Network Security Focus-Microsoft

RE: Should webservers, eg. IIS 6 have anti--virus installed on them?

Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?
Date: Wed, 20 Jul 2005 13:59:33 -0400

-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com] 
Sent: Wednesday, July 20, 2005 1:38 PM
To: focus-ms@securityfocus.com
Cc: jeff@shawgo.com; Brady McClenon
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed on them?


Brady,
 
As for the rest, it's obvious we disagree because the logic that we
don't know what the next threat may be holds with me, or that we could
have missed something when securing the server (again that
infallibility thing) holds with me.

IMHO, it's not a matter of infallibility at all.  What I am saying is
that new threats won't necessarily be covered by A/V software.  Also, if
something was missed in the configuration of the web server, then
there's a problem with the security process that needs to be fixed, and
when the problem lies in the process, installing an additional software
package is a poor band-aid, at best.

[Brady] - I agree it's a security process that needs to be fixed, and
one should remedy that, but still mistakes can happen, and I'd rather
have AV there to save me and point out my mistake than be compromised.
I also agree that new threats won't necessarily be covered by A/V
software, but they won't necessarily be covered by any proactive
measures you take.  I wouldn't suggest discarding them all for that
reason.

And correct that an A/V product without a definition for a virus is 
useless, unless you use one like I do that has heuristic scanning 
adding some level of protection.


That's fine.  How many alerts do you get on a
daily/weekly/monthly basis from your A/V package,
specifically the one installed on your web server?

[Brady] - Define alerts. That a virus was found? Can't remember one.
Like to keep it that way too.  If you mean any log entry, a few a week
saying the definition files were updated.

Also, many AV vendors now have definitions for well-known "hacker
tools" (I hate the term, but can't think of a better one).  Many worms
and script-kiddies use the vulnerability to drop in files that do the
real damage.  Drop in an FTP server (reason for firewall), backdoor
(reason for firewall), keylogger, whatever, and execute as SYSTEM.

If an attacker or worm is able to gain SYSTEM access
to your system, no amount of A/V is going to help. 
Many worms are actively seeking out A/V processes and
attempting to disable them.

[Brady] - and some don't.  That is a new hurdle for AV companies though,
I admit.  Does this suggest we shouldn't bother with AV on any computer?

If there was no patch for the vulnerability,
wouldn't it be nice for an AV product to grab those?

Again, if the attacker (person, kiddie, worm,
whatever) is executing as SYSTEM...what's the point?

[Brady] because script-kiddies and worms only know what their code says.
If it fails, it fails.  A determined hacker, no it probably will only
slow them down, true.  I don't think that makes it pointless though.


And lastly, if you state that AV or whatever is not needed if you
properly secure your systems, that is an attitude of infallibility, and
therefore I caution.  You cannot guarantee security!  You may not need
AV, but not for that reason.

Okay, I'll bite...for what reason?

[Brady] I don't know.  I've yet to hear a good reason not to install an
AV client.  There may be one though.

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
