RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
From: Gareth Humphries (ghumphries_at_linz.govt.nz)
Date: 07/21/05
Date: Thu, 21 Jul 2005 12:24:58 +1200 To: <focus-ms@securityfocus.com>
Harlan, et al:
I think the points most people are making here can be summed up in a
simple scenario:
- 2 companies install webservers - both use identical OS's and IIS
versions. Both follow a diligent process of securing the box, such
that IIS is the only service running, port 80 is the only port open.
They both follow an identical, very thorough process, except that 1
installs AV software, the other doesn't.
- An exploit is discovered and disclosed in IIS before MS have a
chance to patch. Let's say a buffer overflow in the "content:" tag.
Unlikely and simplistic, but quite suitable for our purposes. (the
point being, you can't trust 3rd party software)
- Some black-hat kiddie finds the exploit code, wraps a stock rootkit
up in it, and sends it into the wild.
- It hits both of our theoretical organisations' webservers, and
exploits successfully on both of them.
- The webserver with AV software detects the rootkit, and cleans the
file/notifies the admin/whatever.
- What happens to the system without AV software is left as an
exercise for the reader (clue: 0wnAg3)
Not an unlikely scenario, I'm sure you'll agree.
No amount of lock-down can protect you from a vulnerability in the
service you are deliberately exposing - AV software can. Not all the
time, granted, but sometimes. And sometimes is a hell of a lot better
than never in my books.
Gareth Humphries
IT Specialist
IBM New Zealand Ltd