Don’t bother to quarantine

analysis
Jun 13, 2003

They may be infectious, but you shouldn't bother to quarantine virus-laden files

In his enterprise anti-virus review, Dan Morton mentions that the Symantec solution does not include the software needed to quarantine a virus found entering your enterprise. The software can repair an infected file, and it can delete files containing a virus — but that’s it. The quarantine function resides on a separate server that stores virus-laden files until you decide what to do with them. The software for that quarantine server is optional.

The idea behind quarantined files comes from the early days of personal computers, when viruses were also new and it wasn’t always clear how to repair the files they infected. So you’d stash a potentially infected file in a special place where normal users couldn’t gain access, and keep it there until a method of recovering the file might be found.

Things have changed. AV (anti-virus) software has dramatically improved, and AV vendors can come up with solutions to the virus du jour in minutes or hours rather than days. Virus writers have become prolific indeed, and they have begun using worms or spam to spread their malicious creations. Having a virus sent to you, finding one on a Web site, or loading one from a hand-carried disk is now more than just commonplace — it happens several times a day.

Worse, today’s viruses are vastly more destructive than those of yesteryear. They can subvert your AV software, sneak past your firewalls, and allow someone else to take over your computers from afar.

So the question becomes, Why save these quarantined files? What’s the point in devoting a special place on your hard disk or having a special server — just hanging on to virus-laden files? Are you saving them in hopes that they might be recovered later? Or are you just reluctant to throw out someone else’s e-mail?

There’s simply no reason to preserve virus-infected files in the enterprise environment. If the file can’t be repaired when it’s first discovered, it’s unlikely you’ll ever have the time to fix it later. It’s even less likely that your AV vendor is going to stumble across a magical fix if you wait long enough. So why keep it?

The directory (or the server, in some cases) where these quarantined files are kept is a huge potential danger. All AV products, whether for the enterprise or for individual computers, save their infected files in a location that’s well protected against casual access. But the fact that these files exist at all means there’s always a way to reach them. And really: If access is prevented entirely, what’s the difference between that and deleting the files?

The best solution both simplifies your life and is the safest approach. Tell your AV software, at whatever level it runs, to delete virus-infected files and to let you know each time that occurs. This accomplishes two things: First, it ensures that files containing viruses never make it into your network. Second, it lets you know whether one of your business partners has been infected, so you can alert them and request noninfected files.

But the real key is to delete these files before they’re ever seen. Then you don’t have to worry about viruses from that source again.