SME strategies for virus-attack recovery

A simple virus can be extremely costly to businesses. Once a virus penetrates security defences, it can quickly rip through the network, destroy files, corrupt data, render applications useless and cause an expensive lull in productivity.

Understanding how viruses operate and assessing ways to prevent them from spreading is vital knowledge that every organisation, including small and medium-sized enterprises (SMEs), must have.

What is a virus?
Viruses are computer programs specifically written to change the way a computer functions, without the permission or knowledge of the user.

To be categorised as a virus, it must meet two criteria:

• It must execute itself, often placing its own code in the path of execution of another program
• It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file. The original virus can also modify the copy or the copy may modify itself, as occurs in a metamorphic virus

Viruses infect desktop computers and network servers alike.

Some viruses are designed to compromise a computer by damaging programs, deleting files or reformatting the hard disk. Others are not programmed to do any harm, but simply to duplicate themselves and make their presence known by presenting text, video and audio messages.

Even these benign viruses can create problems for small businesses, as they typically take up computer memory used by legitimate programs. As a result, they often cause erratic behaviour and can result in system crashes.

In addition, many viruses are bug-ridden. These bugs often lead to data loss and sometimes system failure.

Variety of viruses
Viruses come in many forms and spread through various ways, such as email, instant messenging, websites and devices.

• Email: Viruses are commonly transmitted through email attachments and, if activated, can result in the computer being compromised. In some cases, data can be erased from the hard disk. It is also common for attachments to be forwarded to everyone in the victim's address book
• Instant messenging: Viruses can be spread through instant messenging by downloading infected files or clicking on a link that takes the online user to an infected website. The effects of a virus attack include the victim's computer slowing down, spyware being installed to track information entered into the computer and files being compromised or damaged
• Web-based attacks: As the number of available web services grows, the number of new web-based threats will continue to increase. From applications in social-networking sites and website banner ads to online services, hackers have found ways to spread malicious code and steal identities online
• Devices: MP3 players, PDAs and portable hard disks are among the devices becoming more commonly used in the workplace to synchronise calendars or store files, for example. Viruses can be transferred onto such devices through USB ports, and to other PCs subsequently

With so many different ways for viruses to enter an organisation, SMEs have to be on their guard more than ever and make sure that they have the tools and processes in place to deal with virus attacks when they strike.

After an attack
Regardless of the form they take, viruses are costly and annoying. If a business has suffered a virus attack and its systems are compromised, it will need to take action promptly to stop the virus from spreading to other computers on its network.

Here are some suggestions on how to quickly get your business up and running again after an attack:

• Quarantine
  Once a computer is suspected of suffering a virus attack, IT managers must immediately quarantine the computer by physically disconnecting it from the core network. Infected machines pose a danger to all other computers connected to the network.
  If other computers are suspected of having been infected, even if they aren't displaying any symptoms, they still need to be treated as if they are infected. It would be counter-productive to clean one machine while an infected computer is still connected to the network.
  Operating on the assumption that more than one computer on the network has been infected is more cost-efficient than treating only one computer and finding out later that others are infected as well.
  
• Remove
  Once the infected computer has been disconnected, IT managers must focus on removing the malicious code. Use virus-removal tools written specifically for the virus that is causing the damage.
  Antivirus software should have updates or patches available for the specific security threat. If the antivirus software has not been updated recently, be sure to update it.
  
• Reinstall
  The type of damage caused by a virus attack varies depending on the particular virus. The damage can range from changed file names to permanently disabled software applications.
  If the operating system is completely damaged, reinstall it by using the quick restore CD that usually comes with the computer. This will restore the computer to its original configuration, so any application that has been installed or data files that have been saved previously will be lost.
  Before the reconfiguration process can be initiated, IT managers need to make sure they have all the necessary information handy: the original software, software licences, registration and serial numbers.
  
• Restore
  All organisations should back up their files and documents on a regular basis, so they can recover and restore lost data after a virus attack. If they do not perform routine backups of all data and files on computers' hard drives, infected files will most probably be permanently lost.
  It is important to keep in mind that not all viruses target data files; some attack applications. If an application is attacked and rendered unusable, the application needs to be uninstalled and loaded back onto the computer.
  
• Scan
  After reinstalling and restoring the data, businesses need to complete a thorough virus scan of computer systems on their network. Use the most recent virus definitions available for antivirus software.
  Be careful not to overlook anything, and do scan all files and documents on all computers and servers on the network.
  
• Prevent
  The first step to prevention is to run antivirus software and make sure security patches are up-to-date. Create and enforce a regular backup schedule to ensure no data will be lost in the event of a future attack.
  It is also important to change all passwords, including those for ISP and FTP access, for email and passwords used in websites. Some viruses can capture or crack passwords, leading to future system vulnerabilities. By changing passwords, businesses can boost their security.
  

If a virus manages to penetrate the network despite the fact that the company has implemented certain security measures, learn from the mistake and consider changing or enhancing current security practices.

Look into why previous security measures were not effective. Was there a firewall, and, if not, was it necessary? Were virus definitions and security patches updated promptly? Was a file downloaded before it was scanned for potential viruses?

Companies should refine and reinforce their IT security policy. By implementing prevention tools and practices, businesses can save themselves the time, money and stress associated with a virus attack.

Ronnie Ng is manager of systems engineering at Symantec in Singapore and is responsible for helping customers develop processes to protect data and deploy disaster-recovery policies.