Re: Should webservers, eg. IIS 6 have anti--virus installed on them?

Do I want A/V as another onion layer skin?  You betcha.

Will I have a heart attack if I see the tale tell sign of Trend's red 
'you have a virus' on a server or workstation?  Oh you bet.  Why?  
Because the goal is that the bad stuff never makes it in that far.  If I 
see anything other than an Eicar test virus up there it means my onion 
layers are broken and I need to trace back what happened and beef up my 
defenses.

The goal is that a/v never kicks in because the bad stuff is all out there.

What's the saying ..... "know thy systems"? 


Wozny, Scott (US - New York) wrote:

> You're absolutely right.  It's part risk analysis, part cost/benefit
> analysis.  You either choose to accept the risk of pushing out defs
> blind because it costs too much in manpower and lost time OR you vet the
> sigs and accept the cost of doing so in manpower and that you'll be
> exposed for longer but reduce the chance of a repeat of that fateful
> Friday, as rare an occurrence as it is, OR you do something in between
> that fits for you.  
>
> However, _all_ the blame is not on the vendor (though it was a massive
> screw-up on their part).  There's nothing in that software suite that
> _requires_ all defs be pushed immediately, and it used to be that no-one
> did.  Most of us have just gotten too comfortable with def updates
> because problems with sigs so rarely happens.  If "other vendors"
> patches didn't have so many unforeseen side effects, more people would
> push them without testing as well because we're all over worked and we
> make those cost / benefit decisions every day.
>
> The concern I had which I wanted to address was with a perceived
> implication that it's best to leave AV off IIS boxes (the question this
> thread is addressing) because it regularly contains new, possibly
> untested code and IMHO that, by itself, does not present a sufficient
> risk offset the numerous other benefits AV provides (no matter how
> _sure_ you're IIS server is locked down).  The event in question had, at
> best, a tenuous cause / effect relationship with mitigating factors
> which could have prevented it that organizations _chose_ to ignore.  It
> doesn't matter that everybody does it.  Everybody got busted.  So we
> dust ourselves off and figure out the best way to deal with it.  In some
> situations, that's to make a conscious choice that enough controls are
> in place that AV adds more hassle than it's worth and in _some_
> situations that's to take at the servers that are administered by
> professionals and put an additional line of defense on them in case
> these administrators turn out to be human and make a mistake that AV
> might be able to catch.  If the term "defense in depth" is unappealing
> and too fuzzily defined for you, think of it as "infosec redundancy".
> :)
>
> Scott
>
> -----Original Message-----
> From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> [mailto:sbradcpa@pacbell.net] 
> Sent: Wednesday, July 20, 2005 7:57 PM
> To: Wozny, Scott (US - New York)
> Cc: Harlan Carvey; focus-ms@securityfocus.com; jeff@shawgo.com
> Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
> them?
>
>
> Can you honestly say that you vet every dat file that comes your way in 
> the same manner that your do security patch testing on all of your 
> systems?  Show of virtual hands on this list... how many honestly have 
> the resources to put the same testbed energy into a/v sig updates as 
> they do patch deployment?  Test it on lab settings/virtual 
> system/canaries in the office and then roll it out... for all your sized
>
> operations?  There are some firms that indeed do this.  There are many, 
> however, that do not.  I personally don't have the resources [nor the 
> a/v deployment set in such a way] that I can do this.  Nor do I feel 
> that the few issues that I have had with allowing a/v to immediately 
> deploy versus the issues I might have if I don't automate the process 
> mean that I'm changing my methods.
>
> But...obviously neither did several railroads in Japan, a few Japanese 
> newspapers and other folks that were also affected and obviously didn't 
> vet the a/v sigs either.
>
> As often as they are updating these days, the risk of not pushing them 
> out as they come in has to be weighed with the potential for issues when
>
> not testing them.  I'm sorry but this was a A/V dat sig update that 
> affected the XP sp2 the hardest of all.  Trend admitted they screwed up.
>
> As fast as that nailed and flatlined my entire network... there's no way
>
> that should have left Trend's doorstep and been pushed to boxes.  It was
>
> an immediate CPU freeze up that had me booting into safe mode to get my 
> machines back in working mode.
>
> Even Microsoft has expanded their patch testing process to include 
> external more real life testers.  Sorry, but I do not accept that this 
> dat file freeze up was in any way an acceptable screw up ...and 
> obviously and unfortunately neither does Wall Street and analysts
> ...etc....
>
> All I'm saying is we've [I've?] grown complacent and many of us forget 
> that potentially every hour on the hour new untested code is on our 
> boxes.  Add that to your risk factors and decide accordingly.
>
