Saturday, December 18, 2004

IRC bots & anti-virus software

I mentioned in my first post the IRC bot infection that brought our LAN down. If you don't know what an IRC bot infection is like, it's a real mess - your PCs and LAN become weapons at the hands of outside hackers using your PCs to launch attacks against other websites.

    If you want to read what IRC bots are all about, check out this account by Steve Gibson, of SpinRite fame. He recounts his experience with a DDoS attack launched by a 13-year-old hacker that rendered his website inoperable for the better part of a couple of weeks: http://www.grc.com/dos/drdos.htm

When I took the job, I immediately noted on the 3rd day of work that the school's PCs had never had anti-virus software on them and it was only a matter of time before we got hit. Following Murphy, the inevitable happened ahead of schedule. It was the twelfth day on the job and ... WHAMMMO! I just didn't have time to maneuver against the hordes of internet worms and viruses that cast a long dark shadow across our sun-dappled LAN. ;-)

It was a total meltdown. The only immediate solution was to go into the wiring closet and start pulling plugs until the network stopped being saturated by network traffic. All of the Windows 2000 machines - the teachers' PCs - were useless, running at 100% CPU, bombarding the rest of the network with massive packet storms. Everyone was offline.

There were 20 of those to fix (along with another 20 student PCs with Windows 98 that I haven't gotten around to fixing even yet). I ultimately discovered (after trying five different antivirus vendors) that every machine in the school had something in it: script exploits, infected downloaded executables, worms, viruses, IRC bots, Java threats, some dating back 2 years or more. Every machine took multiple sittings to repair: Windows Explorer wouldn't start, so I had to start the Windows GUI manually (alt-control-delete --> Task Manager --> Run --> explorer).

When it came to disinfecting my machines, I tried many different anti-virus vendors in the weeks that followed. The list wasn't exhaustive, but I picked the most obvious candidates. Only after trying at least five major antivirus name brands did I finally select F-Prot. I found that F-Prot was the most price-competitive and cost-effective and yet provided first-rate antivirus protection. F-Prot proved to be the quickest and easiest to install, with only a minor caveat (see below).

The F-Prot program suite is small and nimble and doesn't interfere with the operation of Windows. Some of the other anti-virus vendors either failed to detect viruses that F-Prot found, or they were so cumbersome and unwieldy that they functionally became unreliable (especially on older machines and/or older versions of Windows).

I had actually forgotten about F-Prot, but a couple of friends reminded me to try F-Prot (one a LAN admin). After they jogged my memory, I recalled F-Prot from the 1980s and early 1990s, when the main virus vector was floppy disks. Back then LAN administrators swore by F-Prot. I gather that many still do, with F-Prot keeping its place as an industry standard, replete with versions for Unix, Linux, Macintosh, Solaris and AIX. Perhaps only one other small independent vendor covers as many platforms.

An interesting note about the company that makes F-Prot: Frisk is still a small firm in Reykjavik, Iceland (40 employees at last count), distributing F-Prot via VARs. So instead of becoming a huge marketing behemoth like so many other software shops (which shall remain nameless) demanding $20-$30/seat for volume site licenses (!), F-Prot's license runs about $2.00-$3.00/seat (for 30+ seats). Frisk's modest educational discount even beat the deep "donation" price for another anti-virus program offered via TechSoup, plus Frisk didn't hassle me for proof of our 501(c)(3) non-profit status.

My only caveats about F-Prot are these: if your Win2K/XP users do not have admin rights to the machine, you have to be ready to adapt a Win2K/XP machine so that it updates the F-Prot virus pattern database reliably. To do that you have to be ready to tweak some registry and file system security settings.

I'll post the fix scripts for this later, but you'll have to use the cacls utility in Windows XP/Win2K and the SetACL utility at www.sysinternals.com. Frisk should do something to address this (like provide some simple scripts with their Windows kit), along with improving their scheduling interface. Other than those concerns (and those are minor compared to the false negatives or the bloatware of some of the other vendors), I have only good things to say about F-Prot: it's a first-rate product, and its antivirus heuristics are as good as or better than the large name-brand competition (the others of whom shall remain nameless).
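As an added illustration of the file-system half of that tweak (this is not the author's promised fix script and not part of Frisk's Windows kit), the batch file below grants the local Users group Change rights on the folder that holds the virus pattern database and nothing else, so a non-admin account can pull definition updates without being able to replace the scanner's own executables. The definitions path is a placeholder that depends on the F-Prot version installed, and the registry-side change the author mentions is not shown because the key involved is specific to that install.

```batch
@echo off
REM Added example: not the author's fix script and not part of F-Prot itself.
REM Assumption: the virus pattern database lives in the folder named by
REM FPROT_DEFS (placeholder path; adjust to the real install location).
REM Run once, from an administrator account, on each Win2K/XP machine.

set "FPROT_DEFS=C:\PLACEHOLDER\F-Prot\Definitions"

if not exist "%FPROT_DEFS%" (
    echo Definitions folder "%FPROT_DEFS%" not found - set FPROT_DEFS first.
    exit /b 1
)

REM Record the ACL before the change so the original state is on file.
echo === ACL before ===
cacls "%FPROT_DEFS%"

REM /E edits the existing ACL instead of replacing it, /T walks the whole
REM tree, /G Users:C grants the Users group Change (read/write/delete) on
REM the definitions folder only. The program directory is left alone, so a
REM limited user can update signatures but still cannot overwrite the
REM scanner binaries that run with higher privilege.
cacls "%FPROT_DEFS%" /E /T /G Users:C
if errorlevel 1 (
    echo cacls failed - this must be run as an administrator.
    exit /b 1
)

echo === ACL after ===
cacls "%FPROT_DEFS%"
```

Check the "ACL after" listing for a single Users:(OI)(CI)C entry on the definitions folder and confirm that the parent program folder still shows Users with read-only rights.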


1 Comments:

At 9:23 PM, Anonymous Anonymous said...

GREAT to see you blogging!!

Sandy
