Actrix And Server-Based Virus Scanning

from the October 2002 Newsletter
by Rob Zorn

As most of you will probably be aware, some ISPs have introduced a new service (server-based virus scanning) where all incoming and outgoing e-mails are automatically scanned, and the viruses removed. This has, of course, generated a lot of interest and we are receiving occasional inquiries from customers as to where Actrix stands on this issue. Personally I'm ambivalent on the matter (it has its definite pros and cons), so this article will look briefly at some of the reasons for and against server-based virus scanning, and then I'll let you know where we're currently at regarding this service.

Why Server-Based Virus Scanning is So Attractive

The system seems to be working fairly well for those ISPs currently scanning for viruses at the server level. Every incoming and outgoing e-mail (including all attachments) is scanned and stripped of anything that is deemed to be a virus. Some also seem to be removing those annoying hoax e-mails that circulate encouraging people to delete legitimate Windows files, such as jdbgmgr.exe and/or sulfnbk.exe. If the server finds an infected e-mail, it also notifies the sender and the intended recipient of the problem (by sending them another e-mail). Thus it serves as a good warning to someone with an infected machine who might otherwise continue passing the virus around for a while before finding out they have it.

There is no doubt that server-based virus scanning has had a positive impact on the number of viruses circulating in New Zealand. By all accounts numbers are down, and this can only be a good thing, as each infected machine could potentially have infected many, many more, and so on. Whether this will remain a good thing in the long run is less certain, but we'll get to that below.

It is not hard to see why server-based virus scanning is an attractive service. Besides providing users with the feeling that they're safer, it may well give users the impression that they can at last be done with expensive anti-virus programs, and with the regular hassle of having to download and install the latest virus definitions from their anti-virus retailer. The download servers at these places are notorious for being slow and unreliable. That's not surprising when you consider how hard they are working and how many people are downloading from them at the same time.

That Seductive Safe Feeling

If users know that their ISP is scanning all incoming and outgoing e-mail for viruses, then of course they're going to feel safer; and this is largely where the real danger in server-based virus scanning lies. Some of the customers who have asked about Actrix's plans for this service have indicated that they feel it is our responsibility as an ISP to protect them from viruses. I wonder whether people should be quite so keen to hand over important responsibilities like that. The question is not so much whose responsibility it is (sorry, but no ISP with any business sense is going to accept any such responsibility). The question is more whether it is better to hand that responsibility to someone else, or whether it is much wiser to keep it firmly in your own hands. Of course I believe the latter to be true. For many years, ISPs and technical writers have gone to great lengths to educate Internet users about their own security and safety. It has been a hard and uphill battle. Now, with server-based virus scanning, any progress made is in danger of quick erosion. I just hope with all sincerity that Internet users are not now going to start feeling okay about clicking any old attachment that they receive.

The primary danger, of course, lies in the old "false sense of security." If you let your own personal virus protection lapse because you think your ISP will be able to handle all virus scenarios, then you're actually in more danger than you've ever been. If you think this way, then there are a number of things you need to learn about how viruses work, and about the people who make them:

The Limitations of Server-Based Virus Scanning

Firstly, your ISP will only be able to scan for known viruses. The ISP will engage the services of one of the larger anti-virus companies, such as Symantec (they produce Norton Anti-Virus) or PC-cillin. Their scanning servers will update themselves regularly with new virus definitions provided by the anti-virus company, in much the same way that an individual user has to download and install his or her own virus updates. It's always a game of catch-up, so it is quite possible that new viruses will sneak through to customers before the ISP's servers have had a chance to update. This is one reason why no ISP is going to make you any legally binding guarantees. If you, as a customer, have let your own personal PC hygiene lapse and you've forgotten about being careful with attachments or about updating your e-mail program with security patches, then there are going to be tears cried at your place.

Secondly, because an ISP can only scan for known viruses, it's going to be a lot harder for them to protect you from viruses written specifically with that ISP as the target. Let me clarify, and this will make more sense. We've all heard the famous virus names like KLEZ, Hybris, Magistr, Nimda etc. These are viruses that have been written in such a way as to have as widespread an effect as possible. That's why we've all heard about them. However, what many of us may not know is that it is also possible to write a virus targeted at just one individual, or just one company. You'll find that most ISPs are pretty private about the machinery and configurations of their networks. Knowing about these things is the first step in writing malicious code to attack an ISP or one of its machines. What we have to understand about the mindset of hackers and virus-writers is their love of challenge and experimentation. Often their motivation for breaking into something or writing nasty code is just to see whether or not they can. Any ISP that claims to protect its customers from viruses unwittingly throws out just the sort of challenge the hacker or virus-writer is looking for. Should this happen (and it's probably a matter of "when" rather than "if"), then all those who have been lulled into letting their own personal security habits lapse are going to be in all sorts of bother.

It may not even require hacking skills to get past an ISP's virus scanners. Outlook Express, for example, has the ability to split one e-mail up into smaller e-mails and then automatically re-assemble them back into one e-mail at the other end. Conceivably, this process could split a virus up into smaller units which, though scanned, would not be recognised, because no single unit contains the whole virus. After they pass the scanners and arrive at your machine, Outlook Express "helpfully" puts them back together into the nasty little surprise they originally were. You can read about this feature of Outlook Express at http://www.theregister.co.uk/content/55/27095.html.

These days it is true that 99% of viruses will come to you via e-mail. However, you can still become infected through other means such as accepting a word-processor document (e.g. Microsoft Word) from someone via a diskette, or by downloading a program or document from somewhere on the net. Server-based scanning cannot protect you or warn you about viruses that come to you in those ways. Only a personal anti-virus program can.

Other Considerations

How closely do you want your personal e-mail scrutinised and controlled by other parties? Just like your telephone company should not concern itself with what content you speak down the wire, your ISP should not be concerned about what content you send and/or receive. That's your business and you need to take your own responsibility for it. Normally, an ISP's mail server would only concern itself with the headers of your e-mail. All it's really worried about is who to pass your e-mail on to.  If your e-mails are being thoroughly virus scanned, then they have to be "read" in their entirety. This includes any documents attached to them. Then, without asking you, the scanning software makes a decision all by itself to delete part of something that was sent either to you, or by you. Then you are personally identified so that the server can send you and your correspondent an e-mail about the virus it is so proud to have just deleted for you. I'm not suggesting for a minute that certain ISPs are attempting to do anything sneaky or underhanded. Nevertheless,  I find this all just a tad disquieting, and a step in a direction that makes me just a little uncomfortable.

How much is server-based virus scanning worth to you? Unfortunately, implementing it is very expensive for an ISP. It's not just a matter of copying some scanning software on to the mail servers. Mail servers can work hard and fast, but they're not infinite in their capabilities. If you're forcing them to examine everything that passes through, comparing contents against an enormous list of virus signatures, then of course the whole process is going to take more than twice as long. The end result is that an ISP is going to have to double the number of mail servers it has running. Do you think that such an operation would really end up being free for customers? Though the ISP may not be directly charging for the service, you can be sure that customers will be carrying the cost for it somewhere along the line, perhaps through increased fees sooner rather than later. This is a cost that will be borne by all of the ISP's customers, whether or not they have asked for it or even want it.

Actrix Plans for Server-Based Virus Scanning

Actrix understands that a lot of customers, both actual and potential, see this service as something of value. Yes, we will therefore be implementing it as a service in the not too distant future. Plans have not yet been finalised, but at this stage we are intending to implement the service a little differently from the other ISPs who currently offer it. For a start, we will make it an "opt-in" service. This means that it won't happen for you automatically unless you specifically request it, and so you don't have to worry about any of the impositions upon you or your privacy described above unless you specifically ask for them. We may introduce a small fee for the service, too, so that only those who truly want the service need contribute to the costs of its implementation.

Parting Recommendations

Always remember that there is no substitute for your own security practices. You don't need to be a genius to be able to install free security updates to your e-mail program. The Windows Update page makes it a breeze and is even linked to under the Tools menu in Internet Explorer. If you feel intimidated by the process and worry that you may need to be some sort of geek, write to me and I'll point you at some articles that should help you. Once you've done it, you'll wonder what all the fuss was about.

If you're currently with a company that offers free virus scanning, even if it's Actrix, whatever you do, don't just rely on that and imagine all your virus troubles are over. As I try to point out above, you may regret handing over that responsibility so freely and easily.

Get a reputable anti-virus program and update it regularly. We can help advise you on that too (there are good free ones). Yes, the update downloads are slow, and a weekly hassle, but they're as important for your computer's welfare as other forms of protection are for your own personal well-being. You are your own last line of defence against viruses and no one can or should take that away from you.

Don't click attachments to e-mails that you aren't 100% sure of, especially ones that end in .exe, .scr or .pif. These are the file extensions most commonly used by viruses.
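As an added example (not code from the original article, and not a description of Actrix's own systems), here is how a mail gateway can avoid the split-e-mail problem described under "The Limitations of Server-Based Virus Scanning": it reassembles RFC 2046 message/partial fragments before looking for the risky attachment extensions listed in the parting recommendations. It uses only Python's standard email library; the two fragments and the address split-42@example.invalid are constructed samples, deliberately cut so that the file name straddles the split.

```python
import email
from email import policy
from email.parser import HeaderParser

RISKY_SUFFIXES = (".exe", ".scr", ".pif")  # the extensions named in the article

# Constructed sample: a message carrying invoice.exe, split into two
# message/partial fragments so that the file name straddles the split.
OUTER = ('Subject: Your invoice\nContent-Type: message/partial; '
         'id="split-42@example.invalid"; number={n}; total=2\n\n')
FRAGMENT_1 = OUTER.format(n=1) + (
    'Subject: Your invoice\nContent-Type: multipart/mixed; boundary="XYZ"\n\n'
    "--XYZ\nContent-Type: text/plain\n\nPlease see the attached file.\n"
    "--XYZ\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="invoice.e')
FRAGMENT_2 = OUTER.format(n=2) + (
    'xe"\nContent-Transfer-Encoding: base64\n\nTm90IGEgcmVhbCBwcm9ncmFt\n--XYZ--\n')

def fragment_info(text):
    """Return (id, number, total) for a message/partial fragment, else None."""
    msg = HeaderParser().parsestr(text)  # headers only; body kept verbatim
    if msg.get_content_type() != "message/partial":
        return None
    total = msg.get_param("total")  # RFC 2046 requires total only on the last piece
    return (msg.get_param("id"), int(msg.get_param("number")),
            int(total) if total is not None else None)

def reassemble(fragments):
    """Join the bodies of a complete fragment set in order; raise ValueError
    when pieces are missing or disagree, so the gateway holds them instead."""
    pieces, ids, totals = {}, set(), set()
    for text in fragments:
        pid, number, total = fragment_info(text) or (None, 0, None)
        ids.add(pid)
        totals.add(total)
        pieces[number] = HeaderParser().parsestr(text).get_payload()
    totals.discard(None)  # non-final pieces may carry no total
    if len(ids) != 1 or None in ids or len(totals) != 1:
        raise ValueError("not a single, consistent message/partial set")
    total = totals.pop()
    if sorted(pieces) != list(range(1, total + 1)):
        raise ValueError("fragment set incomplete; hold until all parts arrive")
    return "".join(pieces[n] for n in range(1, total + 1))

def risky_attachments(text):
    """File names carrying one of the risky extensions, in any MIME part."""
    msg = email.message_from_string(text, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if (part.get_filename() or "").lower().endswith(RISKY_SUFFIXES)]
```

Scanned one piece at a time, neither fragment shows a risky attachment; only the reassembled message does, which is why a scanner should hold partial messages until the whole set can be rebuilt.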