Virus Protection at the SSCC

Computer viruses, worms and other malicious software have become a serious and very public issue. SSCC staff have taken several steps to avoid being affected by viruses, and these have been generally quite successful. Most viruses, including the recent highly publicized ones, are dealt with before our users are even aware of them. We will continue to take whatever steps are needed to keep our systems secure. This article will describe the measures we have taken to stop viruses, and some steps you can take to further reduce your exposure.

Rest assured that SSCC staff monitor the bulletins of anti-virus software makers and others who work on detecting and eradicating viruses. We will be aware of threats before they are published in the mainstream media. Much as we appreciate your awareness and concern, there's no need to forward warnings you may have received to us. In addition, a substantial fraction of virus warnings are in fact hoaxes.

Server-Side Filtering

Our email server automatically checks incoming email attachments. If the software determines an attachment is dangerous, then the message is rejected and a warning is sent to our Linux system administrator. Attachments which are merely suspicious are "defanged" (see below) to prevent them from being run casually or even inadvertently.

Files that are known to be viruses are immediately rejected. In addition, file types are examined, and those that experience has shown are far more likely to be viruses than legitimate files are rejected. These include most program files (.exe, .com, .pif, .bat, .dll, etc.), Visual Basic script and JavaScript files (.vbs, .vbe, .js) and screen savers (.scr), among others. Another common trick is to use two different extensions to disguise a virus, for example paper.doc.exe, because on many PCs the final extension is hidden. Thus the file appears to be paper.doc, a harmless Word document, rather than a malicious program. Our server rejects all files with two extensions. If you need to send someone a file which would be rejected, there are many alternatives to email (SFTP, etc.), or you can rename the file temporarily. Contact the Help Desk for assistance.

Finally, certain file types are "defanged." This simply means that some numbers and the word "DEFANGED" are added to the file name so that Windows can't recognize the file type. Thus you can't run it by just double-clicking on it. If you are confident that the attachment is indeed safe, save the file to a convenient location and then rename it, removing "#####DEFANGED-" from the name. Then it will run as usual.
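
The filename rules described above, sketched in Python as an added example (this is not the SSCC mail server's actual configuration). The set of defanged extensions and the exact position of the "#####DEFANGED-" marker are assumptions, since the article does not specify them; all function names are hypothetical.

```python
import random
import re
from email.message import EmailMessage

# Types the article names as rejected outright.
REJECT_EXT = {"exe", "com", "pif", "bat", "dll", "vbs", "vbe", "js", "scr"}
# Assumption: the article does not list the defanged types; placeholders.
DEFANG_EXT = {"hta", "chm", "reg"}

def defang(name, tag=None):
    """Insert '<digits>DEFANGED-' before the extension (assumed placement)."""
    stem, _, ext = name.rpartition(".")
    tag = random.randint(10000, 99999) if tag is None else tag
    return f"{stem}.{tag}DEFANGED-{ext}"

def refang(name):
    """Undo defang(): what the user does by hand when renaming the file."""
    return re.sub(r"\d+DEFANGED-", "", name, count=1)

def classify(filename, tag=None):
    """Return (action, resulting_name) for one attachment filename."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    clean = filename.strip().rstrip(". ")
    exts = [e for e in clean.lower().split(".")[1:] if e]
    if len(exts) >= 2:                      # paper.doc.exe
        return "reject", None
    if exts and exts[0] in REJECT_EXT:
        return "reject", None
    if exts and exts[0] in DEFANG_EXT:
        return "defang", defang(clean, tag)
    return "pass", filename

def filter_message(msg, tag=None):
    """Classify every attachment of a parsed message by its filename."""
    return {p.get_filename(): classify(p.get_filename(), tag)
            for p in msg.iter_attachments()}

def sample_message():
    """Constructed test message; the attachment bodies are dummy bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("notes.txt", "paper.doc.exe", "Setup.EXE", "help.chm"):
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

if __name__ == "__main__":
    for name, result in filter_message(sample_message(), tag=12345).items():
        print(name, "->", result)
```

A strict two-extension rule also rejects legitimate names such as archive.tar.gz, which is the kind of file the SFTP or temporary-rename advice above is for.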

This server-side filtering is our first line of defense against viruses, and is quite effective. It is particularly useful against new viruses before they are handled by anti-virus software (and often before anyone knows they exist). For example the Magistr virus spread for two days before it could be detected by anti-virus software. However, it spread by sending itself as an attachment with one of four different endings. We defanged all files with those endings, and this was enough to prevent it from spreading to anyone using our email.

Note that all of this only applies if you are using SSCC email (your email address is user@ssc.wisc.edu). DoIT email (user@wisc.edu) does limited filtering, though they are working on making their email system more secure.

Protecting University PCs

Each PC installed by SSCC staff includes Symantec Antivirus. This powerful and flexible software has two main components. Real-time protection constantly monitors your PC to prevent viruses from installing themselves, and scanning checks your PC for the presence of viruses. Real-time protection will always be running, and you can start a scan any time you feel the need. With real-time protection running (in addition to our server-side filtering) the chances of a virus successfully attacking your PC are quite low. But if you are suspicious, simply scan your PC.

You know that Symantec Antivirus is running if you see the yellow logo in the lower right corner of the screen, on the system tray:

[Image: Norton Antivirus logo in the system tray]

Right click on this icon and open Symantec Antivirus if you want to perform a scan.

New viruses are constantly being created, and anti-virus software must be kept up to date to be effective. Symantec Antivirus checks for updates whenever you log in to PRIMO, the SSCC's Windows network domain.

Protecting Home PCs

Home computers need to be protected from viruses as well. Symantec Antivirus is available free to UW faculty, staff and students, and we encourage everyone to take advantage of it. It must also be kept up to date to be effective. Please see Keeping Your PC Secure for detailed instructions.

Virus Hoaxes

Hoaxes about viruses are almost as common as viruses themselves. Typically these will come as an email warning with great urgency of the incredible damage the virus can do if not stopped. Often it will give a well-known computer-related company as a source, but with no link to a page on the company's web site containing the information. Were it a real virus, such a page would exist. The message will always contain an exhortation to forward it to everyone you know; that's the author's goal. Think of these messages as just another form of email virus, one which dupes well-meaning computer users into spreading it rather than doing the work itself. If you are not sure whether a given message is a legitimate warning or a hoax, you can check Symantec's Hoax Page. You can find reliable, up-to-date information on real virus threats on Symantec's web site, or Network Associates' web site.

While not exactly a hoax, another common source of misinformation about viruses is automatic messages saying a virus was detected in an email you sent. Actual viruses almost always forge the from address in the messages they send, but some servers still respond to that address when they detect a virus. These messages can be ignored.

More Steps You Can Take to Avoid Viruses

Messages created by viruses often stand out if you know what to look for. Warning signs include subjects or text that are simply gibberish or are out of character for the purported sender ("love letters" from coworkers for example), or receiving identical messages from several different people (a sign they all got the same virus). If you suspect a message may contain a virus, contact the sender to see if they intended to send you the message in question, or simply delete it. Reading the message is usually (but not always) safe; never open suspicious attachments.

Last Revised: 3/06/2007