Customer Case Study Number 2

January 2001 European Based International Company

This report was written by the customer who is using the product. CyberSoft's only edits to the document were to remove the company name (at their request) and improve formatting for ease of reading.

A brief history of VFind

We came across VFind about four years ago while looking for a virus scanner that would work on UNIX. As far as we could determine at the time, CyberSoft was the only manufacturer of such a product world wide. What other products we could find were DOS based and aimed primarily at the desktop.

We installed VFind on a server that took all our mail from the Internet fed by a 64Kbps line. It used to find a virus every week or so, nostalgic times!

Nowadays we have four Dedicated Email Firewalls taking mail from the Internet, two in the UK, one in the US and one in Sweden. Another is planned for Australia. Each is a Sun 400 series with 4 processors - we get a lot of mail. The line has increased a little too, of the four the biggest line is 38Mbps and the smallest 8Mbps.

About two years ago we had external consultants draw up an anti-virus strategy document. This said, in summary:

Use more than one AV product, but definitely keep VFind on the Firewalls. Most of the document was about selecting an AV for the desktop, but essentially said that this decision could be made on cost grounds, so long as VFind remained on the boundary.

In practice the desktops rarely see a virus as they are effectively screened by VFind on the Email Firewalls.

Sometimes a brand new Virus will get through before we get a signature. Melissa did, so did Iloveyou. In four years we have had two incidents where the desktop picked up a virus before CyberSoft released a signature. We don't know how many times we pick up a virus on the Firewalls that would have passed the desktops, there were three incidents of this in the early days, when we used to check out each Virus we detected, but the hit rate is so high now that we don't have the time to do this. In the last week or so VFind on the Firewalls has stopped the following:

today so far: 31
yesterday: 58
Tuesday: 64
Monday: 38
Sunday: 71
Saturday: 73
Friday: 103
Thursday: 353
Wednesday: 66

Note Thursday, with a tail-off into Friday. Every so often some company we know gets hit and we get flooded. I guess they don't use VFind.

There are two incidents worth special mention:

One

We merged with another company two years ago, who had no Firewall scanning, they were “relying on the Desktop”. When Melissa hit, both halves of the company were infected and disconnected from the Internet. The day after the outbreak we had a signature from CyberSoft and had isolated our infected PCs so we could reconnect our half of the company to the Internet. The other half of the company remained off-air for most of the week - it turned out that 1) few desktops had the latest signature file, 2) some whole departments did not have the latest scanner, 3) not all PCs with the latest scanner had an auto-update for the signature file working. Although we had a similar patchy response on the desktop, we only had to update three systems to make our half of the company safe behind VFind on the Firewalls. We could re-connect to the Internet and update the desktops away from the crisis. It was this incident which triggered the “whole company” AV strategy study, and to the new Email Firewall in Sweden.

Two

The whole world was hit by the “Iloveyou” virus, us included. But we had two advantages:

First, the “Virus Description Language” used by VFind is well documented and easy to use, so, as we had a sample of the virus (in fact around 8000 samples as I recall!) we were able to install our own signature within an hour and bring the systems back on-line. Later we got a more precise signature from CyberSoft and we replaced the “home grown” one. But using the VFind VDL and at the risk of a few false positives caused by an amateur signature, we were back within the hour. Remember that Iloveyou broke out in Asia, so we were hit in Europe six hours before anyone in the States (including all the AV labs) were even awake, leave alone working on a signature. The desktop AV people got their first signature late afternoon. (Mind you, it didn't work, the third one did, but that included an update of the scanner so it took hours to distribute.)

Second, VFind uses two processes, one to separate the mail into its individual pieces and then another to scan them. We were able to use the output from the separation process to identify any mail containing “vbs” script attachments. So when the second, third, fourth etc., variants of “Iloveyou” started to arrive we blocked them without scanning and sat quietly watching our competitors go off the air. Needless to say, this was popular with Senior Management.
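The pre-scan gate described in the paragraph above, sketched as an added example that is not part of the customer's report and is not VFind code. It assumes Python's standard `email` package stands in for the separation step, whose output format the report does not describe; the function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The attachment type the report blocked; the set is an assumption to extend per policy.
BLOCKED_EXTENSIONS = {".vbs"}


def attachment_names(msg):
    """Yield the declared filename of every MIME part, including parts
    inside forwarded (message/rfc822) mail, which walk() descends into."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def blocked_attachments(raw: bytes):
    """Return the filenames whose final extension is on the block list.
    No content is scanned: the decision uses the separated part names only,
    so new variants of the same file type are caught without a signature."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for name in attachment_names(msg):
        # Windows drops trailing dots and spaces on save, and only the last
        # extension selects the handler, so "NOTE.TXT.vbs" is a script.
        cleaned = name.strip().rstrip(". ").lower()
        dot = cleaned.rfind(".")
        if dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message with one harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("NOTE.TXT.vbs", "report.txt", "Script.VBS"):
        hit = blocked_attachments(build_sample(fn))
        print(f"{fn!r}: {'BLOCK' if hit else 'pass to scanner'}")
```

A filename-based gate only sees what the sender declares, so it complements signature scanning rather than replacing it.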

Copyright April 2001 by CyberSoft, Inc. All rights reserved. VFind is a registered trademark of CyberSoft, Inc. VSTK, VSTKP, VSTKCW, UAD and MvFilter are trademarks of CyberSoft, Inc.
