Matthew,
Great comments, thanks.
When this discussion began, I started thinking about
if there were any scenarios where I would want to
run a Windows server without AV software. After
giving it much thought, I decided that I would not
want a conventional server (providing a standard
TCP/IP service), ever, without AV software.
Okay, since the discussion has moved specifically from
_web servers_ to servers in general, I have taken the
liberty of modifying the subject line accordingly, so
as not to confuse the readers (and most especially,
the moderator).
There is no doubt there have been many security
holes in Windows. Some of them have been
remotely-exploitable without user intervention (RPC
vulnerabilities, for example).
With respect to web servers, if the system is running
RPC/DCOM, then it is no longer *just* a web server.
This is a point I've been making all along. If you
install IIS 6.0 on a stock installation of Win2K3,
without any modifications, then there exists a flaw in
the security process, for which the installation of
A/V software is a poor band-aid.
WRT servers in general, I would have to wonder why
these servers are being treated in isolation. Do
companies (or any other organization) really put
sensitive information on systems that are simply
plugged into the Internet, with no surrounding
infrastructure at all? If that's the case, then I say
again, A/V software is a poor band-aid b/c something
in the security process is broken. Such breakdowns
cannot be resovled with the installation of software
packages...the process itself must be fixed.
Without AV software,
I have no chance of catching anything that comes
into my server through unexpected means.
If the means are unexpected, then how do they get
caught? IMHO, part of the security process is to
reduce the attack surface, limiting those resources
that are exposed, and securing those that are.
With AV
software, the odds improve that I will find the
virus or worm around the time it is trying to get
in. The odds may not be 100%, especially for a
0-day.
Interesting. If the malware is not 0-day, is it then
known? What's the timeframe? Are we talking about a
scale of weeks or months? If that's the case, then it
is known, and understood...perhaps not by the person
who administers the machine, though.
However, I have a slim chance that
heuristics may catch it. I will take a slim chance
over no chance.
And I choose to take an educated approach,
understanding the purpose of the system, it's
exposures, and what I can do to protect it.
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
