment).

Point-to-Point Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP) is the oldest of the three protocols used in VPNs. It was originally designed as a secure extension to Point-to-Point Protocol (PPP). PPTP was originally proposed as a standard in 1996 by the PPTP Forum—a group of companies that included Ascend Communications, ECI Telematics, Microsoft, 3Com, and U.S. Robotics. It adds the features of encrypting packets and authenticating users to the older PPP protocol. PPTP works at the data link layer of the OSI model (discussed in Chapter 2, “Networks and the Internet”).

PPTP offers two different protocols for authenticating the user: Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP). EAP was actually designed specifically for PPTP and is not proprietary. CHAP is a three-way process whereby the client sends a code to the server, the server authenticates it, and then the server responds to the client. CHAP also periodically reauthenticates a remote client, even after the connection is established.

PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt packets. MPPE is actually a version of DES. DES is still useful for many situations; however, newer versions of DES, such as DES 3, are preferred.

Layer 2 Tunneling Protocol

Layer 2 Tunneling Protocol (L2TP) was explicitly designed as an enhancement to PPTP. Like PPTP, it works at the data link layer of the OSI model. It has several improvements over PPTP. First, it offers more and varied methods for authentication: PPTP offers two methods (CHAP and EAP), whereas L2TP offers five (CHAP, EAP, PAP, SPAP, and MS-CHAP).

Besides making more authentication protocols available for use, L2TP offers other enhancements. PPTP will only work over standard IP networks, whereas L2TP will work over X.25 networks (a common protocol in phone systems) and ATM (Asynchronous Transfer Mode, a high-speed networking technology) system. L2TP also uses IPsec for encryption.

IPsec

Internet Protocol Security (IPsec) is the newest of the three VPN protocols. One of the differences between IPsec and the other two methods is that it encrypts not only the packet data (recall the discussion of packets in Chapter 2) but also the header information. It also has protection against unauthorized retransmission of packets. This is important because one trick that a hacker can use is to simply grab the first packet from a transmission and use it to get his own transmissions to go through. Essentially, the first packet (or packets) has to contain the login data. If you simply re-send that packet (even if you cannot crack its encryption), you will be sending a valid logon and password that can then be followed with additional packets. Preventing unauthorized retransmission of packets prevents this from happening.

IPsec operates in one of two modes: Transport mode, in which only the payload is encrypted, and Tunnel mode, in which both data and IP headers are encrypted. Following are some basic IPsec terms:

• Authentication headers (AHs) provide connectionless integrity and data origin authentication for IP packets.

• Encapsulating Security Payload (ESP) provides origin authenticity, integrity, and confidentiality protection of packets. It offers encryption-only and authentication-only configurations.

• Security associations (SAs) provide the parameters necessary for AH or ESP operations. SAs are established using Internet Security Association and Key Management Protocol (ISAKMP).

• Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange.

• Internet Key Exchange (IKE and IKEv2) is used to set up a SA by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used.

Essentially during the initial establishment of an IPsec tunnel, SAs are formed. These SAs have information such as what encryption algorithm and what hashing algorithms will be used in the IPsec tunnel. (Recall that we discussed encryption in some depth in Chapter 8.) IKE is primarily concerned with establishing these SAs. ISAKMP allows the two ends of the IPsec tunnel to authenticate to each other and to exchange keys.

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) uses the stream cipher RC4 to secure data and a CRC-32 checksum for error checking. Standard WEP uses a 40-bit key (known as WEP-40) with a 24-bit initialization vector (IV) to effectively form 64-bit encryption. 128-bit WEP uses a 104-bit key with a 24-bit IV.

Because RC4 is a stream cipher, the same traffic key must never be used twice. The problem with WEP is that the committee that created it was composed of very good computer professionals who thought they knew enough about cryptography but did not. They reused the IV, which defeats the entire purpose of an IV and leaves the protocol open to attacks. A simple search of YouTube for “how to crack WEP” will yield a deluge of videos on techniques for cracking WEP.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was definitely an improvement over WEP. First, WPA uses AES, which is a very good encryption algorithm. In addition, WPA uses Temporal Key Integrity Protocol (TKIP), which dynamically generates a new key for each packet. So even if you crack a WPA key, there will be a different key for the next packet.

WPA2

WPA2 is the most widely used Wi-Fi security today, and if it is at all possible, this is what you should be using. WPA2, which is based on the IEEE 802.11i standard, provides Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP), which provides data confidentiality, data origin authentication, and data integrity for wireless frames. (Some of these terms you should recall from Chapter 8.) CBC prevents known plain text attacks.

The MAC preserves message integrity and ensures that packets are not altered in transit, either accidentally or intentionally. This means that WPA2 uses very strong encryption along with message integrity.

WPA3

WPA3, which was released on 2018, has many interesting features. Among its more interesting new properties is that all traffic to and from the wireless access point (WAP) is encrypted. WPA3 also requires attackers to interact with your Wi-Fi for every password guess they attempt, which makes brute-force attacks less likely to be successful.

