University IT Departments and Viruses?
"[It should be noted that] the Norton server allows you to view the entire directory structure of someone's machine and allows you to see the files it is scanning as if it were your own machine. We realize this was designed more for companies and businesses, but we have found that viruses have become a major problem and give us a huge headache when we try to support all the students connected to the university network.
My question is what do other university IT departments do in response to the increase in viruses over the past 2 years. I know there are a lot of university IT employees in the Slashdot community and I look forward to getting some feedback as to how they go about doing this without causing too many privacy problems. The way we are looking at it, and we are very privacy concerned and wouldn't do anything malicious with it, is that the students are using our network under our regulations and as long as we don't use the software to 'check up on' the contents of someone's hard drive (except obviously for viruses), then what we are doing is completely legit.
Any feedback would be greatly appreciated."
A guy goes to the doctor complaining of eye pain. "Doctor, it hurts when I stick my finger in my eye like this...Ouch!" The doc says "Ah hah! I see the problem. Don't stick your finger in your eye." "I'm cured!" says the patient. He heads home feeling much better. The very next day while sitting at his computer the patient, once again, (sigh) sticks his finger in his eye. "Ouch!" A guy goes to the doctor complaining of eye.....
I work with the mail systems for a major ISP, and 6 months ago I installed TrendMicro's VirusWall for our Business System. I have two Compaq DL 360's running RedHat 6.2 scanning inbound and outbound emails for our largest customer, 20,000 mail accounts. And I must say it works great! Anna was stopped dead in its tracks -- which is more than I can say for our Corporate servers, which they had to shut down. To date, I haven't had any problems and/or issues. And I don't have any maintenance concerns at all (stopping and starting services, checking memory, high loads, and the oh so critical updating of virus patterns, etc.). Trend has solutions for Web, FTP, and Sendmail. You might want to look into it. It's one system I'm happy to SA for.
If you are concerned about platform support, or the users turning off their software; scan before the data gets to their desktop.
I wouldn't recommend Norton for this though; Norton was designed for the desktop and their server products are "lacking" compared to competitors. The two I've had the best experience with are Trend Micro's Interscan Virus Wall or Aladdin's eSafe. My personal preference is for Aladdin's eSafe (as long as you don't tie it into Checkpoint's firewall ;-) if you do that use Trend).
From what I've seen Aladdin's product holds up best under high stress using the same hardware; they don't have to operate as a proxy like Trend. Both of these companies started at the gateway, so their desktop product generally sucks compared to Norton.
Trend's desktop is the usual anti-virus scanning program; Aladdin's is a personal firewall and content checking program (uses SurfCONTROL for the URL list).
If you have any questions about the two drop me a line at "wpierce at athenasecurity dot com".
Wayne
--
Each machine, may it be Mac, NT, or Sun, on boot connects up either with an AFS server (NT/Sun) or AppleTalk server, and pulls a Makefile (the process is similar on the Macs). The Makefile is checked/run and files are replaced as need be. This includes McAfee Virus Shield patterns!!!
--
WolfSkunks for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.keenspace.com";
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
Our company filters emails on content and doesn't allow any HTML type messages that look like they contain scripting.
It's kind of annoying, though. I subscribe to a number of development email lists and a large portion of the content is whacked by the anti-virus software.
I basically have to get around it by using a different mail account like hotmail.com.
Since everyone seems to be beating the dead horse of installing software on student boxes, I figured I'd interject some real-life experience with NAV Corporate.
Ah, good ol' NAV Corporate. I just rolled out a hundred user license of that thing at my employer, only had three hiccups so far which are solved by an update. Unfortunately two of those three have fscked up their systems so badly not only will the update fail but the old version won't uninstall. That's right Bill, keep blathering about .NET and features people don't need/want, never focus on fixing bugs that are already there.
One thing to remember is that the product isn't a modified version of Symantec's NAV codebase, it's really Intel's LANDesk virus protection software. Intel sold it a while back to Symantec, and they modified it and released it as their own. Sounds like a bastard child but with 7.5 it's pretty close to NAV in terms of problems/solutions. Registry keys are still listed as Intel LANDesk, heh.
Highs are the virus definitions coming to a central server and getting pushed out to secondary servers and all clients automatically, usually within minutes of the update being downloaded. AND without the users' ability to cancel the update.
Lows are program updates. First, LiveUpdate doesn't grab program updates, not on the central server, and not on the client boxes. This means you have to call Symantec for updates, which while free for one person does take time (sitting on hold for 1hr). Second, there doesn't appear to be a LiveUpdate-ish method for rolling out program updates. Granted you can use login scripts, etc. for rolling them out but that, to some extent, involves user interaction. When some users reboot several times each week in a vain attempt to avoid the weekly administrative scan ("But I want to use MY system!" It's not your system, it's the company's system, and if you didn't think a coworker loved you that mess a few months ago might've been avoided. Go have some more coffee, it only takes 15 minutes, if you left it alone it'd be DONE by now), even though reboots just start the process over, keeping them out of the picture is a good thing.
Client support is limited to 9x/NT/2000, with NT/2000/Netware support for servers. A Mac client is in the box with 7.5.1 but it won't talk to the central server so it's back to the end-user conundrum of the software asking to run LiveUpdate and the user declining to run LiveUpdate ("I just ran that there update three weeks ago! I don't need none of them updates for a while!").
I wouldn't hold your breath for any un*x tie-ins. Then again, my experience with colleges has been that un*x has a small foothold outside of the CIS & technical arenas (at the very least I've met few fresh-from-college marketing/management/legal/etc majors with any lasting un*x experiences)
Moof!
Just remove Outlook from all the machines. That's what will happen soon at my university.
Not a 100% cure but it will eliminate most of the worms going around.
-- Ed Avis ed@membled.com
It's not possible to force people unless you compel them to install something like NAV and then locking it down with scheduled run they are powerless to control. Barring that you should be concerned with blocking the propagation of the malware. Put in mailscanning and mailblocking gateways assuming you support the same mail systems they support. And then put ingress/egress filters on your switches and routers to prevent unknown crud from flowing through whatever ports it wants. Disable the obvious like tftp, r* commands, limit the use of X, limit the use to nfs, udp traffic generally and stamp out fake dns servers. But of course none of this is entirely possible either.
I'm not crazy about viruses spread via Outlook and the rest of MS office either, but between desktop antivirus software with forced updates and antivirus software on the mail servers and, heck, the school's net gateways would trap damn near everything. The little that makes it in via, say, encrypted e-mail on CompSci students' machines, wouldn't get too far as long as students and staff didn't tamper with their desktops' software.
As for "cross-platform", what's missing? The antivirus scanners on the net gateways would trap any worms targeting your Linux box, as long as you aren't receiving it via an encrypted protocol. Windows antivirus software--especially the server stuff--carries pattern files covering not just the zillions of Windows viruses and such, but also the far fewer Mac ones and the dozen or so Unix/Linux ones. And the two targeting PalmOS.
If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. Do transfers with floppies and Zip disks. It's not your network, and you have no "rights" with regard to it.
One of the most overhyped issues of IT today is virii. I have downloaded countless programs from the internet and only once had a virus install.
Until we installed a virus checker at my old workplace, we were inundated with macroviruses in Word documents - many of them from our clients (large, hopefully professional companies who shall remain nameless).
We were lucky. All these tended to corrupt were new documents we were writing. This person may not be so lucky.
Also, we all know that half of the students will be installing their own entertainment applications. It's not beyond reason to think that one may pick up a bug. Heck, if it's anything like my undergrad days, the students will already be storing pirated games in secret locations, possibly with the help of moles in the sysadmin office.
Word macro viruses would be my main worry, though. These are _endemic_ to all Windows environments I've run across that exchange documents with the outside world.
I'm assuming that your first priority is protecting machines administered by the university. Students' personal machines are probably beyond the coverage of university site licenses, and 90% or more of the students will either ignore administrative requests, or spend 5 minutes trying to figure out how to follow them and then give up.
For the Windows network, my best suggestion would be a combination of virus scanning and regular, automated reinstall.
Put virus scanners on all of the machines, as part of their standard installation. If it's Nav, tell it to check incoming file attachments and documents - this is very, very helpful (my old workplace had a problem with macro viruses). You can probably get away with telling it to scan only local drives.
Put another virus scanner on a machine with direct access to all directories on the fileserver. It'll do your sweep of the network drives. You can either create a special NT profile for it that gives it access to all drives, or (failing that) you can run it on the fileserver itself at 4am Sunday morning (not Monday morning, because students will pull all-nighters on Sunday to finish projects due on Monday - I've TAd courses where they regularly did this).
Next, set up the user machines with one of the third-party bootstraps that compares all system files to copies on the network server, removes anything that shouldn't be there, and fixes anything that's changed. This is the only way I know of to really bulletproof Windows, and as far as I can tell, it does work. The version installed on the PCs at my university also wiped the local drives and did a full reinstall weekly. Either tell the users to power off the PCs at the end of the day, or send an admin around to do it at the end of every week.
Needless to say, you should enable boot virus protection in the BIOS. While you're there, you should also force booting from the hard drive first and then password the BIOS, to prevent student shenanigans. This is standard practice at most shared PC installations I've seen.
Re. Macs, you're on your own. This is outside of my experience.
Re. Linux, *BSD, Solaris, etc, you probably don't have much to worry about to the first order. The vast majority of viruses run under Windows. Anything malignant in the user's files should be caught by the sweep of the fileserver. I don't really see what could go wrong in an environment like this, given that the user doesn't have root access.
To make *sure* the user doesn't have root access, set the machine to boot off of the hard drive first and lock down the BIOS, for any *nix-on-PC machines. If you're paranoid, set up a cron job to refresh the machine's configuration from a CVS server nightly or weekly, just in case something goes strange or is tampered with.
If you're really feeling paranoid about *nix terminals, make them all netboot off of the file server, with the local hard drive just being swap space. Keep a close eye on the server's configuration, and you should be fine.
In summary, with a bit of planning, you should be fine under most conditions. Virus-hardening merges naturally with hardening against bit-rot and active attacks by the users.
This is true at VCU (Virginia Commonwealth University) as well -- basically a site license that can be used on any system, be it university or personal student/employee.
Unfortunately, you have to know it's there, which many people don't. And it has to be set up properly to auto-scan, and of course with IMAP the email scanning doesn't work...
---------------------------------------------
Recursive: Adj. See Recursive.
Er... why are you asking Slashdot rather than some, er, University IT Departments?
Here at Oxford, things are very decentralised. We have a crack team at the Computing Services (and our own version of CERT, OxCERT) who put emergency blocks on incoming mail if an email virus is doing the rounds (e.g. Kournikova) and manage the firewall between us and JANET, where some well-known and dangerous ports are firewalled out.
However, although we may have a site license for something (Sophos, I think) no-one's forced to use it. People are responsible for their own machines.
Why not just have a policy: "if your machine gets trashed by a virus and you didn't have this installed, we won't help you fix it." but not make it compulsory?
Gerv
Scanmail for Exchange or whatever else it is you people use for uni email (I like the other 70-odd percent of corporate america use MS exchange, and it does its job relatively well.) If you use something else like basic sendmail/smtp stuff they have products for those as well.
Trend Micro's desktop scanning software, no client required; you can either have it scan fileshares (ala NT c$ etc) or have the end user do it from a web page that starts a little java app and scans.
There's other stuff out there but honestly speaking, trend micro's stuff is pretty nice. I had a few probs with scanmail to start but got it sorted and it's worked great (ILOVEYOU and other VBS email stuff dropped dead.) We used to use norton AV (corporate edition) but that is just a complete piece of crap. I dumped it entirely and moved to the (cheaper) trend micro stuff once I scored a demo copy.
In terms of handling multi-OS'es, and yadda yadda yadda... that's why students have to meet a code of conduct and follow the rules. make one of those be that they have to comply with virus updates or scanning, or not have network access to the uni's network. Or, if you don't feel like being so heavy handed, you could offer supported AV platforms for different architectures and then support installing and updating them- say, emailing SARC updates instead of pushing them down, or whatever. I suppose that would depend on how fascist you want to be- I personally would lock down all computers that the uni owns, but personal machines would just have to meet the criteria that is set out in the usage policy (properly updated AV software that, if you want, we'll help you to install and keep updated.)
Anyhow, you need to take some hard steps at first to keep it in check, and then that makes it easier later.... good luck!
EOM
Good idea. Few problems (NB I'm not slaggin the whole thing, just picking a few nits)
First, I wouldn't put it past the average university to blame students even if the latest update of the officially proscribed anti-viral software is installed and properly running.
Second, damage deposits are usually the property of the person who makes the deposit. So is the interest.
Despite the obvious signing of waivers, other students could claim that the university is responsible for their computers' safety should various protections be required.
Faculty will never agree to anything that may endanger their funding. No way, no how. University IT dept's are the faculties' collective 'beeyatch'.
Scan my ports, I DoS you. Deal with it. (I don't, but someone would.)
A few things to answer, but not a bad idea.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
I imagine that the University would take care of the Red Hat machines in much the way they would take care of the Mac OS machines: Not on My Network!
Jesus was all right but his disciples were thick and ordinary. -John Lennon
For university networks, the biggest problem are obviously pesky email viruses. The best solution I've seen is to have the university mail servers filter out all executable or .vbs email attachments.
Norton antivirus is a perk, but I don't think it should be required on everyone's system. (For obvious reasons.)
-Gwizdak.
--
It's trivial to filter for viruses embedded in other formats. All you have to do is process the message in stages. That's what I'm doing right now with a tool that scans NNTP feeds for "hijack" scripts. The walking dead might be using %nn encoding of HTML within uuencoded blocks, but my software peels the layers of the onion and still pulls out their "
As for the inconvenience and extra work, that is not what happens in practice. A standard notice that an attached executable (or HTML containing scripts or whatever) has been deleted suffices. Alternately, some products put the attachments into a "holding area" which requires explicit actions to retrieve, but I don't think they're actually used that much in practice.
I have a very hard time imagining even one user in 1000 preferring to lose internet connectivity once a month or so, as the University struggles with a viral infection, to being forced to use FTP or a different encoding to receive that rare legitimate executable image.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Let's see...
1) Viruses can consume significant network resources as they propagate from machine to machine. Since students will usually have professors and other students high in their address book, you'll have combinatorial explosion. Alice infects Bob. Bob infects Carl. Carl tries to infect Alice. Carl infects Diane. Diane tries to infect Alice.
2) Viruses often contain DDoS code. The university, being responsible netizens, will block the forged IP packets... but a large number of infected systems can still generate enough traffic to take down its network.
3) Viruses often contain code to implement packet sniffing. Universities are notorious for old coo... esteemed professors who don't understand that security issues affect them as well. An infected system may allow access to systems essential to ongoing research.
None of this should be viewed as a concession that the university has the right to inspect the student's computer "at will." It does, however, have a legitimate interest in taking reasonable efforts to ensure that these systems remain uninfected.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
"If you don't want your school invading, uh, your "privacy", then don't use your equipment on their network. ... It's not your network, and you have no "rights" with regard to it."
In the US, there's this little thing known as the ECPA. You *do* have rights, some hefty ones, online. The only reason employers can monitor employees' (work) email is because it's legally addressed to the company but delivered to the person who is acting on behalf of the company. That argument might work with university employees, but not students.
To answer the obvious question, the ECPA allows filtering for technical reasons, if it's something that can be done without exposing the content of the mail to any person. The classic example is rejecting mail that's larger than some acceptable limit, or in an unsupported format. Automatically identifying and stripping blocks of executable code would seem to fall in the same category. Forwarding messages containing "prohibited words" to a human censor is not.
(IANAL, but this has been the law for many years.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
At the university I work at, we use Command AntiVirus for the entire campus. We chose this over Norton's offering mostly for cost reasons (It has basically the same level of protection, but is pretty cheap). We have a site/blanket license where any computer on campus can have the software installed. It was very easy to configure the software to automatically download virus definition updates from our local Linux box rather than from Command, and automate the server to download the updates from Command every week (Our outgoing pipe isn't fat enough to support five thousand software updates every day). We started doing this about two years ago when we got an unexpected rash of Chernobyl infections and spent a week replacing motherboards, and we haven't had any problems at all with the setup.
I am all for sane policies in keeping viruses off of campus networks, but scanning directories for infected files is no longer sufficient in catching viruses, especially solutions that are known for their lack of cross platform support, and certain privacy issues as well.
Why is it the job of the University to ensure student machines are virus free? I completely understand using something like this for Department machines, Computer Labs, etc, but a machine in a dorm room is not the property of the school and should not be treated as such. Viruses are part of the computer experience and students should take charge themselves.
TrendMicro has a product that is an email gateway as well as an http proxy type thing and an ftp proxy type thing. These could help you keep the students from getting any viruses by making all students go through these gateways.
Actually the school I attend does this on windows 9x machines fairly well. They use norton ghost, which can make a disk image from one computer, and then the program can "ghost" all (or selected) computers on the network, which basically just loads the disk image onto them. It's a pretty effective solution.
Seeing as how most colleges now mandate that all incoming freshmen must have a computer, the most sensible thing to do would be to mandate a computer security principles course in the first semester. Topics covered should include viruses and how they spread, E-mail hoaxes, physical security and protecting university assets, and miscellaneous other. It would have helped a lot even back when I was in college and the big security breach was the VM Christmas Card program.
You shouldn't stop with education either. Plan on having your lab systems hit because they will be, and have a good backup policy in place. Set them up so you can just ghost or DD a hard drive image off the network. Have your E-Mail servers eat attachments that come from outside campus. Have your servers run in an environment of paranoia. Keep logs on a write-only file system (An old line printer is often enough.) Make security a policy rather than an end-goal and your systems will remain secure enough while also remaining usable.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Another vital part of Safe Hex is education. Now I know this is a controversial subject among a lot of people (They should learn to do it on their own! They deserve to get a virus if they're doing immoral things like downloading warez or live goat porn!) but if you actually EDUCATE people about what's safe and what's not, you'll see a massive drop in the number of HTDs (Hexadecimally Transmitted Diseases) on your campus.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Kaspersky antivirus (http://www.avp.ru) has unix versions. I'm running one under BSDI 4.0.1 and it works ok, catching everything so far. It works with sendmail, so viruses do not even go into mailbox and cron job fetches daily updates.
Now I wish I was permitted to remove all floppy drives across the company...
What I do, is keep norton on all my (windows) machines -- it has a pop3 mail scanner (that always ends up fucking up, but it's better than getting a virus).
Second, Perform weekly scans of machines and nightly scans of home directories ( through a smb share ).
Third, Procmail is your friend. I'll admit I haven't done it yet, but (when I get a free moment) I plan to write a procmail script to delete vbs attachments (*.vbs) and rename exes etc to *.e_xe in users' mail ... there's no reason on earth anyone needs to send anyone a vbs attachment -- and by renaming all executables, people must explicitly choose to rename the file to be able to run it.
Lastly, you must educate your users ... Tell em, don't open mail from people you don't know, don't run EXE's you didn't compile or I didn't install :) There's some idiots who think they know stuff who will never follow your directions, but mostly, people will.
These steps will keep you from getting 99.9% of viruses ... now you have to figure out how to keep your users from installing that f***ing comet cursor :)
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
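The attachment policy proposed in the comment above (delete *.vbs, rename executables to *.e_xe), combined with the "standard notice" handling and stage-by-stage processing described in an earlier comment, as a filter that a delivery rule could pipe each message through. This is an added example, not code from any poster: it is Python rather than a procmail recipe, and the extension lists beyond .vbs/.exe, the notice wording and the sample message are assumptions. It peels nested MIME (forwarded messages) only, not uuencoded or %nn-encoded bodies.

```python
import email
from email import policy
from email.message import EmailMessage

# Policy from the comments: scripts are deleted, executables are renamed.
DROP_EXT = {".vbs"}
# Only .exe -> .e_xe is named in the thread; the other two are assumptions.
RENAME_EXT = {".exe": ".e_xe", ".scr": ".s_cr", ".pif": ".p_if"}
NOTICE = "The attachment '{name}' was removed by the mail filter.\n"


def split_name(filename):
    """Return (clean, stem, ext) for the name as Windows would treat it.

    Trailing dots and spaces are dropped because Windows ignores them, and
    only the LAST extension counts, so 'photo.jpg.vbs' is a .vbs file.
    """
    clean = filename.strip().rstrip(". ")
    stem, dot, ext = clean.rpartition(".")
    if not dot:
        return clean, clean, ""
    return clean, stem, "." + ext.lower()


def sanitize(raw):
    """Apply the policy to one raw message; return (new_raw, actions)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions = []
    # walk() descends into multipart containers and message/rfc822 parts,
    # so an attachment inside a forwarded message is checked as well.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        clean, stem, ext = split_name(name)
        if ext in DROP_EXT:
            # Replace the part in place with a plain-text notice.
            safe = "".join(c for c in clean if c.isprintable())
            part.clear_content()
            part.set_content(NOTICE.format(name=safe))
            actions.append(("deleted", clean))
        elif ext in RENAME_EXT:
            new_name = stem + RENAME_EXT[ext]
            part.set_param("filename", new_name,
                           header="Content-Disposition", replace=True)
            # Some clients read the name from Content-Type instead.
            if part.get_param("name") is not None:
                part.set_param("name", new_name, replace=True)
            actions.append(("renamed", new_name))
    return msg.as_bytes(), actions


def attachment_names(raw):
    """List the filenames of all leaf parts, including nested ones."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def build_sample():
    """Constructed test message: a PDF, an .exe, and a forwarded mail
    carrying a double-extension .vbs file. All content is made up."""
    inner = EmailMessage()
    inner["Subject"] = "fwd: funny picture"
    inner.set_content("see attached")
    inner.add_attachment(b"constructed script body", maintype="application",
                         subtype="octet-stream", filename="photo.jpg.vbs")
    outer = EmailMessage()
    outer["From"] = "sender@example.org"
    outer["To"] = "student@example.edu"
    outer["Subject"] = "files"
    outer.set_content("Report and installer attached.")
    outer.add_attachment(b"constructed pdf bytes", maintype="application",
                         subtype="pdf", filename="report.pdf")
    outer.add_attachment(b"constructed exe bytes", maintype="application",
                         subtype="octet-stream", filename="Setup.EXE.")
    outer.add_attachment(inner)  # becomes a message/rfc822 part
    return outer.as_bytes()


if __name__ == "__main__":
    cleaned, log = sanitize(build_sample())
    for action, name in log:
        print(action, name)
    print(attachment_names(cleaned))
```

The decision is made on the declared filename only, so this complements content scanning at the gateway rather than replacing it.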
This sounds like an ideal place to do what everyone here likes to complain about: Support Windows, and only Windows.
In other words, draw up a list of software (Windows 2000, Office 2000, Norton Antivirus, etc.) which constitutes the "standard university computer"; if you're running a "standard university computer", you'll get (limited) support with it. If you install something like Linux, FreeBSD, or Mach-running-under-VMware-under-OpenBSD, *you are assumed to be able to take care of yourself*.
Tarsnap: Online backups for the truly paranoid
Vintage computer games and RPG books available. Email me if you're interested.
The only thing worse than having no virus protection is having inadequate virus protection that gives users a false sense of security. Besides, if there's no updates, traffic will be minimal. :-)
I'd say every week at a minimum. Find out when your provider puts out their 'scheduled' releases (Trend, for example, is every Tuesday, IIRC) and do it then.
Vintage computer games and RPG books available. Email me if you're interested.
--
You nah, me nah. Screw you guys, I'm going home.
In a cross platform world about the only thing you can do to limit exposure is to provide students with a good non-Outlook mail client. That'll eliminate a lot of virus exposure. In terms of the software, the University of Michigan has licenses for McAfee on PC and Mac. The strategy they use with students and staff is education and encouragement. I dunno how well this works tho. Ironically, staff gets bitten by Outlook propagated virus more than the students do because the student accounts rely on pine over telnet for email access.
Yeah I'm sick of those programs that keep messing with my settings. Like linuxconf, ifconfig, ipchains, netconfig and vi. Does anyone have a virus scanner that can get rid of these damnable programs?
Enigma
Due to a fear of virii and 'hackers' (and the fact that this was a "trained-monkey" MS admin), there was to be no remote ftp access to the server - not even for professors! Basically, I had to build the Db and front end, then burn it onto a CD and walk it across campus to the Biology building, and hand it to the admin.
Of course, there were some small bugs to be squashed. At least he let me email him the fixes.
I'd rather have someone respond than be modded up.
Part of your message, software being able to ruin hardware got to me. I was thinking about the easiest hardware to screw up in a machine, and the DVD drive came to mind - changing the region. Anyone heard of a virus that changes your region to something useless, like 6 or 7, repeatedly, until it locks? How many people would be whining about DVDs not playing?
funny munging
Back in the day when I was in college (mainframes and dumb terminals), it was required for each student to fund a breakage account. The funds in the account would be refunded to the student upon graduation (transfer, leaving, etc.) MINUS any damages caused by the students (holes in the dorm room walls, broken windows, etc.) In other words, students were held financially accountable for their actions. In effect, there was something like self-insurance by each student for damages they might cause.
What if a similar approach were taken with student (and faculty) systems? (The following is off the top of my head and likely has some holes in it, but I would hope it would provide a starting point; add or adjust as you see fit.)
Ultimately, nothing is bulletproof, but make the protection readily and easily available, and impose penalties (sticks) on those who choose to not make use of them and provide benefits (carrots) for those who DO use the protection. Some viruses may get through, but the ones you DO catch are that much less to worry about.
Okay, now I'm going to step back and let the /.'ers blow holes in this. :)
It's nice to see the school do this as a "perk" for us, and to help everyone stop the spread of viruses.
antivirus.vt.edu
I'm not terribly up on my av solutions, but considering that 95+ percent of what's on a college student's machine is either a) from a trusted binary (os and 'productivity suite' binaries don't need virus scans) or b) downloaded unencrypted through the u.'s network, wouldn't you think there would be a server-side solution that scans any files being downloaded through it, and which the university could install on a large server (cluster) essentially right before the raw-net connection hits the university network? It's not as good as client-side solutions, esp. with college students compiling downloaded source these days, but it's a helluvalot better than nothing, no? Or am I way off-base?
~
Considering that most school communications now rely on email and other electronic means, I think our department is doing an outstanding job. We have a help center too. A good friend of mine says the largest portion of issues they get is how to use MS productivity tools, although I'd bet they got quite a bit of calls when the IRC server (which USED to be connected to DALnet) got DDoS'd. If you really want to get people to fight virii, forcing them won't help. Just put out some Press Release type emails about how you want to help, and write up some guidelines, instructions on how to forward mail, etc. Rather than force people to use Norton and "sanctioned hardware", maybe get a site license and encourage people to download it. If your server allows it, write a tutorial on how to filter email, especially things that have .vbs or .exe attachments. Instead of telling people what not to do, help them do things on their own.
I Browse at +4 Flamebait
Open Source Sysadmin
Why are you hard pressed on making students run virus scanners? Most viri only hurt the local machine, and the rest can be solved with a good firewall and e-mail filtering.
;)
But you do not have a right to force students to use any anti virus products, and you also do not have a right to grant/deny network access on the basis of usage of such products.
It's good to want your network to have high uptimes, but, frankly, most network failures are due to failed routers. Also in many University networks there are frequent cable problems. When I was at OSU, it was every other day an intra-campus cable had failed. Now that they're using fiber, it's probably more severe. But seriously, viruses only cause harm in mass, and although an e-mail virus can quickly spread to every person in the school (and their parents, grandparents, etc.) via Outlook, if you have e-mail filters the above said is no problem.
You should by all means encourage students to run virus scanners, because most support requests are local problems. As to the capabilities of the scanners, most do little more than perform filename searches and occasionally search a bit of the file. Today's up-start global virus is usually polymorphic, embedding itself in rundll.exe or systray or constantly chuking itself up.
However, for catching things like Sub7, these scanners do work well. That being said, I have never used a commercial virus scanning product and have never had a virus. The only reason commercial virus products are so popular for their limited (null?) functionality is because of hype much associated with blaming something YOU did on an invisible gremlin 'virus' that 'must' be screwing things up.
But for the reckless who fancy accepting file transfers from haxor3llt in IRC, those who frequent warez sites, and those who infect themselves with sub7, they should by all means be forced to use any University-controlled virus software. Unfortunately, I've just described virtually all college students so it fits perfectly.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
Given that I have worked for a university that faced this very same issue, I know that this kind of power will lead to abuses. The problem this type of policy causes is that it results in an erosion of trust by faculty, students and staff and the actions they take in response to that loss. I have found most people get upset when they actually learned what was happening. Just wait until a dean or an already upset student finds out they are being watched and it actually processes in their minds. Even file names give away private information. If you have not seen it happen yet, then chances are they have not figured it out yet. One big lawsuit and you will have a whole new problem. Furthermore, I know for a fact that Norton's responses to its server can be faked; many people where I used to work did not want the very abusive IT staff to see anything on their hard drives. They started downloading various hacks for just this purpose not to mention several trojans. You may be creating a greater nightmare by having people willingly installing gateways for hackers. The university was in fact hacked this way when someone in the IT center let a keyboard monitoring trojan infect their computer that sent the root password for our servers to them. I left that job because these types of issues began to erode everyone's happiness. Do not go down that road. I would suggest that you mandate that in order to connect to the university's system that students must prove that they have a recent anti-virus program or that they use the university's system with a privacy warning. Since all modern anti-virus programs by default offer an Auto-Update feature that should help your problem. As for faculty and staff, I have found that telling them exactly what is happening, why it is necessary and doing it on the weekend worked fine. They took off anything they did not want looked at and the IT department got to do their scans.
Also, I found that asking them to bring me their license of anything special they wanted to have installed that was personal. This allowed them greater flexibility, gave me a proof of their ownership and more assurance it was legit software. Remember, trust is a lot more valuable than hardware or software and a good back-up policy protects information.