RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

From: Adrian Marsden (amarsden_at_jvsdet.org)
Date: 07/21/05

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Should webservers, eg. IIS 6 have anti--virus installed on them?"
    Date: Thu, 21 Jul 2005 13:27:27 -0400
    To: "Gareth Humphries" <ghumphries@linz.govt.nz>, <focus-ms@securityfocus.com>
    
    

    But what happens when the exploit targets the AV? The situation is
    reversed.

    Furthermore, if both companies were running identically then both were
    doing it wrong. A system integrity checker on either system would have
    alerted the admin to a potential problem... Apparently neither
    (fictional) company used one.

    Potentially and statistically the integrity checker is less likely to be
    exploited/able than the AV, so if you are going to run any additional
    software (thus reducing the system security), an integrity checker is a
    better bet.

    -----Original Message-----
    From: Gareth Humphries [mailto:ghumphries@linz.govt.nz]
    Sent: Wednesday, July 20, 2005 8:25 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed
    on them?

    Harlan, et al:

    I think the points most people are making here can be summed in a
    simple scenario:

     - 2 companies install webservers - both use identical OS's and IIS
    versions. Both follow a diligent process of securing the box, such
    that IIS is the only service running, port 80 is the only port open.
    They both follow an identical, very thorough process, except that 1
    installs AV software, the other doesn't.
     - An exploit is discovered and disclosed in IIS before MS have a
    chance to patch. Let's say a buffer overflow in the "content:" tag.
    Unlikely and simplistic, but quite suitable for our purposes. (the
    point being, you can't trust 3rd party software)
     - Some black-hat kiddie finds the exploit code, wraps a stock rootkit
    up in it, and sends it into the wild.
     - It hits both of our theoretical organisations' webservers, and
    exploits successfully on both of them.
     - The webserver with AV software detects the rootkit, and cleans the
    file/notifies the admin/whatever.
     - What happens to the system without AV software is left as an
    exercise for the reader (clue: 0wnAg3)

    Not an unlikely scenario, I'm sure you'll agree.

    No amount of lock-down can protect you from a vulnerability in the
    service you are deliberately exposing - AV software can. Not all the
    time, granted, but sometimes. And sometimes is a hell of a lot better
    than never in my books.

    Gareth Humphries
    IT Specialist
    IBM New Zealand Ltd

