Should servers have anti-virus installed on them?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/20/05

    Date: Wed, 20 Jul 2005 10:55:18 -0700 (PDT)
    To: focus-ms@securityfocus.com
    
    

    Matthew,

    Great comments, thanks.

    > When this discussion began, I started thinking about
    > if there were any scenarios where I would want to
    > run a Windows server without AV software. After
    > giving it much thought, I decided that I would not
    > want a conventional server (providing a standard
    > TCP/IP service), ever, without AV software.

    Okay, since the discussion has moved specifically from
    _web servers_ to servers in general, I have taken the
    liberty of modifying the subject line accordingly, so
    as not to confuse the readers (and most especially,
    the moderator).

    > There is no doubt there have been many security
    > holes in Windows. Some of them have been
    > remotely-exploitable without user intervention (RPC
    > vulnerabilities, for example).

    With respect to web servers, if the system is running
    RPC/DCOM, then it is no longer *just* a web server.
    This is a point I've been making all along. If you
    install IIS 6.0 on a stock installation of Win2K3,
    without any modifications, then there exists a flaw in
    the security process, for which the installation of
    A/V software is a poor band-aid.

    WRT servers in general, I would have to wonder why
    these servers are being treated in isolation. Do
    companies (or any other organization) really put
    sensitive information on systems that are simply
    plugged into the Internet, with no surrounding
    infrastructure at all? If that's the case, then I say
    again, A/V software is a poor band-aid b/c something
    in the security process is broken. Such breakdowns
    cannot be resolved with the installation of software
    packages...the process itself must be fixed.

    > Without AV software,
    > I have no chance of catching anything that comes
    > into my server through unexpected means.

    If the means are unexpected, then how do they get
    caught? IMHO, part of the security process is to
    reduce the attack surface, limiting those resources
    that are exposed, and securing those that are.

    > With AV
    > software, the odds improve that I will find the
    > virus or worm around the time it is trying to get
    > in. The odds may not be 100%, especially for a
    > 0-day.

    Interesting. If the malware is not 0-day, is it then
    known? What's the timeframe? Are we talking about a
    scale of weeks or months? If that's the case, then it
    is known, and understood...perhaps not by the person
    who administers the machine, though.

    > However, I have a slim chance that
    > heuristics may catch it. I will take a slim chance
    > over no chance.

    And I choose to take an educated approach,
    understanding the purpose of the system, its
    exposures, and what I can do to protect it.

    Harlan

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------

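The attack-surface check Harlan argues for, as an added example that is not part of the original thread and not code from either poster: a PowerShell audit that lists every non-loopback TCP listener on a Windows host, maps each to its owning process and any services hosted in it, and flags anything outside the ports a dedicated IIS web server needs. It assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and an allow-list of TCP 80 and 443; both the cmdlet availability and the allow-list are assumptions, not something the post specifies.

```powershell
# Added example (not from the original post): audit listening TCP endpoints
# against the set a web server should expose. A box that also listens on
# 135 (RPC endpoint mapper), 445 (SMB) or 3389 (RDP) is, in Harlan's terms,
# no longer "just a web server".
# Assumptions: NetTCPIP module present; allow-list = HTTP and HTTPS only.
$Allowed = @(80, 443)

$loopback = @('127.0.0.1', '::1')

# Gather every socket in LISTEN state once; sort for readable output.
$listeners = Get-NetTCPConnection -State Listen | Sort-Object LocalPort, LocalAddress

$findings = foreach ($l in $listeners) {
    # Loopback-only listeners are not reachable from the network; skip them.
    if ($loopback -contains $l.LocalAddress) { continue }
    if ($Allowed -contains $l.LocalPort)     { continue }

    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue

    # svchost.exe tells you little; resolve the services hosted in that PID.
    $svcs = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -eq $l.OwningProcess } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        PID          = $l.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Services     = if ($svcs) { $svcs -join ',' } else { '' }
    }
}

if ($findings) {
    Write-Warning "Listeners outside the web-server allow-list ($($Allowed -join ', ')):"
    $findings | Format-Table -AutoSize
    # Non-zero exit so the check can gate a build or a scheduled compliance run.
    exit 1
} else {
    Write-Host "Only TCP $($Allowed -join ', ') are exposed on non-loopback addresses."
    exit 0
}
```

Run it in an elevated session so the PID-to-process mapping is complete for services running as SYSTEM. Each row it prints is a decision to make in the build process (disable the service, bind it to loopback, or firewall it), which is the point of the post: the fix is in the process, not in a scanner bolted on afterwards.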