Multiple Choice Questions

1. Which of the following is the most common way for a virus scanner to recognize a virus?

A. To compare a file to known virus attributes

B. To use complex rules to look for virus-like behavior

C. To look for only TSR programs

D. To look for TSR programs or programs that alter the Registry

2. What is one way of checking emails for virus infections?

A. Block all emails with attachments.

B. Block all active attachments (for example, ActiveX, scripting).

C. Look for subject lines that are from known virus attacks.

D. Look for emails from known virus sources.

3. What are TSR programs?

A. Terminal signal registry programs, which alter the system Registry

B. Terminate and system remove programs, which erase themselves when complete

C. Terminate and scan remote programs, which scan remote systems prior to terminating

D. Terminate and stay resident programs, which stay in memory after you shut them down

4. What is the name for scanning that depends on complex rules to define what is and is not a virus?

A. Rules-based scanning (RBS)

B. Heuristic scanning

C. TSR scanning

D. Logic-based scanning (LBS)

5. Which of the following is not one of the basic types of firewalls?

A. Screening firewall

B. Application gateway

C. Heuristic firewall

D. Circuit-level gateway

6. Which of the following is the most basic type of firewall?

A. Screening firewall

B. Application gateway

C. Heuristic firewall

D. Circuit-level gateway

7. Which of the following is a disadvantage to using an application gateway firewall?

A. It is not very secure.

B. It uses a great deal of resources.

C. It can be difficult to configure.

D. It can only work on router-based firewalls.

8. What does SPI stand for?

A. Stateful packet inspection

B. System packet inspection

C. Stateful packet interception

D. System packet interception

9. What is the term for a firewall that is software installed on an existing server?

A. Network host-based firewall

B. Dual-homed firewall

C. Router-based firewall

D. Screened host

10. What is a major weakness with a network host-based firewall?

A. Its security depends on the underlying operating system.

B. It is difficult to configure.

C. It can be easily hacked.

D. It is very expensive.

11. What is the term for blocking an IP address that has been the source of suspicious activity?

A. Preemptive blocking

B. Intrusion deflection

C. Proactive deflection

D. Intrusion blocking

12. What is the term for a fake system designed to lure intruders?

A. Honey pot

B. Faux system

C. Deflection system

D. Entrapment

13. Which of the following is the correct term for making a system less attractive to intruders?

A. Intrusion deterrence

B. Intrusion deflection

C. Intrusion camouflage

D. Intrusion avoidance

14. What method do most IDS software implementations use?

A. Anomaly detection

B. Preemptive blocking

C. Intrusion deterrence

D. Infiltration

15. How do most antispyware packages work?

A. By using heuristic methods

B. By looking for known spyware

C. The same way antivirus scanners work

D. By seeking out TSR cookies

Exercises

Exercise 9.1: Setting Up a Firewall

Microsoft Windows (in every version since XP, including Windows 10) and Linux both offer built-in packet-filtering firewalls of some sort. Ideally, if you have access to both operating systems, the best exercise is to experiment with setting up firewalls for both.

1. Using the documentation for whichever operating system you have, decide what packets you wish to block.

2. Set your firewall to filter those packets.

Exercise 9.2: Router-Based Firewalls

This exercise is for students with access to a lab router-based firewall.

1. Consult your router documentation for instructions on how to configure the firewall.

2. Configure your router-based firewall to block the same items you chose to block in Exercise 9.1.

Exercise 9.3: Evaluating Firewalls

Write a brief essay explaining whether you think the router-based solution or the built-in operating system solution is best. Explain your reasons.

Exercise 9.4: Active Code

Using the Web or other resources, find out why blocking active code (for example, ActiveX scripts) might or might not be a good idea in some situations. Write a brief essay explaining your position.

Exercise 9.5: Hardware Used by a Company

Visit the IT department of a company and ascertain what hardware it uses in its computer system’s defense. Does the company use a hardware firewall in addition to a software firewall? What form of intrusion detection software does it use? Does it use antivirus and antispyware software on the workstations within the company? Write a brief report summarizing your findings.

Projects

Project 9.1: How Does the Microsoft Firewall Work?

Using Microsoft documentation, the Web, and other resources, find out what methodologies the Microsoft Windows (whichever version you are using) firewall uses. Write a brief essay explaining the strengths and weaknesses of that approach. Also discuss situations in which you feel that approach is adequate and those in which it might be inadequate.

Project 9.2: How Does Antivirus Software Work?

Using documentation from the vendor, the Web, or other resources, find out what methodology Norton AntiVirus uses, as well as the methods that McAfee uses. Armed with this information, write a brief essay comparing and contrasting any differences. Also discuss situations in which one might be recommended over the other.

Project 9.3: Using Snort

This is a longer project and appropriate for groups.

Go to the Snort.org website (www.snort.org) and download Snort. Using the vendor documentation or other resources, configure Snort. Then use port scanners on the machine that has Snort configured and note whether Snort detects the scan.