
A Multi-Layered AV Strategy


The Citadel Model

So what's a citadel? Well, it's a fancy word for fort. What does a fort have to do with anything? It's going to be the central analogy here.

A multi-layered AV strategy, one that combines several different kinds of tools rather than relying on a single scanner, is widely regarded as the most effective way to put AV tools to work protecting your data. This page is an attempt to give you an idea of what those tools can do and how they work together to cover each other's weaknesses.


Think of a fort, a real one with soldiers and guns and walls and the like. People have to get into this fort, don't they? So there are entrances, usually a main gate. This gate is, of course, guarded by heavily armed soldiers (it wouldn't be much of a fort otherwise). These soldiers take a good look at everyone who wants to come in and don't allow any bad people into the fort.

Your computer also has entrances, ways in which things can be put on your computer: floppy disks, downloaded files, email attachments, CD-ROMs, that sort of thing. You can guard these entrances against viruses (and some other types of bad software) by scanning incoming material of all those kinds before you use it. This is done with a scanner, which can be a Windows scanner or a DOS scanner; for this job it's best to have it installed on your hard disk, since running it from a floppy is slow. Bear in mind that a scanner only recognizes what is in its signature database, so it has to be kept up to date.


Now soldiers guarding the main gate to a fort may not catch all the bad people, some might be well disguised, and some the soldiers may simply not know how to recognize yet (and sometimes the soldiers will just be snoozing). They'll catch most of the bad people though (or they'll be replaced by someone who can). One of the ways to catch those who slip through the cracks is to put video cameras in the fort. That way if a well disguised bad guy reveals himself he'll be caught by the camera and several armed guards will be dispatched to deal with him appropriately.

The same is true for your scanner. Sometimes a virus will be so well hidden inside a dropper program (packed or encoded, say) that the scanner can't see it. Sometimes the virus will be so new that the people who made your scanner haven't even seen it yet (and sometimes you'll just forget to scan some new incoming material). To deal with the well-hidden viruses (and those that slipped by when you forgot to scan) you can use a background (or on-access) scanner that checks everything you execute or open and stops a known virus before it has a chance to run. A dropper has to write its virus out in the clear in order to run it, so the on-access scanner gets a second, better look at it than the gate scanner did. Note that this is still a scanner: a virus it doesn't know won't be stopped here either, and that is what the next layers are for.
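Here is a toy signature scanner to make the gate guards' strengths and limits concrete. It is an added example, not code from this page or from any real AV product; its signature database, the xor_encode helper and the sample files it writes to a temporary directory are all constructed for illustration and are not real virus signatures or samples.

```python
import os
import tempfile

# Constructed signature database (name -> byte pattern). These are NOT real
# virus signatures; they stand in for the "faces" the gate guards know.
SIGNATURES = {
    "Demo.Dropper": b"DEMO-DROPPER-PAYLOAD",
    "Demo.Macro": b"Sub AutoOpen()\r\nDEMO-MACRO",
}


def scan_bytes(data):
    """Return the names of all signatures found in data, in database order."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_file(path):
    """Scan one file (read in binary, so executables and documents both work)."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def scan_tree(root):
    """Walk a directory tree and return {path: [matches]} for files that hit."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            found = scan_file(path)
            if found:
                hits[path] = found
    return hits


def xor_encode(data, key):
    """Trivial obfuscation of the kind a dropper might use to hide its payload
    from a plain pattern match (constructed helper, not a real packer)."""
    return bytes(b ^ key for b in data)


def demo():
    """Build a constructed set of files and scan them.

    Returns {filename: [matches]} for the files the scanner flags. Three of
    the four files carry the demo payload, but only one is caught:
      infected.exe : payload stored as-is            -> detected
      variant.exe  : one byte of the payload altered -> missed (unknown variant)
      dropper.exe  : payload XOR-encoded             -> missed (obscured)
    The two misses are exactly the gaps the later layers (on-access scanning
    once the dropper unpacks, integrity checking, backups) exist to cover.
    """
    root = tempfile.mkdtemp(prefix="citadel-scan-")
    payload = SIGNATURES["Demo.Dropper"]
    files = {
        "clean.exe": b"MZ" + b"\x00" * 64,
        "infected.exe": b"MZ" + b"\x00" * 32 + payload + b"\x00" * 8,
        "variant.exe": b"MZ" + b"\x00" * 32 + payload.replace(b"O", b"0", 1) + b"\x00" * 8,
        "dropper.exe": b"MZ" + b"\x00" * 32 + xor_encode(payload, 0x55) + b"\x00" * 8,
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return {os.path.basename(p): m for p, m in scan_tree(root).items()}


if __name__ == "__main__":
    for name, matches in sorted(demo().items()):
        print(name, "->", ", ".join(matches))
```

Running it flags only infected.exe. The variant and the encoded dropper walk straight through the gate, which is the point: a scanner is a list of known faces, and everything else in this page is about what to do when the face isn't on the list.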


Another way to catch bad people who slip through the main gate of a fort is to have soldiers go into each and every room in the fort once in a while to make sure no one is in there doing something they shouldn't be, and also to make sure that things in those rooms are just the way they should be. Assuming the bad guy hasn't managed to leave just yet, he'll get caught even if the soldiers didn't recognize him as a bad guy; the fact that he's doing bad things gives him away. The soldiers can also identify what damage has been done so that it can be fixed. Just in case the bad guy released some chemical or biological weapon, it would probably be good for the soldiers to come from some protected area and have protective gear so that the bad guy doesn't get the upper hand.

On your computer something similar can be done by performing a full integrity check every once in a while (once a week, say). A full integrity check records a checksum (preferably a cryptographic hash) and size for every file and system area on the hard drive and compares them against a baseline recorded earlier, so any change shows up. A change by itself isn't proof of trouble; you have to decide whether the object was supposed to change, and that can take some knowledge:

Programs aren't supposed to change unless you upgrade them (usually). If a program changes, especially if it gets bigger, and you didn't upgrade it, there's a good chance you have a virus.

Boot sectors and MBRs aren't supposed to change unless you've upgraded the operating system (OS) or perhaps installed some sort of boot manager. If the boot sector or MBR changes without you installing a new OS or boot manager then you may have a boot sector virus.

Data changes fairly frequently, and it's changed by you working on it, so you should probably try to keep track of what you worked on. If data changes without your having worked on it (and without it being modified legitimately by some application on your system, which may not be easy to know) then it may be corrupted.

Locating these problems is the first step in fixing them. A resident virus can use stealth techniques to hide its changes from programs that run while it's active (showing them a clean-looking copy of an infected file, for instance), so a full integrity check should be performed from a floppy disk after a verified clean boot from a known clean, bootable, write-protected floppy disk, and the baseline it compares against should be kept somewhere the virus can't rewrite it.

Viruses aren't quite as smart as your average bad guy, though, they usually don't try to leave. Spread, yes, but not leave.


If a fort has a lot of rooms then checking out each and every one is going to be a difficult task. It may not be something you want to do (or are even able to do) very often. For that reason you may wish to check just the most important rooms (like the one with the guns, the one with the gold, the one with the fuse box) on a regular basis because they're the most likely targets and check all the other rooms less frequently because they aren't quite as vital and so don't need constant supervision.

On a computer, especially one with a large hard drive, a full integrity check is also a lot of work and it can take time that you'd rather not spend (at least not on a frequent basis). Generic system monitoring checks only the critical system areas (boot sector, MBR, system files) and other likely targets for viruses and assorted malware. This means the most likely targets are watched by a directed integrity checker (which should catch most changes), so the less critical objects can be checked less often. For this to be convenient, however, the directed integrity checker has to live on the hard disk and run without the benefit of a clean boot, which leaves it somewhat open to attack and susceptible to stealth techniques. That's the price of checking often, and the reason the full check from a clean boot is still needed.
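The following is an added example (not the page's own code) that implements both of the integrity checks described above, the full check of every file and the directed check of a critical subset, over a constructed miniature disk in a temporary directory. The file names, the CRITICAL set, the boot.img stand-in for the boot area, the program-extension list and the simulated changes are all assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed classification rules, following the page's three categories.
PROGRAM_EXTS = {".exe", ".com", ".sys", ".dll", ".ovl"}
BOOT_AREAS = {"boot.img", "mbr.img"}   # stand-in files for the boot sector / MBR
# Constructed set of critical objects for the directed check.
CRITICAL = {"boot.img", "command.com"}


def classify(rel):
    """'boot', 'program' or 'data', which decides how a change is judged."""
    if rel in BOOT_AREAS:
        return "boot"
    if os.path.splitext(rel)[1].lower() in PROGRAM_EXTS:
        return "program"
    return "data"


def fingerprint(path):
    """(size, SHA-256) of a file. A cryptographic hash rather than a plain
    checksum, so a modified file can't be padded back to a matching value."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def snapshot(root, only=None):
    """{relative path: (size, hash)} for files under root.
    only=None is the full check (every file); only=<set of relative paths>
    is the directed check, which is cheap enough to run often."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if only is None or rel in only:
                baseline[rel] = fingerprint(path)
    return baseline


def compare(old, new):
    """Diff two snapshots. 'modified' lists every change; 'suspect' applies the
    page's rules: any boot-area change and any program change (a program that
    grew is the classic appending file infector). Data changes are left for
    the user to confirm, since data is supposed to change."""
    report = {"added": [], "removed": [], "modified": [], "suspect": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["modified"].append(rel)
            kind, growth = classify(rel), new[rel][0] - old[rel][0]
            if kind == "boot":
                report["suspect"].append((rel, "boot area changed"))
            elif kind == "program" and growth > 0:
                report["suspect"].append((rel, "program grew by %d bytes" % growth))
            elif kind == "program":
                report["suspect"].append((rel, "program changed"))
    return report


def demo():
    """Constructed disk: take baselines, simulate a week of use plus an
    infection, run both checks. Returns (full_report, directed_report)."""
    root = tempfile.mkdtemp(prefix="citadel-integrity-")

    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    write("boot.img", b"\xeb\x3c\x90" + b"\x00" * 509)        # 512-byte boot area
    write("command.com", b"MZ" + b"\x00" * 200)
    write("game.exe", b"MZ" + b"\x00" * 300)
    write("letter.txt", b"Dear Sir,\r\n")
    full_base, directed_base = snapshot(root), snapshot(root, CRITICAL)

    write("letter.txt", b"Dear Sir,\r\nThank you for your note.\r\n")       # user edits data
    write("game.exe", b"MZ" + b"\x00" * 300 + b"DEMO-VIRUS-BODY")           # file infector appends
    write("boot.img", b"\xeb\x3c\x90" + b"DEMO-BOOT-VIRUS" + b"\x00" * 494)  # boot virus, same size

    return compare(full_base, snapshot(root)), compare(directed_base, snapshot(root, CRITICAL))


if __name__ == "__main__":
    full, directed = demo()
    print("full check   :", full)
    print("directed check:", directed)
```

The full check reports all three changes and marks boot.img and game.exe as suspect, leaving letter.txt for you to recognize as your own work. The directed check, watching only the critical set, catches the boot area change but never looks at game.exe; that is the trade-off the paragraph above describes. A report like this is also only as trustworthy as the environment it was produced in: keep the baseline where a virus can't rewrite it (a write-protected floppy in the page's setup), run the full check after a clean boot so a resident virus can't feed the checker clean-looking copies of infected files, and treat the directed check, which runs from the hard disk for convenience, as the early warning it is rather than the final word.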


Now let's say the fort just got a new batch of soldiers who have been trained using some new technique and have more up-to-date information on who the bad guys are. Alternatively, let's say you just started occupying the fort and your soldiers have more up-to-date information than the people who were guarding the fort before (i.e. nobody). Are you going to let that more up-to-date knowledge go to waste? No, of course not. You're going to have those soldiers go through each and every room of that fort looking for people they know are bad guys.

On your computer, whenever you get a newer version of your scanner (or a signature update), or whenever trouble has sneaked past your possibly lax defenses, you should scan your entire system for known viruses. This should be done with the DOS version of the scanner run from a floppy disk (or disks if necessary) after performing a verified clean boot from a known clean, bootable, write-protected floppy disk, so that an active virus can't hide from the scan or tamper with it.


Once a bad guy has done damage to your fort and you've dealt with him you have to deal with the damage that he caused. You're probably going to have soldiers, and technicians if necessary, going in to the damaged rooms, cleaning up the mess, fixing what's been broken as best they can and replacing that which can't be fixed. The idea is to get the fort back to the way it was before the attack when everything was operating smoothly.

The same goes for your computer. Once a virus has started infecting files you have to disinfect the infected files and replace the corrupted data. But if you have backups (which are relatively easy to make) then replacing things is cheap and easy, and restoring a clean backup does as good a job as disinfection, if not better (disinfection can only remove the virus; it can't always return the file to exactly what it was), so why not replace infected files with clean backups too, if you can? Just make sure the backup really is clean by scanning it first, since a backup taken after the infection began may contain the virus as well. The idea is, again, to get your system back to the way it was before the virus outbreak, when everything was running smoothly.


To sum up: scanners detect known viruses, both when filtering incoming software and when you think your system is infected. Background (on-access) scanners help in case filtering wasn't complete or a known virus was obscured at the filtering stage. Full integrity checking detects changes (viral or otherwise) to help you identify when and where you have a potential viral problem. Generic system monitoring with directed integrity checkers applies change detection to critical areas frequently without the high computational cost of a full integrity check, which in turn lets the full check be performed less often without a great loss of security. And finally, well-maintained backups allow the system to be restored to its exact pre-infection condition whether or not the virus is disinfectable.



last modified june 8 2000 : this page hand crafted by kurt wismer