Network Security Focus-Microsoft

RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
Date: Wed, 20 Jul 2005 09:38:37 -0700
"Harlan Carvey" <keydet89@yahoo.com> 07/19/05 8:11 AM >>>

So far, this has been an interesting discussion,
but beneath it all, I'm seeing what I think is a
disturbing trend.

Antivirus needs to be part of the overall security
plan for all Windows machines - it's just part of
the cost of doing business - the cost of the
software, maintenance, and CPU overhead.

I'm seeing absolutist statements like the one above,
and it bothers me.  

If a web server is just a web server, the content is
served to the client, going outbound...not coming into
the server.  If the purpose of the system is to take
known-good pages (from the owner) and make them
available to the public (over ports 80 and 443), then
what is the point of A/V software?

When this discussion began, I started thinking about if there were any 
scenarios where I would want to run a Windows server without AV software.  
After giving it much thought, I decided that I would not want a conventional 
server (providing a standard TCP/IP service), ever, without AV software.

There is no doubt there have been many security holes in Windows.  Some of them 
have been remotely-exploitable without user intervention (RPC vulnerabilities, 
for example).  Without AV software, I have no chance of catching anything that 
comes into my server through unexpected means.  With AV software, the odds 
improve that I will find the virus or worm around the time it is trying to get 
in.  The odds may not be 100%, especially for a 0-day.  However, I have a slim 
chance that heuristics may catch it.  I will take a slim chance over no chance.

There is one exception that I can think of, and that is if I am running a 
server that communicates with extremely specialized equipment and works over 
unusual (as a relative term) interfaces (i.e. not today's network interfaces 
using TCP/IP or other standard protocols).  I remember a discussion some time 
back (might have been in Full Disclosure) about whether a virus could attack a 
Windows machine through a serial port.  If the only connection I have to the 
outside world is through a serial port or parallel port, and I control the 
connection (for example, if I had a modem attached to said serial port that 
only made outgoing calls), I might consider not having AV software.  It would 
also be more difficult to get automatic updates of the definitions onto said 
machine, so there would be a practicality issue.

And yes, there would still be ways to get a virus onto said machine, but such 
methods would require physical access and could be minimized through other 
mechanisms (turn off AutoPlay for CDs, for example).

Matt


