One vendor that specializes in helping enterprises patch Windows has developed a method to do just that. It's called "cratering."
How Cratering Works
Cratering takes advantage of the fact that Windows NT, 2000, XP, and 2003 support a feature known as Access Control Lists (ACLs). These lists, which reside on PCs and control which files can be accessed, can be modified by network adminstrators at a distance. With the proper software tools, an admin can remotely change the ACLs on hundreds or thousands of PCs in a corporate network without leaving his or her desk.
Using ACLs to halt virus activity has best been described by Leiberman & Associates, a Beverly Hills, Calif., company that sells enterprise-level PC management software to do the job. But the technique can also be performed using free software programs.
How ACLs Can Control Virus Infections
Before we consider those software alternatives, let's first look at the basic steps in controlling a virus infection using ACLs:
• Virus detection. If your help desk receives a call that a PC is constantly rebooting or that some program is consuming 100 percent of its CPU time, a new virus that wasn't caught by your antivirus software may be the cause. This was true of the recent MyDoom worm. It was launched by someone on Jan. 26 and quickly became the fastest-speading infection of all time, comprising as many as 1 out of every 12 e-mails at its peak, as measured by e-mail consulting firm MessageLabs. The worm circulated for about two days before updates that recognized it were available for various antivirus programs, according to eEye Digital Security.
• File access denial. Viruses work by executing a specific file, which is usually launched automatically from one of the Run lines in the Windows Registry. When an infected machine is examined for programs that are running (using the built-in Windows Task Manager or a similar tool), the virus file can be identified.
• Set ACLs to "Deny." Using Cacls.exe, a command-line utility built into Windows, or other tools that are described below, set the ACL for the virus executable to Deny for all users. This prevents any user, or even the operating system itself, from running the executable again. To stop the instance that's already running, reboot the PC. The virus won't start again, even if it's listed in a Run line of the Registry, because access to the file has been denied. In a word, the virus has been "cratered."
With network-management tools, the process of setting ACLs on infected machines and then rebooting them can be automated and run by an administrator from any location on a network.
Inoculating PCs Against Future Virus Infections
The president of Lieberman & Associates, Phil Lieberman, says he came up with the idea of cratering when the infamous MSBlaster worm was wreaking havok with networks around the world last August. The virus made it impossible for one of the infected machines he examined to download a patch.
"The network bandwidth it was using was so high that you literally couldn't get out," Lieberman explains.
He hit upon the idea of preventing the virus executable from running by denying access to it through ACLs. Once this was done and the PC was rebooted, the virus couldn't start and the machine could be upgraded by normal means.
The ACL technique, to be sure, is not a substitute for a rigorous regime of updating Windows and your anti-virus signature files regularly. Nor would it work on a mass basis against a specialized class of viruses that generates new file names at random.
But it does lend itself to crisis situations in which a new virus threatens to overwhelm a corporate network. When your alternatives are (1) disconnecting your entire company from the Internet, or (2) simply prohibiting a file with a certain name from running, the latter option is sure to be less disruptive to your workplace.
Besides the built-in Calcs.exe program mentioned above, Microsoft also provides Xcalcs, a program that's included with copies of the Microsoft Windows Resource Kit. Third-party tools such as SetACL are also available.
More sophisticated network-management suites can automate the setting of ACLs on PCs across entire domains, along with numerous other tasks. Lieberman & Associates' User Manager Pro software has offered such features since version 4.66, which was released last August.
To promote this use of ACLs, Lieberman released on Jan. 27 a white paper on how to defeat the MyDoom virus, along with an older paper entitled Cratering. Both are available in HTML and PDF form at the LANICU white paper page.