'Virus-free' declaration?

Geoff Hart ghart at videotron.ca
Tue Aug 15 07:32:24 MDT 2006


Erika Yanovich wonders: <<Customers asked us to declare that the CDs 
accompanying our products (documentation) are virus free. They haven't 
been able to send me an example of declarations from other vendors they 
are happy with, and need no particular wording... The more important 
question is how is one supposed to make sure the CDs are virus free? Is 
there any 'standard'? Should they be checked with an anti-virus app?>>

Since there is usually a delay of several days between the time a new 
virus or trojan is released into the wild and the AV vendors receive a 
copy so they can update their software, you actually can't guarantee 
anything. Ditto for spyware, only more so. What you can do is provide a 
simple statement, such as the one you'll see at the bottom of some 
corporate e-mail, that tells the reader what you actually can guarantee 
and your additional advice:

"This CD has been scanned using the [name] antivirus software and the 
[name] antispyware software before it was shipped. Because no such 
software is perfect, we recommend that you install your own antivirus 
and antispyware software and update them regularly." Because the second 
sentence will alarm some clients, your managers may resist including 
it. However, I think it's the only ethical way to handle the problem of 
modern malware. There are no guarantees, and everyone must share the 
burden of security.

How can you minimize the risk? A reasonable safety procedure would be 
as follows (some of this is also good advice for all Windows 
computers): First, as much as possible, isolate the PC that stores the 
files you'll be burning to CD. This means you'll need to put it behind 
a firewall, disable any Internet connections, uninstall any software 
(ActiveX, scripting hosts, etc.) that you don't actually need to 
operate the computer, and install the top-rated antivirus and 
antispyware software (check the main computer mags for details) and set 
it to update daily. Needless to say, use strong passwords: at least 8 
characters (more is better) representing a mix of letters and numbers 
(and if permitted by your operating system, symbols such as - and &).

Set up separate Administrator and User accounts such that only the 
administrator account can modify anything significant on the hard 
drive, and leave the computer running only using the User account. This 
setup forces you to manually log into the Administrator account for 
things like software updates; that increases your protection because 
the nastiest malware requires Administrator-level access rights to 
install itself. I don't know Windows well enough to tell you whether 
someone must take responsibility for doing software updates manually 
under these circumstances, or whether you can automate it.

Next, obtain and update at least two antivirus and antispyware 
programs; as noted above, no one program is perfect, and having other 
arrows in your quiver is useful if the utmost in security is important. 
Typically, only one program in each category should be running (and it 
should be running at all times*), with the second one available for 
manual scans (or scans scheduled using scheduling software). Although 
you can sometimes run multiple programs simultaneously, this can lead 
to serious conflicts. Unless you can confirm that two programs play 
nicely together, it's not worthwhile running (for example) multiple 
antispyware programs simultaneously.

* I had my work computer seriously infected while I was on vacation. 
Someone "borrowed" it for the day, and managed to log on at the precise 
moment an incompetent network admin had disabled the network's 
antivirus software to do network maintenance. In the 5 or 10 minutes 
before he rebooted the software, something snuck in and whacked my 
computer. Grrr... So if you need to disable the software, disconnect 
the PC from the network until it's running again.

Note that here, you're not just trying to protect your one home 
computer: you're trying to protect potentially hundreds or thousands of 
client computers, operated by people who may sue your ass if they get a 
virus. This means that you have to hold yourself to a nearly paranoid 
standard. It'll serve you well if anything slips through your armor and 
a lawsuit ensues: at least you've shown more due diligence than most, 
so the judge will be more sympathetic.

Last but not least, even if you scan the PC regularly, check the CD 
manually. The software developers can tell you how to confirm that the 
software copied to a CD is actually what it claims to be (usually by 
means of a checksum or a file comparison utility), and there are tons 
of utilities that let you check for invisible or concealed files. Do 
that check too.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --
Geoff Hart   ghart at videotron.ca
(try geoffhart at mac.com if you don't get a reply)
www.geoff-hart.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
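The last step above (confirm by checksum or file comparison that the burned disc is what it claims to be, then look for concealed files) can be scripted. The following is an added example written for this page, not something from the original post or from any vendor's tooling. It assumes a POSIX shell with sha256sum (or shasum), find, sort, awk and mktemp; the master and disc paths it uses are hypothetical, and the sample tree it builds is constructed for the demonstration. Note what each check does and does not prove: the manifest comparison proves the disc is a faithful copy of the master, so it catches a corrupted burn or a file added at the duplicator, but it cannot catch something that was already on the master; the hidden-file listing is run against the disc alone for exactly that reason, and neither replaces the antivirus scan.

```shell
#!/bin/sh
# Added example (not from the original post): check a burned CD, or its
# mounted image, against the master tree it was made from, then list
# hidden entries independently of the master.  Assumes POSIX sh plus
# sha256sum or shasum, find, sort, awk and mktemp.  All paths used in
# demo() are constructed sample data, not real product files.
set -u

# Print "hash  path" for one file, in the format sha256sum/shasum use.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Manifest of every regular file under $1, sorted by path.  Paths are
# relative to the tree root so master and disc manifests compare directly.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do hash_file "$f"; done )
}

# Compare disc tree ($2) against master tree ($1).  Prints one line per
# problem (MISSING / EXTRA / CHANGED) and returns the problem count,
# so 0 means the disc is byte-for-byte what the master holds.
verify_disc() {
    m_list=$(mktemp)
    d_list=$(mktemp)
    make_manifest "$1" >"$m_list"
    make_manifest "$2" >"$d_list"
    rc=0
    awk '
        # Each line is "hash  ./path": hash is field 1, path follows two spaces.
        { h = $1; p = substr($0, length($1) + 3) }
        FILENAME == ARGV[1] { master[p] = h; next }   # first file: master
        { disc[p] = h }                               # second file: disc
        END {
            n = 0
            for (p in master) if (!(p in disc))  { print "MISSING " p; n++ }
            for (p in disc) {
                if (!(p in master))              { print "EXTRA   " p; n++ }
                else if (disc[p] != master[p])   { print "CHANGED " p; n++ }
            }
            exit n
        }' "$m_list" "$d_list" || rc=$?
    rm -f "$m_list" "$d_list"
    return "$rc"
}

# List hidden entries (names beginning with ".") anywhere under $1.
# This is checked on the disc alone, so it also flags something that was
# already hiding on the master when the manifest was made.
find_hidden() {
    ( cd "$1" && find . ! -name . -name '.*' | LC_ALL=C sort )
}

# Constructed sample: a small master tree, a faithful copy and a tampered
# copy.  Returns 0 when the faithful copy verifies clean and all three
# tamperings (changed, missing, extra hidden file) are reported.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/master/docs" "$work/good" "$work/bad"
    printf 'User guide v1.0\n' >"$work/master/docs/guide.txt"
    printf 'See docs/guide.txt\n' >"$work/master/readme.txt"
    cp -R "$work/master/." "$work/good/"
    cp -R "$work/master/." "$work/bad/"
    printf 'User guide v1.0 (edited)\n' >"$work/bad/docs/guide.txt"  # CHANGED
    rm "$work/bad/readme.txt"                                        # MISSING
    printf 'x\n' >"$work/bad/docs/.stowaway"                         # EXTRA, hidden

    echo "== faithful copy =="
    good_rc=0; verify_disc "$work/master" "$work/good" || good_rc=$?
    echo "(problems: $good_rc)"
    echo "== tampered copy =="
    bad_rc=0; verify_disc "$work/master" "$work/bad" || bad_rc=$?
    echo "(problems: $bad_rc)"
    echo "== hidden entries on tampered copy =="
    find_hidden "$work/bad"
    rm -rf "$work"
    [ "$good_rc" -eq 0 ] && [ "$bad_rc" -eq 3 ]
}

demo
```

In practice you would run make_manifest on the isolated master PC, keep that manifest off the disc, and run verify_disc against the mounted CD on a second machine, so a compromise of the burning PC cannot silently rewrite both the files and the hashes it is checked against.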

More information about the TECHWR-L mailing list