RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Brady McClenon (BMcClenon_at_uamail.albany.edu)
Date: 07/20/05

    Date: Wed, 20 Jul 2005 13:59:33 -0400
    To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
    
    

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Wednesday, July 20, 2005 1:38 PM
    To: focus-ms@securityfocus.com
    Cc: jeff@shawgo.com; Brady McClenon
    Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on
    them?

    Brady,
     
    > As for the rest, it's obvious we disagree because the logic that we
    > don't know what the next threat may be holds with me, or that we could
    > have missed something when securing the server (again that
    > infallibility thing) holds with me.

    IMHO, it's not a matter of infallibility at all. What I am saying is
    that new threats won't necessarily be covered by A/V software. Also, if
    something was missed in the configuration of the web server, then
    there's a problem with the security process that needs to be fixed, and
    when the problem lies in the process, installing an additional software
    package is a poor band-aid, at best.

    [Brady] - I agree it's a security process that needs to be fixed, and
    one should remedy that, but still mistakes can happen, and I'd rather
    have AV there to save me and point out my mistake than be compromised.
    I also agree that new threats won't necessarily be covered by A/V
    software, but they won't necessarily be covered by any proactive
    measures you take. I wouldn't suggest discarding them all for that
    reason.

    > And correct that an A/V product without a definition for a virus is
    > useless, unless you use one like I do that has heuristic scanning
    > adding some level of protection.

    That's fine. How many alerts do you get on a
    daily/weekly/monthly basis from your A/V package,
    specifically the one installed on your web server?

    [Brady] - Define Alerts. That a virus was found? Can't remember one.
    Like to keep it that way too. If you mean any log entry, a few a week
    saying the definition files were updated.

    > Also, many AV vendors now have definitions for well-known "hacker
    > tools" (I hate the term, but can't think of a better one). Many worms
    > and script-kiddies use the vulnerability to drop in files that do the
    > real damage. Drop in an FTP server (reason for firewall), backdoor
    > (reason for firewall), keylogger, whatever, and execute as SYSTEM.

    If an attacker or worm is able to gain SYSTEM access
    to your system, no amount of A/V is going to help.
    Many worms are actively seeking out A/V processes and
    attempting to disable them.

    [Brady] - and some don't. That is a new hurdle for AV companies though,
    I admit. Does this suggest we shouldn't bother with AV on any computer?

    > If there was no patch for the vulnerability,
    > wouldn't it be nice for an AV product to grab those?

    Again, if the attacker (person, kiddie, worm,
    whatever) is executing as SYSTEM...what's the point?

    [Brady] because script-kiddies and worms only know what their code says.
    If it fails, it fails. A determined hacker, no it probably will only
    slow them down, true. I don't think that makes it pointless though.

    > And lastly if you state that AV or whatever is not needed if you
    > properly secure your systems, that is an attitude of infallibility,
    > and therefore I caution. You cannot guarantee security! You may not
    > need AV, but not for that reason.

    Okay, I'll bite...for what reason?

    [Brady] I don't know. I've yet to hear a good reason not to install an
    AV client. There may be one though.

    Harlan

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
