RE: Should servers have anti--virus installed on them?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 07/21/05

  • Next message: Joe Marsh: "RE: Should webservers, eg. IIS 6 have anti--virus installed on them?"
    Date: Thu, 21 Jul 2005 09:26:19 -0700 (PDT)
    To: focus-ms@securityfocus.com
    
    

    Greg,

    > > And I choose to take an educated approach,
    > > understanding the purpose of the system, its
    > > exposures, and what I can do to protect it.
    >
    > I wholeheartedly agree, Harlan. I believe that
    > this above comment is
    > one of the points you have been making throughout
    > this thread.
    >
    > So, can you state that without a doubt, a true web
    > server, or server in
    > general, set up properly, maintained properly, would
    > be immune from a virus?

    Of course not...I would never say that. I do not deal
    in absolutes in that way. I have seen systems with
    updated A/V software running get infected with
    viruses/worms, b/c the stuff that hit it was new and
    relatively unknown to *any* of the A/V vendors.

    Also, I don't know if I need to point this out or not,
    but:
    http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#wheeler

    > Maybe, but you cannot state that the machine
    > will always be
    > maintained properly. No one can. Why? Because
    > accidents happen.

    True. But I believe that this is a result of the
    security process, and as such, the process itself
    should be addressed. Breathing a heavy sigh of relief
    b/c A/V software caught Code Red, for example, when
    the .ida/.idq script mapping should never have been
    enabled in the first place is, well, just wrong. It
    shows that the _process_ is broken, and that A/V
    software is just a band-aid.

    > Why does one carry auto insurance

    These analogies never work, sorry.

    > A good line of defense in a computer infrastructure
    > should do the same.
    > Attempt to protect not just from weaknesses, but
    > also from accidents and the unknown.

    Agreed. However, I have yet to see anything pass in
    this thread where someone can describe to me how, if a
    worm is unknown, by the sysadmin and the A/V
    companies, A/V software is going to help. Yes, I know
    about heuristic-based software, but even these can be
    bypassed by something "unknown".

    Also, I keep seeing people talk about Code Red, Nimda,
    SQL Spida and Slammer. This shows a nearly complete
    lack of understanding with regards to how these things
    propagate. So, I guess, these qualify as "unknown" in
    some manner, as well.

    > Of course a business case can be made
    > for every line of
    > defense weighing the cost with the benefits. But at
    > the minimal cost
    > for AV software, I believe any benefit, including
    > just peace of mind, would be worth that cost.

    Cost constitutes much more than simply money. There's
    the additional time it takes for maintenance, the
    additional knowledge required b/c new, (un)trusted
    code is introduced to a system and must be included
    and considered for any testing and troubleshooting
    procedure.

    Harlan

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------

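An added example, not part of Harlan's message or the list archive, illustrating the process point above from the defender's side: rather than relying on A/V to catch the next Code Red, audit the IIS W3C log for any request that reaches the .ida/.idq script mapping, since a 200 on such a request suggests the ISAPI mapping is still enabled. The field names follow the IIS W3C extended format; the log lines are constructed for the example.

```python
"""Audit IIS W3C extended log lines for requests that hit the .ida/.idq
script mapping.  The SAMPLE_LOG below is constructed, not a real log."""
import os

# Extensions handled by the indexing ISAPI mapping discussed in the thread.
RISKY_EXTENSIONS = {".ida", ".idq"}


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
            continue
        if line.startswith("#") or fields is None:
            continue                           # other directives / no header yet
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # malformed record: skip, don't guess
        yield dict(zip(fields, values))


def script_mapping_hits(lines, risky=RISKY_EXTENSIONS):
    """Return (client_ip, uri_stem, status) for every request whose
    URI extension is in `risky`.  A 200 here means the server still
    served the request through the mapping; a 404 is what you expect
    once the mapping has been removed."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        ext = os.path.splitext(stem)[1].lower()   # case-insensitive, like IIS
        if ext in risky:
            hits.append((rec.get("c-ip"), stem, rec.get("sc-status")))
    return hits


SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200
2001-07-19 10:00:02 198.51.100.7 GET /default.ida XXXX 200
2001-07-19 10:00:03 198.51.100.7 GET /scripts/query.idq - 404
2001-07-19 10:00:04 192.0.2.11 GET /index.IDA - 200
"""

if __name__ == "__main__":
    for ip, stem, status in script_mapping_hits(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {stem} (status {status})")
```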

