Re: Server anti-virus software

always_at_not.here
Date: 05/08/03

Date: Thu, 08 May 2003 14:23:31 -0400

Never made a claim of 100% security.
That would be just plain silly. What
is claimed, is acceptable security
within agreed upon outcomes and
disclosure.

In the face of the unknown, it is
more fruitful to defend injection
paths than it is to defend against
unknown signatures.

You use the scenario of an unknown
injection path. Add to that, an
equally unknown payload. What is
your AV going to do then? Create
a signature file on the fly?

Finally, an informed choice given
due consideration and experience
is not ignorance. One size fits
all is.

^shrug^

"Keith W. McCammon" wrote:
>
> > If the server is virus free at build time,
> > and injection paths are *fully protected at all times*,
> > then running anti-virus products on a
> > dedicated web server is simply a
> > waste of time and resources.
>
> How can you fully protect a system against an unknown set of threats?
>
> How can you purport to be aware of every known and unknown injection path
> into a system? You cannot. Not possible.
>
> > Those claiming that anti-virus software has
> > never interfered with the proper operation of
> > a production web server should search previous
> > posts in microsoft.public.inetserver.iis
> > for indications to the contrary.
>
> Been there for years...
>
> > Without public uploads, running AV on a
> > web server *is* FUD. Unless, of course,
> > the admin in question is *incapable* of
> > locking down the server properly.
>
> Exploits that are the result of flaws within either the web platform or the
> operating system cannot be predicted, nor can they be summarily defended
> against. To suggest that anyone is capable of locking down a system 100% is
> an ignorant and statistically impossible suggestion. You cannot defend
> against what 1) you cannot see, or 2) what has yet to be discovered. A
> brief scenario:
>
> A new buffer overflow in a commonly-used ASP component is discovered, and is
> released into the wild. This overflow, like others before it, allows a
> malicious user to upload data of his choosing. He chooses one of 1,000 known
> rootkits. You have no AV. Are you now a bad admin because you didn't run a
> firewall? No. You are a bad admin because you're not running AV, which
> would have caught and quarantined your rootkit in a matter of seconds.
>
> This is not FUD. For those of us with a large liability on our hands,
> taking the extra precaution is not an option.
>
> --
> Keith W. McCammon

--

