Network Security Focus-Microsoft
RE: Should servers have anti--virus installed on them?

Date: Thu, 21 Jul 2005 09:26:19 -0700 (PDT)
Greg,

>> And I choose to take an educated approach, understanding the purpose
>> of the system, its exposures, and what I can do to protect it.
>
> I wholeheartedly agree, Harlan.  I believe that this above comment is
> one of the points you have been making throughout this thread.
>
> So, can you state that without a doubt, a true web server, or server in
> general, set up properly, maintained properly, would be immune from a
> virus?

Of course not...I would never say that.  I do not deal in absolutes in
that way.  I have seen systems with updated A/V software running get
infected with viruses/worms, b/c the stuff that hit it was new and
relatively unknown to *any* of the A/V vendors.

Also, I don't know if I need to point this out or not, but:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#wheeler

> Maybe, but you cannot state that the machine will always be maintained
> properly.  No one can.  Why?  Because accidents happen.

True.  But I believe that this is a result of the security process, and
as such, the process itself should be addressed.  Breathing a heavy sigh
of relief b/c A/V software caught Code Red, for example, when the
.ida/.idq script mapping should never have been enabled in the first
place is, well, just wrong.  It shows that the _process_ is broken, and
that A/V software is just a band-aid.

> Why does one carry auto insurance

These analogies never work, sorry.

> A good line of defense in a computer infrastructure should do the same.
> Attempt to protect not just from weaknesses, but also from accidents
> and the unknown.

Agreed.  However, I have yet to see anything pass in this thread where
someone can describe to me how, if a worm is unknown, by the sysadmin and
the A/V companies, A/V software is going to help.  Yes, I know about
heuristic-based software, but even these can be bypassed by something
"unknown".

Also, I keep seeing people talk about Code Red, Nimda, SQL Spida and
Slammer.  This shows a nearly complete lack of understanding with regards
to how these things propagate.  So, I guess, these qualify as "unknown"
in some manner, as well.

> Of course a business case can be made for every line of defense
> weighing the cost with the benefits.  But at the minimal cost for AV
> software, I believe any benefit, including just peace of mind, would be
> worth that cost.

Cost constitutes much more than simply money.  There's the additional
time it takes for maintenance, the additional knowledge required b/c new,
(un)trusted code is introduced to a system and must be included and
considered for any testing and troubleshooting procedure.

Harlan 


------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
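The concrete example in the post is the .ida/.idq script mapping that gave Code Red its way onto IIS hosts that never needed Index Server. The audit below is an added example, not part of Harlan's post or of the thread: it parses IIS 5/6 metabase ScriptMaps entries (the `ext,processor,flags[,verb,...]` strings the metabase stores, which an administrator can dump with adsutil.vbs) and reports every mapping the application does not require, which is the "understand the purpose of the system and its exposures" check done as a script rather than left to A/V. The sample entries are constructed to resemble an IIS 5 default list, and the set of risky extensions beyond .ida/.idq is my own assumption drawn from the IIS Lockdown era defaults, not something the post states.

```python
"""Audit IIS 5/6 metabase ScriptMaps entries against an application allowlist.

Each ScriptMaps entry is a comma-separated string of the form
    ext,processor,flags[,verb,...]
for example ".ida,C:\\WINNT\\System32\\idq.dll,5,GET,HEAD".  The first three
fields are mandatory; the verb list may be absent.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Mappings IIS 4/5 installed by default that pull in ISAPI code a typical web
# application never uses.  Code Red entered through .ida/.idq (from the post);
# the other rows are an assumption based on the IIS Lockdown era defaults.
RISKY_EXTENSIONS: Dict[str, str] = {
    ".ida": "idq.dll Index Server ISAPI (Code Red entry point)",
    ".idq": "idq.dll Index Server ISAPI (Code Red entry point)",
    ".htr": "ism.dll legacy password-change ISAPI",
    ".printer": "msw3prt.dll Internet Printing ISAPI",
    ".htw": "webhits.dll Index Server hit highlighting",
    ".idc": "httpodbc.dll Internet Database Connector",
    ".stm": "ssinc.dll server-side includes",
    ".shtm": "ssinc.dll server-side includes",
    ".shtml": "ssinc.dll server-side includes",
}


@dataclass(frozen=True)
class ScriptMap:
    extension: str
    processor: str
    flags: int                 # IIS bitmask, kept only for reporting
    verbs: Tuple[str, ...]     # empty when the entry lists no verbs


def parse_script_map(entry: str) -> ScriptMap:
    """Parse one ScriptMaps entry; raise ValueError on a malformed line."""
    fields = [f.strip() for f in entry.strip().split(",")]
    if len(fields) < 3 or not fields[0]:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    try:
        flags = int(fields[2])
    except ValueError:
        raise ValueError(f"non-numeric flags in entry: {entry!r}") from None
    verbs = tuple(v.upper() for v in fields[3:] if v)
    return ScriptMap(fields[0].lower(), fields[1], flags, verbs)


def audit_script_maps(entries: Iterable[str],
                      allowlist: FrozenSet[str]) -> List[Tuple[str, str, str]]:
    """Return (extension, processor, reason) for every mapping not on the allowlist.

    Anything outside the allowlist is reported, known-bad or not: the point
    is that the application, not the vendor default, decides what is mapped.
    """
    findings = []
    for entry in entries:
        sm = parse_script_map(entry)
        if sm.extension in allowlist:
            continue
        reason = RISKY_EXTENSIONS.get(sm.extension, "not required by the application")
        findings.append((sm.extension, sm.processor, reason))
    return findings


# Constructed sample resembling an IIS 5 default ScriptMaps list (not captured
# from a real host).
SAMPLE_SCRIPT_MAPS = [
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".cer,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,5,GET,POST",
    r".ida,C:\WINNT\System32\idq.dll,5,GET,HEAD",
    r".idq,C:\WINNT\System32\idq.dll,5,GET,HEAD",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    r".htw,C:\WINNT\System32\webhits.dll,3",
]

# An ASP-only application needs exactly these two mappings (.asa stays mapped
# to asp.dll so global.asa cannot be served as a plain file).
ASP_APP_ALLOWLIST = frozenset({".asp", ".asa"})


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample with the ASP-only allowlist."""
    return audit_script_maps(SAMPLE_SCRIPT_MAPS, ASP_APP_ALLOWLIST)


if __name__ == "__main__":
    for ext, processor, reason in audit_sample():
        print(f"REMOVE {ext:9} -> {processor}  ({reason})")
```

Run against a real host, the entries would come from `adsutil.vbs GET W3SVC/1/Root/ScriptMaps` (or the equivalent WMI/ADSI query), and the allowlist would be whatever the application owner can justify; the script then becomes a one-line change-control check that fails the build when a mapping reappears, which is the process fix the post argues for.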
