RE: Should webservers, eg. IIS 6 have anti-virus installed on them?
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/20/05
- Previous message: Harlan Carvey: "Should servers have anti-virus installed on them?"
- Maybe in reply to: Sarbjit Singh Gill: "Should webservers, eg. IIS 6 have anti-virus installed on them?"
- Next in thread: Gareth Humphries: "RE: Should webservers, eg. IIS 6 have anti-virus installed on them?"
Date: Wed, 20 Jul 2005 10:37:54 -0700 (PDT)
To: focus-ms@securityfocus.com
Brady,
> As for the rest, it's obvious we disagree because
> the logic that we
> don't know what the next threat may be holds with
> me, or that we could
> have missed something when securing the server
> (again that infallibility thing) holds with me.
IMHO, it's not a matter of infallibility at all. What
I am saying is that new threats won't necessarily be
covered by A/V software. Also, if something was
missed in the configuration of the web server, then
there's a problem with the security process that needs
to be fixed, and when the problem lies in the process,
installing an additional software package is a poor
band-aid, at best.
> And correct that an A/V product without a definition
> for a virus is
> useless, unless you use one like I do that has
> heuristic scanning adding some level of protection.
That's fine. How many alerts do you get on a
daily/weekly/monthly basis from your A/V package,
specifically the one installed on your web server?
> Also, many AV vendors now have definitions
> for well-known "hacker tools" (I hate the term, but
> can't think of a better
> one). Many worms and script-kiddies use the
> vulnerability to drop in
> files that do the real damage. Drop in an FTP
> server (reason for
> firewall), backdoor (reason for firewall),
> keylogger, whatever, and execute as SYSTEM.
If an attacker or worm is able to gain SYSTEM access
to your system, no amount of A/V is going to help.
Many worms are actively seeking out A/V processes and
attempting to disable them.
> If there was no patch for the vulnerability,
> wouldn't it be nice for an AV product to grab those?
Again, if the attacker (person, kiddie, worm,
whatever) is executing as SYSTEM...what's the point?
> And lastly if you state that AV or whatever is not
> needed if you
> properly secure your systems, that is an attitude of
> infallibility, and
> therefore I caution. You cannot guarantee
> security! You may not need
> AV, but not for that reason.
Okay, I'll bite...for what reason?
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------