Network Security Focus-Microsoft

RE: Should webservers, e.g. IIS 6, have anti-virus installed on them?

Subject: RE: Should webservers, e.g. IIS 6, have anti-virus installed on them?
Date: Tue, 19 Jul 2005 16:43:58 -0700 (PDT)
Brady,

What are "known good pages"?

Perhaps another way of saying it is "web pages that are supposed to be there."

Heck, you may not even be the only admin!

Sounds like more of a procedural issue, not one that is going to be solved by installing another software package.

I had to jointly administer one once with another guy and I didn't even trust him!

And what good is A/V software going to do when the other admin can log in and disable it?

Even if you are the only one, there's no harm in protecting yourself.

From?  What threat are you protecting yourself from?

Look at it like this: the Tour de France has the best cyclists in the world, surely they know the proper way to ride a bike, but yet they all wear helmets.  Why?  Because no one is infallible.  If you think you are... Well, ignorance is bliss I guess.

Okay, so you're resorting to cheap shots now?  Wow, and here I was thinking that we could discuss this like fellow professionals.  Sorry to waste your time.

The Code Red example is good, but just because AV wouldn't have helped in one case, doesn't mean it wouldn't in another.

It was just one example...

I saw it save someone from a SQLSpida worm infection.

Oh, good.  Maybe you can explain, then, why the attacked machine had the ports exposed to the Internet, and a blank 'sa' password.  According to the write-up at the F-Secure site (http://www.f-secure.com/v-descs/sqlspida.shtml), this worm infected systems with a blank 'sa' account.

They patched, but apparently not properly, or applied patches out of order down the road, or who knows, so they were still vulnerable.  Worm got dropped in through the exploit,

Exploit?  Here's another site that explains the "exploit": http://www.securiteam.com/windowsntfocus/5WP0N0K75U.html

but the AV grabbed the file with the payload the second it hit the drive.  Sure, you could blame it on the sysadmin, but we all make mistakes, so it could happen to anyone.

That's a pretty big mistake.

Now I pose a question.  If "servers need to be patched, firewalled, isolated, and locked down.  Additionally, code should be audited for vulnerability to XSS and SQL injection" is "all part of good administration," then why isn't an AV client?  None are infallible, and none make your web server impervious to compromise; they only minimize risk.  They're just a layered defense.  Why balk at another layer?

So b/c an admin doesn't have the time and/or skills to properly administer a web server and ensure that the content itself doesn't expose it, you're going to install an anti-virus application?  Sounds like a band-aid approach, one that won't serve you in good stead when a bit of malcode that the client doesn't have a signature for hits the system.

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
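The thread turns on what a "known good page" is: content that is supposed to be on the server, as opposed to anything an attacker or a second admin dropped there. The script below is an added example (not code from this message or from any product) of how a defender makes that idea operational: it hashes every file under a web root into a baseline and later reports files that were added, modified or removed. The sample site, file names and the JSON baseline file are all constructed here for the demonstration.

```python
"""Baseline-and-compare check for the files under a web root.

Added example: records a SHA-256 "known good" baseline of a web root and
reports anything that later differs from it. All paths and sample content
below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root):
    """Map every file under web_root (relative path, forward slashes) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(web_root, baseline):
    """Return the relative paths that were added, modified or removed since the baseline."""
    current = build_baseline(web_root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_baseline(baseline, path):
    """Write the baseline as sorted JSON so two runs over the same tree diff cleanly."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def _write(path, data):
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed web root: take a baseline, then change, add and delete files.

    Returns (report_before_changes, report_after_changes).
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "images"))
        _write(os.path.join(root, "index.html"), "<html><body>Welcome</body></html>")
        _write(os.path.join(root, "about.html"), "<html><body>About us</body></html>")
        _write(os.path.join(root, "images", "logo.gif"), b"GIF89a" + b"\x00" * 16)

        # The baseline is written to a separate location ("store") and reloaded:
        # a copy kept on the web server itself could be edited by whoever edited
        # the pages, so in practice it belongs off-box or on read-only media.
        baseline_path = os.path.join(store, "baseline-constructed.json")
        save_baseline(build_baseline(root), baseline_path)
        baseline = load_baseline(baseline_path)

        clean_report = compare_to_baseline(root, baseline)

        # Simulate a page edit, a dropped file and a deleted page.
        _write(os.path.join(root, "index.html"), "<html><body>Welcome!!</body></html>")
        _write(os.path.join(root, "unexpected.asp"), "<% ' constructed sample %>")
        os.remove(os.path.join(root, "about.html"))

        return clean_report, compare_to_baseline(root, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after changes:", after)
```

Schedule the comparison from a host other than the web server, or at least compare against a baseline stored where the web server's own credentials cannot write, since the point of the check is that a compromised or carelessly shared server cannot vouch for itself.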
