RE: Should servers have anti-virus installed on them?
From: Brady McClenon (BMcClenon_at_uamail.albany.edu)
Date: 07/22/05
- Previous message: Steve Bostedor: "RE: Should webservers, eg. IIS 6 have anti-virus installed on them?"
- Maybe in reply to: Harlan Carvey: "Should servers have anti-virus installed on them?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Jul 2005 08:55:45 -0400
To: "Harlan Carvey" <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Thursday, July 21, 2005 12:26 PM
To: focus-ms@securityfocus.com
Cc: Matthew Farrenkopf; Greg Kelley
Subject: RE: Should servers have anti-virus installed on them?
Greg,
> > And I choose to take an educated approach, understanding the purpose
> > of the system, its exposures, and what I can do to protect it.
>
> I wholeheartedly agree, Harlan. I believe that this above comment is
> one of the points you have been making throughout this thread.
>
> So, can you state that without a doubt, a true web server, or server
> in general, set up properly, maintained properly, would be immune from
> a virus?
Of course not...I would never say that. I do not deal in absolutes in
that way. I have seen systems with updated A/V software running get
infected with viruses/worms, b/c the stuff that hit it was new and
relatively unknown to *any* of the A/V vendors.
[Brady] So have I. I've also seen AV catch viruses/worms on systems. No
security measure is perfect. If there was one, we wouldn't be discussing
AV, firewalls, IDS. We'd all just use that one security measure and
sleep easier. Well, except half of us would lose our jobs due to lack
of need. That half probably wouldn't sleep easier....
Also, I don't know if I need to point this out or not, but:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#wheeler
[Brady] - Well, we should hear what the guy actually has to say before
we put any stock into it.
> Maybe, but you cannot state that the machine will always be maintained
> properly. No one can. Why? Because accidents happen.
True. But I believe that this is a result of the security process, and
as such, the process itself should be addressed. Breathing a heavy sigh
of relief b/c A/V software caught Code Red, for example, when the
.ida/.idq script mapping should never have been enabled in the first
place is, well, just wrong. It shows that the _process_ is broken, and
that A/V software is just a band-aid.
[Brady] - No one is arguing the process is broken, but AV was a safety
net, not a band-aid. No one ever wants the safety net to come into
play, but if it does, it's better than hitting the ground hard. You
thank your lucky stars that the safety net saved you and learn from it,
and make sure it never happens again, because it shouldn't have happened
in the first place! No one is suggesting using AV as an excuse to be
lax on securing your server.
> Why does one carry auto insurance
These analogies never work, sorry.
[Brady] - for some.
> A good line of defense in a computer infrastructure should do the
> same.
> Attempt to protect not just from weaknesses, but also from accidents
> and the unknown.
Agreed. However, I have yet to see anything pass in this thread where
someone can describe to me how, if a worm is unknown, by the sysadmin
and the A/V companies, A/V software is going to help. Yes, I know about
heuristic-based software, but even these can be bypassed by something
"unknown".
[Brady] I think it has been stated before about hacker tools that can
be dropped in through an exploit. Of course, if it's "unknown" to the
def. files for the AV client, it will get through. To believe that every
sysadmin has enough time to stay up to date at any given time on every
new virus/worm threat that comes about on day 0 is a bit unrealistic.
Even if you can, then you have to weigh your options on how to defend
yourself, and determine and possibly explain how disabling or reconfiguring
something is going to affect your clients or business.
Also, I keep seeing people talk about Code Red, Nimda, SQL Spida and
Slammer. This shows a nearly complete lack of understanding with
regards to how these things propagate. So, I guess, these qualify as
"unknown" in some manner, as well.
[Brady] - Talking about them shows little understanding? I don't
follow.
> Of course a business case can be made for every line of defense,
> weighing the cost against the benefits. But at the minimal cost
> for AV software, I believe any benefit, including just peace of mind,
> would be worth that cost.
Cost constitutes much more than simply money. There's the additional
time it takes for maintenance, and the additional knowledge required b/c
new, (un)trusted code is introduced to a system and must be included and
considered in any testing and troubleshooting procedure.
[Brady] - Still doesn't raise the cost much.
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
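Worked example, added here and not part of the original thread or either poster's material: the kind of check that turns Harlan's point about the .ida/.idq script mapping into something operational, i.e. detection logic run over IIS log lines that tells you both whether anyone is probing the Index Server mapping and whether that mapping is still answering. The log lines are constructed, not real traffic, and the code assumes a W3C field order of date, time, client IP, method, URI stem, URI query and status; it also treats a 404 for a .ida/.idq request as a sign that the mapping has been removed, and uses a shortened, constructed query shaped like a Code Red request (a long run of "N" followed by %u escapes) rather than any real payload. All of those are assumptions of the example, not facts from the thread.

```python
import re

# Script-mapping extensions Harlan refers to: IIS mapped .ida/.idq to the
# Index Server ISAPI extension (idq.dll), the component Code Red exploited.
INDEX_SERVER_EXT_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
UNICODE_ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}")

# Constructed, shortened query resembling the shape of a Code Red request
# (a long run of "N" followed by %u-escaped bytes). Not a working payload.
CODE_RED_SHAPE_QUERY = "N" * 80 + "%u9090%u6858%ucbd3%u7801%u00=a"

# Constructed W3C-style IIS log lines, not real traffic. Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2005-07-21 12:01:05 10.0.0.7 GET /default.htm - 200",
    "2005-07-21 12:01:09 192.0.2.44 GET /default.ida " + CODE_RED_SHAPE_QUERY + " 200",
    "2005-07-21 12:02:00 10.0.0.9 GET /products/list.asp id=17 200",
    "2005-07-21 12:02:30 192.0.2.44 GET /search/query.idq CiRestriction=test 404",
]


def parse_line(line):
    """Split one log line into a dict; None for lines that do not fit the assumed layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {
        "time": date + " " + time,
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": int(status),
    }


def classify(rec):
    """Return a finding for requests that hit the .ida/.idq mapping, else None."""
    if not INDEX_SERVER_EXT_RE.search(rec["stem"]):
        return None
    query = rec["query"]
    # Heuristic for the overflow shape: an unusually long query or several %u escapes.
    overflow_shape = len(query) > 200 or len(UNICODE_ESCAPE_RE.findall(query)) >= 4
    # Heuristic (assumption): with the mapping removed, a nonexistent .ida file falls
    # through to a plain 404. Anything else suggests an ISAPI handler answered, i.e.
    # the mapping is still live and the process Harlan describes is still broken.
    mapping_live = rec["status"] != 404
    return {
        "time": rec["time"],
        "ip": rec["ip"],
        "stem": rec["stem"],
        "status": rec["status"],
        "overflow_shape": overflow_shape,
        "mapping_live": mapping_live,
    }


def audit(lines):
    """Run classification over an iterable of log lines and return the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Counts a reviewer wants: how often the mapping was hit, and whether it is still live."""
    return {
        "index_server_requests": len(findings),
        "overflow_shaped": sum(1 for f in findings if f["overflow_shape"]),
        "mapping_live": sum(1 for f in findings if f["mapping_live"]),
    }


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for f in found:
        flag = "OVERFLOW-SHAPE" if f["overflow_shape"] else "probe"
        state = "mapping LIVE" if f["mapping_live"] else "mapping removed"
        print(f"{f['time']} {f['ip']} {f['stem']} -> {f['status']} [{flag}, {state}]")
    print(summarize(found))
```

Run against real logs, a non-zero mapping_live count is the finding that matters: the probe itself is background noise on any exposed IIS host, but a 200 from idq.dll means the exposure Harlan calls a process failure is still present regardless of what the A/V engine did or did not catch.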