norton anti-virus unable to scan file(s) due to NTFS acls/permissions
From: Tom Rodman (Use-Author-Address-Header_at_[127.1)
Date: 06/18/03
- Next message: hello: "Re: security question on hard drive"
- Previous message: Nick Bond: "Re: Hotfix 818043"
- Next in thread: Mark Zbikowski \(MSFT\): "Re: norton anti-virus unable to scan file(s) due to NTFS acls/permissions"
- Reply: Mark Zbikowski \(MSFT\): "Re: norton anti-virus unable to scan file(s) due to NTFS acls/permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 Jun 2003 11:05:41 -0500
Our norton anti-virus software is unable to thoroughly scan our
server's disks - apparently due to permissions. We require a
fix that does *not* involve changing file permissions or ACLs.
Were running "Norton AntiVirus Corporate Edition" v7.6 on
windows 2000 server. Can any one help?
Example errors in application event log:
030406 00:00:20 Norton AntiVirus Warning None 6 NA C7MKES109 Scan could not
open file C:\aut\cyg\etc\ssh_host_dsa_key [00000003]
<snipped>
030406 00:12:54 Norton AntiVirus Warning None 6 NA C7MKES109 Scan could not
open file D:\Database_Pack_Files\production.cpk [00000003]
--
thanks/regards,
Tom Rodman
pls run for my address:
perl -e 'print unpack("u", "\.\=\$\!T\<F\]D\;6\%N\+F\-O\;0H\`");'
# ====================================================================
# why we do not want to restrict the permissions our end
# users assign to their own objects:
# ====================================================================
o eventually there will be users that violate the rules, and or insist
that they be allowed to do so. This can get
political - you can not / will not always win political skirmishes.
System admins are not always treated like gods by management.
o IMHO users may have a valid reason for *not* granting the administrators
access to an object. Why should they be forced to? Our users are software
developers, perhaps they need to have very strict permissions for code test
cases. End users deserve respect, they pay for us with their work.
o This attitude that user's should not be able to permissions to objects
they own to what ever they want is IMHO arrogant, arrogant consistent
with the worst of "Microsoft culture". In contrast UNIX has no such
constraints - tools exist for "root" to backup all objects to a non-tape
archive regardless of their permissions or acls.
o I can give you a specific example where a production database requires a
all objects below a given directory have an explicit ACL value
that does *not* include system or administrators. If an object is
changed to include either of the above groups, then the application
will not work- at some point it will self repair by resetting all
the permissions on the tree so that these groups are removed.
o another example is cygwin's ssh client, for each ssh end user, their
$HOME/.ssh/ dir should be set for access *only* by the user, no access - not
even read or execute to anyone else. I may not be entirely correct
on this one, but I know the permissions on ~/.ssh/ are quite strict
by design (it's a "secure shell" after all).
o NTFS has an incredibly rich permissions capability - more so than UNIX.
To insist that administrators or system have full control to every object
"dumbs down" this richness and seems to contradict it's design.
- Next message: hello: "Re: security question on hard drive"
- Previous message: Nick Bond: "Re: Hotfix 818043"
- Next in thread: Mark Zbikowski \(MSFT\): "Re: norton anti-virus unable to scan file(s) due to NTFS acls/permissions"
- Reply: Mark Zbikowski \(MSFT\): "Re: norton anti-virus unable to scan file(s) due to NTFS acls/permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
