There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims to damage resources, delete files, slow down performance or steal confidential information. Once a virus is on a computer, it takes time, effort and money to remove it. This is why it is better for an organisation to protect all its devices with antivirus software upfront.

What is an antivirus?

An antivirus is software whose main purpose is to detect malware on a device and remove it. By constantly scanning devices, files and inserted USB keys, it makes sure that when something goes wrong, remediating actions can be taken.

Who needs an antivirus?

Even if some organisations or systems are more vulnerable, or more targeted by cybercriminals, than others, any IT equipment can potentially be infected by a virus at any time.
An antivirus helps ensure that a computer is not vulnerable to known viruses. It is the most important piece of software for protecting an organisation's computers and data. Although no virus scanner offers 100% protection, installing one is crucial. Cybercriminals are constantly looking for weaknesses to exploit in order to bypass that layer of protection without being detected. However, using an antivirus can at least protect devices from the main known viruses. It is one of the most important steps an organisation can take to ensure the IT security of all its assets.

How does an antivirus work?

Antivirus software looks for viruses everywhere on a device: in memory and on hard disks, in the content of email messages, when a web page loads, when removable media (USB keys, DVDs, etc.) are read, and so on. Once it detects an infected file, an alert is raised on the device. At the same time, the software places the infected file in containment (quarantine) to make sure the virus cannot spread, and eventually removes it completely.

Types of antivirus

There are two categories of antivirus, signature- and behaviour-based:

  • Signature-based: every known piece of malware has a unique signature, a kind of fingerprint, that identifies it. A signature-based antivirus uses that distinctive identification to detect the malware and block it.
  • Behaviour-based: cybercriminals make slight changes to their malware so that its signature no longer matches and it goes undetected. To counter those changes, a behaviour-based antivirus analyses the code and anticipates the actions it could take. If something malicious is detected, such as access to a critical part of the system, it can block it.
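The detect, alert, contain sequence described above, together with the signature "fingerprint" idea, as an added example that is not part of the original text (the signature database and the scanned files are constructed for the demo, not taken from any real product):

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signature database. Real engines use richer signatures, but the two
# forms shown, an exact file hash and a byte pattern, are the "fingerprint" idea.
SIGNATURE_HASHES = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-A").hexdigest(): "Sample.A",
}
SIGNATURE_PATTERNS = {b"CONSTRUCTED-MARKER-B": "Sample.B"}


def match_signatures(data: bytes):
    """Return the signature name matching this content, or None if unknown."""
    name = SIGNATURE_HASHES.get(hashlib.sha256(data).hexdigest())
    if name is None:
        name = next((n for p, n in SIGNATURE_PATTERNS.items() if p in data), None)
    return name


def scan_directory(root: Path, quarantine: Path):
    """Detect, alert and contain: each match is reported and moved to quarantine.

    Returns a list of (file name, signature name) alerts.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    alerts = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = match_signatures(path.read_bytes())
        if name is None:
            continue
        alerts.append((path.name, name))
        # Containment: move the file away so it cannot be opened or spread;
        # final removal (or restoring a false positive) is a separate step.
        shutil.move(str(path), quarantine / (path.name + ".quarantined"))
    return alerts


def run_demo():
    """Scan a constructed folder and return (alerts, files left in place)."""
    root, quarantine = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (root / "report.txt").write_bytes(b"quarterly figures, nothing unusual")
    (root / "sample_a.bin").write_bytes(b"CONSTRUCTED-SAMPLE-A")
    # One extra byte changes the hash, so the exact-hash signature no longer
    # matches: the limitation that motivates behaviour-based detection.
    (root / "sample_a_variant.bin").write_bytes(b"CONSTRUCTED-SAMPLE-A!")
    (root / "invoice.doc").write_bytes(b"header..CONSTRUCTED-MARKER-B..trailer")
    alerts = scan_directory(root, quarantine)
    return alerts, sorted(p.name for p in root.iterdir() if p.is_file())
```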

How to manage an antivirus?

1. Make sure the antivirus is activated and configured

Make sure that the antivirus is installed correctly and activated, and that it regularly updates both its program and its signatures. Real-time protection, which analyses everything that comes in and goes out, should be properly configured. In addition, the settings and operation can be tested to ensure the antivirus meets the needs initially defined. Finally, a full scan of the device can be performed to ensure that no previously unknown virus has taken hold between two updates.

2. Define the frequency of the scans

An antivirus can slow down a device, since it is constantly running and scanning all actions being performed. This is why it is important to decide on the frequency of scans, depending on the power of the device and the speed of scanning. Most antivirus vendors give the possibility to schedule scans at a chosen frequency, so it can be tailored to the organisation's needs. In addition, two types of scan can be executed: a quick scan or a full scan. The latter is a more in-depth scan that takes more time and resources, but it does not need to be performed every day. Doing it at least once a week already provides good protection.

Find the right balance to avoid overloading a device with constant scans while making sure you don't miss a possible threat. Don't wait more than a week between two scans.

3. Keep your antivirus up to date

The effectiveness of the antivirus partly relies on the updates the vendor releases to ensure that the protection can counter newly discovered or modified threats. In order to take advantage of those enhancements, the antivirus software needs to be kept constantly up to date on all the devices on which it is installed.

The update process can usually be automated, so schedule regular updates on all devices, at least once a day.

How to identify and react to antivirus detections?

1. Monitor the alerts

Installing and checking an antivirus is important; monitoring its alerts is even more so. The antivirus can be very efficient at detecting anomalies, but if the alerts aren't monitored and acted on, it can't be of much help. Configure the product to raise all the necessary alerts when something is wrong, and make sure those notifications are actually seen, so that any anomaly that comes up is handled.

2. Watch out for signs that can indicate an infection

Even without an alert, some warning signs from a device can already indicate that it has been infected:

  • The device has become noticeably slower, freezes or crashes often.
  • You have been locked out of your device, account, or certain files.
  • You get unusual errors.
  • You are spammed with annoying pop-up messages.
  • Your browser’s home page has changed, bookmarks have been added or new extensions have been installed without your permission.
  • Your contacts are getting strange messages from you.
  • Icons or programs that you do not recognise appear.
  • Your device switches itself off and then restarts.
  • Your antivirus software repeatedly warns you that it has been disabled.
  • Your access to system tools such as the Control Panel has been disabled.

These more visible signs can indicate that a device has been infected. As soon as a collaborator suspects that their device might have been compromised, they must contact the IT Responsible. The sooner the attack is dealt with, the less damage it can cause.

3. Make sure collaborators know how to report an incident

Beyond the antivirus notification itself, it is important to teach your collaborators how they should react to an alert, the process to follow and who they should contact.

4. Take action when an alert comes up

First, whenever an alert pops up, it is strongly recommended to disconnect the device from the Internet and perform a scan to ensure that no trace of the virus remains on the equipment. Second, a suspicious file should be restored from quarantine only if it is certain that it is not infected. Finally, if a virus cannot be removed, a complete reinstallation of the device and a change of all passwords used on it should be considered.

Tips to help an organisation pick the antivirus fitted to its needs

When choosing an antivirus, there are multiple things to evaluate:

  • Assess what you need to protect

Which devices and/or systems need protection? Are they all running on the same operating systems or do they have different ones?

  • Make sure your antivirus covers the basics

File, network and application: everything entering a device should be scanned by the product. In addition, collaborators probably spend a great deal of their time connected to the internet, and a network is the fastest way for a virus to spread. So make sure that the product chosen can protect against malicious websites and harmful content. Finally, make sure that the product also covers all the applications and operating systems in use.

  • Make sure your antivirus covers the extras you need

What other threats does it cover? Look especially at the most common ways malware is distributed: phishing attempts, USB drives and communication tools.

  • Assess how flexible the antivirus is

Find an antivirus that makes it possible to schedule scans when needed. It is best to run scans and updates at night or during weekends: it can be quite disruptive for collaborators if scans and updates always run while they are working on their devices.

  • Assess the expertise required to manage the antivirus

How much knowledge or expertise about a specific product does the IT Responsible need? Do they have that knowledge and expertise?

  • Assess the power your resources can handle

Are you working on more affordable, slower devices? Then you might want to pick an antivirus that doesn’t take too much of your systems’ resources and power.

  • Assess the budget

You cannot do without protection for your devices and systems. This is why it is important to gather the criteria your antivirus needs to meet and see which product you can afford. On the other hand, it is of no use to an organisation to spend the whole available budget on a solution that protects resources it doesn't have.

Watch out for free antivirus

Several free antivirus products offer basic but limited features. Assess the organisation's needs and evaluate whether a free antivirus is enough. However, beware of fake antivirus products whose only aim is to spy on a device or steal information. Always download antivirus software from the vendor's official website.


The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.