Are you actually condemning AV because administrators blindly trusted
the AV sig updates they received and pushed them to live systems without
testing them at all? Who, precisely, wasn't doing their due diligence?
Computing is complicated. If one isn't implementing and following
procedures to protect oneself from screw-ups in other organizations one
depends upon, then we all really ought to roll back to DOS 6.22 and stay
there.
If I misunderstood your implication, please correct me. Otherwise, I
intend to keep AV in my bag of tricks.
Scott
-----Original Message-----
From: focus-ms-return-8320-swozny=deloitte.com@securityfocus.com
[mailto:focus-ms-return-8320-swozny=deloitte.com@securityfocus.com] On
Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 20, 2005 3:32 AM
To: Harlan Carvey
Cc: focus-ms@securityfocus.com; jeff@shawgo.com
Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
them?
Not to mention ..if you were anywhere near a live system at 3:45 p.m
Pacific time on a certain Friday when someone didn't do their due
diligence and flatlined every single one of my workstations and even
nailed my server....you might make you look at antivirus in a new
light....
A/V is just introduction of new... possibly untested code on a machine
.... possibly every hour on the hour....
http://silverstr.ufies.org/blog/archives/000844.html
Harlan Carvey wrote:
So far, this is has been an interesting discussion,
but beneath it all, I'm seeing what I think is a
disturbing trend.
Antivirus needs to be part of the overall security
plan for all Windows machines - it's just part of
the cost of doing business - the cost of the
software, maintenance, and CPU overhead.
I'm seeing absolutist statements like the one above,
and it bothers me.
If a web server is just a web server, the content is
served to the client, going outbound...not coming into
the server. If the purpose of the system is to take
known-good pages (from the owner) and make them
available to the public (over ports 80 and 443), then
what is the point of A/V software?
I'm seeing a lot of people say that A/V software is
necessary, and that it's part of a 'holistic' or
'defense in depth' approach, but this really sounds
more like Dilbert's "buzz word bingo" than anything
else.
Certainly, servers need to be patched, firewalled,
isolated, and locked down. Additionally, code
should be audited for vulnerability to XSS and SQL
injection.
Yes, without a doubt. This is all part of good
administration.
None of these things are perfect. Not that AV is
perfect, but it is another layer of defense - making
it part of that "Defense in Depth" strategy.
But, defense against what?
AV has grown into more than just defense against
viruses. It is often effective against worm code,
and some AV has identified common hacking tools
(e.g. - NetCat) as something that doesn't belong on
most systems. You can argue the viability of this
move, but most companies - if they have a security
team - have less that 0.1% of their machines which
maybe should have it there.
"something that doesn't belong on most systems"? How
does it get there? If a web server is properly
configured and managed, then perhaps the most likely
means of infection is from the administrator
himself...and in such cases, A/V software is useless.
AV needs to be part of the cost of running Windows -
for better or for worse.
Again, I'm seeing this as an approach that's being
parrotted, rather than thought out. I'm not saying
that MS products are perfect...not at all. But what I
am saying is that using proper administration
principles, those that have been espoused for well
beyond the past decade, paying additional money to add
yet another software package to a web server simply
doesn't make good business sense.
Why pay more money for another application to
maintain, and another set of logs that you're not
reviewing anyway?
Several years ago, Dave LeBlanc set up an IIS 4.0
server in accordance with simple common sense, and it
was not vulnerable to Code Red...a full year before
Code Red was launched.
When Code Red was launched, A/V software would not
have helped. However, if the .hta script mapping had
been disabled the day before Code Red came out, then
guess what? No problems.
Should systems have A/V software in place?
Maybe...depending upon the function and purpose of the
system. Does it make sense? Does it make good
business sense? What's the business
reason/justification for installing another software
package (for $$) over disabling current functionality
(which doesn't cost anything)?
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
-----------------------------------------------------------------------
----
-----------------------------------------------------------------------
----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law. If
you are not the intended recipient, you should delete this message. Any
disclosure, copying, or distribution of this message, or the taking of any
action based on it, is strictly prohibited. [v.E.1]
---------------------------------------------------------------------------
---------------------------------------------------------------------------
