RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/20/05

    Date: Tue, 19 Jul 2005 16:43:58 -0700 (PDT)
    To: Brady McClenon <BMcClenon@uamail.albany.edu>, focus-ms@securityfocus.com
    
    

    Brady,

    > What are "known good pages"?

    Perhaps another way of saying it is "web pages that
    are supposed to be there."

    > Heck, you may not even be the only admin!

    Sounds like more of a procedural issue, not one that
    is going to be solved by installing another
    software package.

    > I had to jointly administer
    > one once with another guy and I didn't even trust
    > him!

    And what good is A/V software going to do when the
    other admin can log in and disable it?

    > Even if you are
    > the only one, there's no harm in protecting yourself.

    From? What threat are you protecting yourself from?
     
    > Look at it like
    > this, the Tour de France has the best cyclists in
    > the world, surely they
    > know the proper way to ride a bike, but yet they all
    > wear helmets. Why?
    > Because no one is infallible. If you think you
    > are... Well, ignorance is bliss I guess.

    Okay, so you're resorting to cheap shots now? Wow,
    and here I was thinking that we could discuss this
    like fellow professionals. Sorry to waste your time.

    > The Code Red example is good, but just because AV
    > wouldn't have helped
    > in one case, doesn't mean it wouldn't in another.

    It was just one example...

    > I saw it save someone
    > from a SQLSpida worm infection.

    Oh, good. Maybe you can explain, then, why the
    attacked machine had the ports exposed to the
    Internet, and a blank 'sa' password. According to the
    write-up at the F-Secure site
    (http://www.f-secure.com/v-descs/sqlspida.shtml), this
    worm infected systems with a blank 'sa' account.

    > They patched, but apparently not
    > properly, or applied patches out of order down the
    > road, or who knows,
    > so they were still vulnerable. Worm got dropped in
    > through the exploit,

    Exploit? Here's another site that explains the
    "exploit":
    http://www.securiteam.com/windowsntfocus/5WP0N0K75U.html

    > but the AV grabbed the file with the payload the
    > second it hit the
    > drive. Sure, you could blame it on the sys admin.
    > but we all make
    > mistakes so it could happen to anyone.

    That's a pretty big mistake.

    > Now I pose a question. If "servers need to be
    > patched, firewalled,
    > isolated, and locked down. Additionally, code
    > should be audited for
    > vulnerability to XSS and SQL injection." is "all
    > part of good
    > administration." Then why isn't an AV client? None
    > are infallible and
    > make your web server impervious to compromise, they
    > only minimize risk.
    > They're just a layered defense. Why balk at another
    > layer?

    So b/c an admin doesn't have the time and/or skills to
    properly administer a web server and ensure that the
    content itself doesn't expose it, you're going to
    install an anti-virus application? Sounds like a
    band-aid approach, one that won't serve you in good
    stead when a bit of malcode that the client doesn't
    have a signature for hits the system.

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
