There are several ways a device can be infected: opening an attachment, clicking on a link, plugging in a USB drive or simply visiting a website. A virus is malicious software (malware) designed to damage resources, delete files, slow a device down or steal confidential information. Once a virus is on a computer, removing it costs time, effort and money. This is why an organisation should protect all its devices with antivirus software upfront.
An antivirus is software whose main purpose is to detect malware on a device and remove it. By continuously scanning the device, its files and any inserted USB keys, it makes sure that when something goes wrong, remediating actions can be taken.
Even if some organisations or systems are more exposed or more targeted by cybercriminals than others, any IT equipment can be infected at any time.
An antivirus reduces, but does not remove, a computer's exposure to viruses. It is one of the most important pieces of software for protecting an organisation's computers and data. No virus scanner offers 100% protection: cybercriminals constantly look for weaknesses that let them bypass that layer of protection without being detected. An antivirus nevertheless protects devices from the main known viruses, and installing one is one of the most important steps an organisation can take to secure its assets.
Antivirus software looks for viruses everywhere on a device: in memory and on hard disks, in the content of messages (email), in web pages as they load, and on removable media (USB keys, DVDs, etc.) as they are read. Once it detects an infected file, it raises an alert on the device. At the same time it places the infected file in quarantine so that the virus cannot spread, and eventually removes it completely.
There are two categories of antivirus detection, signature-based and behaviour-based. Signature-based detection compares files with a database of known malware signatures, which is only as good as its latest update. Behaviour-based detection flags suspicious actions, such as a program modifying system settings or encrypting large numbers of files, and can therefore catch malware that has no signature yet.
Make sure the antivirus is installed correctly and activated, and that it regularly updates both its program and its signatures. Real-time protection, which analyses everything that comes in and goes out, should be properly configured. The settings can then be tested to check that the antivirus meets the needs initially defined. Finally, a full scan of the device can be run to make sure that no virus unknown at the time of the previous update has taken hold in the meantime.
An antivirus can slow a device down, since it runs constantly and inspects every action performed. This is why the frequency of scans should be decided according to the power of the device and the speed of scanning. Most antivirus vendors let you schedule scans at a frequency of your choosing, so it can be tailored to the organisation's needs. Two types of scan exist: a quick scan and a full scan. The latter is more thorough and takes more time and resources, but it doesn't need to run every day; once a week already gives good protection.
Find the right balance: avoid swamping a device with constant scans while making sure you don't miss a possible threat. Don't wait more than a week between two full scans.
The efficiency of an antivirus relies partly on the updates the vendor publishes so that the protection can counter newly discovered or modified malware. To benefit from those updates, the antivirus software must be kept up to date on every device on which it is installed.
The update process can usually be automated, so make sure updates run on all devices at least once a day.
Installing and checking an antivirus matters, but monitoring its alerts matters even more. An antivirus can be very effective at detecting anomalies, but if nobody watches and reacts to its alerts, it is of little help. Configure the alerts the protection should raise when something is wrong, and make sure the notifications actually reach someone who can act on them.
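As an added example (not code from the original page), the following PowerShell script performs the checks above on a Windows device running Microsoft Defender Antivirus and applies the scan and update schedule this page recommends: daily signature updates, a quick scan every night and a full scan once a week, all outside working hours. It assumes Windows 10/11 or Windows Server with the built-in Defender PowerShell module and an elevated session; the thresholds are assumptions chosen to match this page's guidance. Organisations using another vendor's product need the equivalent checks in that product's console.

```powershell
# Added example: verify Microsoft Defender Antivirus is installed, active and current,
# then schedule a daily quick scan, a weekly full scan and frequent signature updates.
# Assumes Windows 10/11 or Windows Server with the Defender module, run as Administrator.
# Not part of the original page; the thresholds below are assumptions matching its guidance.

$maxSignatureAgeDays = 1   # signature updates at least once a day
$maxFullScanAgeDays  = 7   # no more than a week between two full scans

$status = Get-MpComputerStatus

# Each plain-language requirement maps to the matching status property.
$checks = [ordered]@{
    'Antivirus service running' = $status.AMServiceEnabled
    'Antivirus enabled'         = $status.AntivirusEnabled
    'Real-time protection on'   = $status.RealTimeProtectionEnabled
    'Signatures up to date'     = ($status.AntivirusSignatureAge -le $maxSignatureAgeDays)
    'Full scan within a week'   = ($status.FullScanAge -le $maxFullScanAgeDays)
}

# Print one line per check and collect the names of the failed ones.
$failed = foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    Write-Host ('{0,-28} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' }))
    if (-not $ok) { $name }
}
Write-Host ('Signature version {0}, last updated {1}' -f $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

# Remediation for the common failures: turn real-time protection back on, fetch signatures now.
if ($failed -contains 'Real-time protection on') { Set-MpPreference -DisableRealtimeMonitoring $false }
if ($failed -contains 'Signatures up to date')   { Update-MpSignature }

# Schedule: quick scan every night at 02:00, full scan on Sunday at 03:00, signature
# updates every 8 hours. Only the time of day of the DateTime values is used.
Set-MpPreference -ScanScheduleQuickScanTime '02:00:00'
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime '03:00:00'
Set-MpPreference -SignatureUpdateInterval 8

# A full scan that never ran, or ran more than a week ago, is started right away.
if ($failed -contains 'Full scan within a week') { Start-MpScan -ScanType FullScan }

if ($failed) {
    Write-Warning ('Checks failed on {0}: {1}' -f $env:COMPUTERNAME, ($failed -join ', '))
}
```

Run it from an elevated PowerShell session on each device, or push it through your management tooling; the warning at the end is what a central inventory should collect, since a device whose antivirus is disabled or whose signatures are stale is exactly the one that will not raise an alert when it matters.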
Even without an alert, some warning signs on a device can already indicate that it has been infected:
These more obvious signs can indicate that a device is infected. As soon as a collaborator suspects that their device might be compromised, they should contact your IT Responsible. The sooner the attack is dealt with, the less damage it can cause.
Beyond the antivirus alert itself, it is important to teach your collaborators how to react to an alert, the process to follow and who to contact.
First, whenever an alert pops up, disconnect the device from the network (Internet and local network alike) and run a full scan to make sure that no trace of the virus remains on the equipment. Second, a suspicious file should only be released from quarantine if it is certain that it is not infected. Finally, if a virus cannot be removed, consider a complete reinstallation of the device and a change of all passwords used on it.
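As an added example (not code from the original page), the following PowerShell script shows how an IT Responsible can carry out the monitoring and first-response steps described above on a Windows device with Microsoft Defender Antivirus: list what has been detected, isolate the device and run a full scan when a detection was not cleaned, and review the quarantine before anything is released from it. It assumes an elevated session and that cutting every network connection of the device (remote management included) is acceptable; the threat and file names in the final comment are placeholders, not real detections.

```powershell
# Added example: triage recent Defender detections and carry out the first-response steps
# described on this page. Assumes Windows with Microsoft Defender Antivirus and an elevated
# session, and that isolating the device (all network adapters down) is acceptable.
# Not part of the original page.

# 1. Recent detections, with threat names looked up from Defender's threat list.
$threatsById = @{}
Get-MpThreat | ForEach-Object { $threatsById[$_.ThreatID] = $_ }

$detections = Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending
$report = foreach ($d in $detections) {
    $t = $threatsById[$d.ThreatID]
    $name = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
    [pscustomobject]@{
        Detected = $d.InitialDetectionTime
        Threat   = $name
        Resource = ($d.Resources -join '; ')   # files, URLs or processes involved
        Process  = $d.ProcessName
        User     = $d.DomainUser
        Cleaned  = $d.ActionSuccess           # $false means Defender could not remediate
    }
}
$report | Format-Table -AutoSize

# 2. A detection Defender could not clean, or a threat still marked active, means the device
#    is treated as infected: refresh signatures while still online, then isolate and scan.
$active        = Get-MpThreat | Where-Object { $_.IsActive }
$failedActions = $detections | Where-Object { -not $_.ActionSuccess }
if ($active -or $failedActions) {
    Update-MpSignature -ErrorAction Continue                     # needs the network: do it first
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    Start-MpScan -ScanType FullScan                              # thorough scan of the isolated device

    $stillActive = Get-MpThreat | Where-Object { $_.IsActive }
    if ($stillActive) {
        # The page's last resort: reinstall the device and change every password used on it.
        Write-Warning 'Threats remain after a full scan: plan a reinstallation and a change of all passwords used on this device.'
        $stillActive | Format-Table ThreatName, SeverityID, Resources -AutoSize
    }
}

# 3. Quarantine review: list what is held. Release an item only once it is verified clean.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Restore -ListAll
# To release a verified false positive (placeholder name and path, not a real detection):
#   & $mpCmdRun -Restore -Name 'Placeholder:Threat/Name' -FilePath 'C:\placeholder\file.exe'
```

The order in step 2 deliberately fetches signatures before pulling the network, because an update cannot run on an isolated device and a scan with stale signatures is what let the infection through in the first place. Reconnect the device only after the full scan reports nothing active, and keep the quarantine listing with the incident record.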
When choosing an antivirus, there are multiple things to evaluate:
Which devices and/or systems need protection? Do they all run the same operating system or different ones?
File, network and application: everything entering a device should be scanned by the product. Collaborators spend much of their time connected to the Internet, and a network is the fastest way for a virus to spread, so make sure the product chosen protects against malicious websites and harmful content. Finally, make sure the product also covers the applications and operating systems in use.
What other threats does it cover? Look especially at the most common ways malware is distributed: phishing attempts, USB drives and communication tools.
Choose an antivirus that lets you schedule scans when needed. It is best to run scans and updates at night or during weekends: it causes real trouble for collaborators if scans and updates always run while they are working on their devices.
How much knowledge or expertise about a specific product does the IT Responsible need? Do they have that knowledge and expertise?
Are you working on cheaper, slower devices? Then pick an antivirus that does not take too much of your systems' resources.
Protecting your devices and systems is not optional. Gather the criteria your antivirus needs to meet and see which product you can afford. Conversely, it is not useful for an organisation to spend its whole budget on a solution that protects resources it does not have.
Several free antivirus products offer basic but limited features. Assess the organisation's needs and evaluate whether a free antivirus is enough. Beware, however, of fake antivirus software whose only aim is to spy on a device or steal information: always download antivirus software from the vendor's official website.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.