RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Matthew Farrenkopf (farrenkm_at_ohsu.edu)
Date: 07/20/05
- Previous message: S_Dorn/CIB_at_BANKCIB.COM: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Maybe in reply to: Sarbjit Singh Gill: "Should webservers, eg. IIS 6 have anti--virus installed on them?"
- Next in thread: Brady McClenon: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
Date: Wed, 20 Jul 2005 09:38:37 -0700
To: focus-ms@securityfocus.com, keydet89@yahoo.com
>>> "Harlan Carvey" <keydet89@yahoo.com> 07/19/05 8:11 AM >>>
>So far, this has been an interesting discussion,
>but beneath it all, I'm seeing what I think is a
>disturbing trend.
>> Antivirus needs to be part of the overall security
>> plan for all Windows machines - it's just part of
>> the cost of doing business - the cost of the
>> software, maintenance, and CPU overhead.
>I'm seeing absolutist statements like the one above,
>and it bothers me.
>If a web server is just a web server, the content is
>served to the client, going outbound...not coming into
>the server. If the purpose of the system is to take
>known-good pages (from the owner) and make them
>available to the public (over ports 80 and 443), then
>what is the point of A/V software?
When this discussion began, I started thinking about if there were any scenarios where I would want to run a Windows server without AV software. After giving it much thought, I decided that I would not want a conventional server (providing a standard TCP/IP service), ever, without AV software.
There is no doubt there have been many security holes in Windows. Some of them have been remotely-exploitable without user intervention (RPC vulnerabilities, for example). Without AV software, I have no chance of catching anything that comes into my server through unexpected means. With AV software, the odds improve that I will find the virus or worm around the time it is trying to get in. The odds may not be 100%, especially for a 0-day. However, I have a slim chance that heuristics may catch it. I will take a slim chance over no chance.
There is one exception that I can think of, and that is if I am running a server that communicates with extremely specialized equipment and works over unusual (as a relative term) interfaces (i.e. not today's network interfaces using TCP/IP or other standard protocols). I remember a discussion some time back (might have been in Full Disclosure) about whether a virus could attack a Windows machine through a serial port. If the only connection I have to the outside world is through a serial port or parallel port, and I control the connection (for example, if I had a modem attached to said serial port that only made outgoing calls), I might consider not having AV software. It would also be more difficult to get automatic updates of the definitions onto said machine, so there would be a practicality issue.
And yes, there would still be ways to get a virus onto said machine, but such methods would require physical access and could be minimized through other mechanisms (turn off AutoPlay for CDs, for example).
Matt