Changing Thoughts on Virus Protection For Show Machines
Saturday, July 31, 2010 at 08:31AM by John Huntington
In Chapter 4 of my book, on page 49, I advise people building computers for show applications to "Disable Automatic Virus Checking" in a section called "Ensuring Maximum Computer Reliability." I wrote:
If your network is off the internet, and your operators are following good practices, there should be no way for a virus to "infect" your machine in the first place. Virus checkers often operate in an automatic mode, and you really don't want them deciding that it's a good time to check out your hard disk while in the middle of the most demanding cue of the show. If you have cause for concern, run a virus checker manually between shows.
Well, that was long, long ago--2007. The world has changed, and so has my opinion on this issue. I now think that you have to either be exceptionally careful, or you should have virus checking software available on your show machines. What has changed? The widespread usage of the USB flash or "thumb" drive.
I personally never had a virus on any of my many computers from 1986 through about 2009, when I got "trojan" malware via a USB "thumb drive" used by one of my students. Whatever cracked software or free porn sites our students go to are apparently full of these incredibly virulent, annoying and possibly damaging viruses and other types of malware (worms, etc). Below is a screen capture from a virus scan on a lab machine at school, which we let the students use for a class project for a few days with outdated virus definitions. The result? 31 infections in a very short period of time:
If you had stuck your own USB drive into this machine, you would have almost certainly gotten this virus, and I can tell you from personal experience that this can lead to losing access to the data on the drive. I've had to format a number of these drives, which, fortunately, I generally use only for transport and redundant backup. And I don't feel that bad that I didn't see this coming--in 2008 the defense department got hit by USB drive attacks so badly that they banned the use of all removable media. They partially lifted that ban this year, but that's something that could change again considering that removable media is reported to be the tool that Bradley Manning allegedly used to copy military secrets (see my Next Hope write up for more details on this complex situation).
Of course, if you can guarantee that you are the only person who ever touches your show machine, and you never need to get new media or cue files off another machine, then you can probably run without any virus protection software. But for everyone else, the reasons that I now recommend some sort of virus protection when using consumer operating systems for show purposes (of course, using dedicated "hardware" systems can alleviate this problem) are:
- A new threat has emerged in recent years.
- The amazing utility of USB drives (if properly used and managed) outweighs the risks of trojans and other malware.
- Computers now have a lot more available horsepower and can run with less interference with show software.
Issues that need further thought (feel free to comment below):
How to get the virus definitions updated?
To keep virus definitions up to date, you need (typically) to connect your machine to the internet, or manually download and install the virus definitions file (a pain in the butt). Connecting to the internet is something I generally have recommended against for show machines unless absolutely necessary (see page 50 of my book). But the issues involved in connecting to the internet (firewalls, routers, etc) are something we're going to have to address anyway as we move forward with modern protocols like ACN, so we might as well start addressing them now. (My current favorite way to do this is to have two physical Ethernet adapters in the machine, one on your closed, private show network, and one on the internet.)
Will the virus checker interfere with your show software?
The best thing to do, of course, is consult your software vendor about this issue, and (as always) test, test and retest. My current recommended strategy on this is to run the virus checking software in automatic mode during tech rehearsals and the cuing period. And then, when you shift over to show running mode, disconnect the machine from the internet (best to just literally unplug the machine) and then switch the virus protection to manual mode. And then I'd probably tape over the USB ports on the machine, or use something like L-Com USB Protective Port Covers. I wish they would make these in bright orange with a little tether (like you see on the maintenance ports on an airplane). Or if you're in an environment with students or something and have a really important machine, you could use these Kensington USB physical port locks:
(If anyone has experience with these locks, please post a comment.)
In any case, it's a brave new world, with lots of exciting aspects, good and bad. Let's be careful out there!
John Huntington
I came across this post on Breaking Murphy's Law that also addresses this issue; the symptoms they describe (drive turning into a folder and becoming inaccessible) are exactly what I've seen.
John Huntington
Be sure and read the comments on this post--they contain a couple good suggestions by industry experts.
John Huntington
On the Show Control Mailing List, Kevin Gross posted an excellent point regarding this issue:
What is your opinion about software/OS patches? You generally need to
connect to the internet to get those and an internet connection brings in a
whole other set of risks. How do you figure the risks associated with not
patching compare to the risks associated with an internet connection and
running without virus protection?
This is an excellent question and one for which I guess I no longer have a clear answer. My general approach to updates has been to update the system before the tech process starts, and then don't update again until after the show run is over. It seems to me that once something's stable, you want to leave it alone. I guess that's going to continue to be my strategy for the short run, since I would still disconnect any system I can from the internet in general. But for the future, who knows... Thoughts? Please post a comment here!
John Huntington
This post inspired a very interesting discussion on the Show Control Mailing List, which included Scott George of Autograph Sound in the UK, who details a very interesting approach they use on their show machines: running Windows XP Embedded. You can see the whole thread here.





Reader Comments (2)
At Scharff Weisberg we are now sending out Mac Powerbook machines with most media server systems, where client files are likely to be added during show programming. All storage media is scanned on the Powerbook using anti-virus software before putting any files on the media server network. We have seen infected USB thumbs and removable disk drives on show site and it is a real issue.
Good virus software is fairly configurable as to what it scans and when.
Disruptive actions which you should be able to turn off at critical times include:
- automated scanning of executables before they are opened - this includes lots of file types which you may not think of as executables like zips and jpegs which can suddenly take ages to open.
- background system scans which mean a potentially CPU hungry process may suddenly decide to examine a large nested zip file at a critical moment.
- "heuristic" algorithms which do not scan files but look for activity which might be viral - certain registry changes, changes to executable files, activity in system folders etc.
Auto-scanning new volumes when mounted and newly downloaded files is much more predictable and should also not usually be happening during a show so you may choose to leave it on. However, beware if you need to do a panic restore from a USB stick during a show!
A systematic full system scan is powerful but time consuming and should certainly be a middle of the night job - or perhaps after disconnecting from the outside world an hour or two before the show - but be aware that legitimate removable volumes need to be mounted and scanned too.
Also look at the details of how infections work - if you keep your OS updated with security patches, true viruses are less common than trojans and similar malware which needs some sort of careless or misguided action on the part of the user.
And turn off all auto-run features of the OS - having your system auto-run potentially unknown code off CDs and other removable media as soon as they are inserted is pretty obviously undesirable. So are "simple networking" and some other brain damaged "features" which are configured on by default and take quite a lot of digging to find and turn off.
Which all points to the fact that the modern theatre needs true IT and networking experts more and more and that simply being able to solder and troubleshoot DMX or MIDI installations is yesterday's expertise.
Note this is a cross post of a response I sent to the Show Control mailing list. Philip
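The two comments above recommend vetting removable media on a separate machine before it reaches the show network, and never letting the OS auto-run it. As an added example (not code from the post or its commenters), this Python pass over a mounted volume reports what an autorun.inf would launch and flags launchable files that are disguised or sitting in the volume root. The extension lists and reason strings are assumptions of this example, and it supplements an anti-virus scan rather than replacing one.

```python
import os
from pathlib import Path

# Constructed shortlists for this example; extend them for your own site.
LAUNCH_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}
MEDIA_EXTS = {".jpg", ".png", ".pdf", ".mov", ".mp3", ".wav", ".txt"}


def autorun_targets(inf_path):
    """Return the commands an autorun.inf asks Windows to launch."""
    targets, in_section = [], False
    # latin-1 decodes any byte sequence, so junk-padded files still parse.
    for raw in Path(inf_path).read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                targets.append(value)
    return targets


def triage_volume(root):
    """Walk a mounted volume; return sorted (relative path, reason) findings."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        here, folders = Path(dirpath), {d.lower() for d in dirnames}
        for name in filenames:
            path = here / name
            rel = path.relative_to(root).as_posix()
            suffixes = [s.lower() for s in path.suffixes]
            if name.lower() == "autorun.inf":
                cmds = ", ".join(autorun_targets(path)) or "nothing"
                findings.append((rel, "autorun.inf launches: " + cmds))
            elif suffixes and suffixes[-1] in LAUNCH_EXTS:
                if len(suffixes) > 1 and suffixes[-2] in MEDIA_EXTS:
                    findings.append((rel, "double extension hides a launchable file"))
                elif path.stem.lower() in folders:
                    findings.append((rel, "launchable file named after a sibling folder"))
                elif here == root:
                    findings.append((rel, "launchable file in volume root"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, reason in triage_volume(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Run it on the scanning station with the drive's mount point as the only argument; an empty result means none of these specific checks fired, not that the media is clean.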