> Show me an a/v software and this year few of them haven't had their own 
> security issues as well. 
>
> It's called a bit of risk analysis... what's the benefit....what's the 
> risk.  And no matter what size of firm you are... we all play the game, 
> we just come to different conclusions.  Ergo this thread which asked... 
> what's the risk of webservers having a/v on them?
>
> I think the answer is.. it depends.  There may not be a best practice 
> and instead each one of us needs to perform our own risk analysis and 
> decide accordingly [I really don't like 'best practices' as a concept 
> anyway - what's best for me... won't be best for the guy down the
> street]
>
> Nah... Dos 5, Wordstar and Lotus 123.  Now those were killer apps... I 
> still have a Compaq Portable luggable in our museum that boots if you 
> want to try it.  In the meantime, excuse me while I go update my 
> Firefox..again and ensure my Greasemonkey is on whatever version that 
> isn't vulnerable.
>
> Wozny, Scott (US - New York) wrote:
>
>  
>
> > Are you actually condemning AV because administrators blindly trusted
> > the AV sig updates they received and pushed them to live systems
> >    
> without
>  
>
> > testing them at all?  Who, precisely, wasn't doing their due diligence?
> >
> >
> > Computing is complicated.  If one isn't implementing and following
> > procedures to protect oneself from screw-ups in other organizations one
> > depends upon, then we all really ought to roll back to DOS 6.22 and
> >    
> stay
>  
>
> > there.
> >
> > If I misunderstood your implication, please correct me.  Otherwise, I
> > intend to keep AV in my bag of tricks.
> >
> > Scott
> >
> > -----Original Message-----
> > From: focus-ms-return-8320-swozny=deloitte.com@securityfocus.com
> > [mailto:focus-ms-return-8320-swozny=deloitte.com@securityfocus.com] On
> > Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > Sent: Wednesday, July 20, 2005 3:32 AM
> > To: Harlan Carvey
> > Cc: focus-ms@securityfocus.com; jeff@shawgo.com
> > Subject: Re: Should webservers, eg. IIS 6 have anti--virus installed on
> > them?
> >
> >
> > Not to mention ..if you were anywhere near a live system at 3:45 p.m 
> > Pacific time on a certain Friday when someone didn't do their due 
> > diligence and flatlined every single one of my workstations and even 
> > nailed my server....you might make you look at antivirus in a new
> > light....
> >
> > A/V is just introduction of new... possibly untested code on a machine 
> > .... possibly every hour on the hour....
> >
> > http://silverstr.ufies.org/blog/archives/000844.html
> >
> > Harlan Carvey wrote:
> >
> >
> >
> >    
> >
> > > So far, this is has been an interesting discussion,
> > > but beneath it all, I'm seeing what I think is a
> > > disturbing trend.
> > >
> > >
> > >
> > >   
> > >
> > >      
> > >
> > > > Antivirus needs to be part of the overall security
> > > > plan for all Windows machines - it's just part of
> > > > the cost of doing business - the cost of the
> > > > software, maintenance, and CPU overhead.
> > > >  
> > > >
> > > >     
> > > >
> > > >        
> > > I'm seeing absolutist statements like the one above,
> > > and it bothers me.  
> > >
> > > If a web server is just a web server, the content is
> > > served to the client, going outbound...not coming into
> > > the server.  If the purpose of the system is to take
> > > known-good pages (from the owner) and make them
> > > available to the public (over ports 80 and 443), then
> > > what is the point of A/V software?
> > >
> > > I'm seeing a lot of people say that A/V software is
> > > necessary, and that it's part of a 'holistic' or
> > > 'defense in depth' approach, but this really sounds
> > > more like Dilbert's "buzz word bingo" than anything
> > > else.
> > >
> > >
> > >
> > >   
> > >
> > >      
> > >
> > > > Certainly, servers need to be patched, firewalled,
> > > > isolated, and locked down.  Additionally, code
> > > > should be audited for vulnerability to XSS and SQL
> > > > injection.
> > > >  
> > > >
> > > >     
> > > >
> > > >        
> > > Yes, without a doubt.  This is all part of good
> > > administration.
> > >
> > >
> > >
> > >   
> > >
> > >      
> > >
> > > > None of these things are perfect.  Not that AV is
> > > > perfect, but it is another layer of defense - making
> > > > it part of that "Defense in Depth" strategy.
> > > >  
> > > >
> > > >     
> > > >
> > > >        
> > > But, defense against what?
> > >
> > >
> > >
> > >   
> > >
> > >      
> > >
> > > > AV has grown into more than just defense against
> > > > viruses.  It is often effective against worm code,
> > > > and some AV has identified common hacking tools
> > > > (e.g. - NetCat) as something that doesn't belong on
> > > > most systems.  You can argue the viability of this
> > > > move, but most companies - if they have a security
> > > > team - have less that 0.1% of their machines which
> > > > maybe should have it there.
> > > >  
> > > >
> > > >     
> > > >
> > > >        
> > > "something that doesn't belong on most systems"?  How
> > > does it get there?  If a web server is properly
> > > configured and managed, then perhaps the most likely
> > > means of infection is from the administrator
> > > himself...and in such cases, A/V software is useless.
> > >
> > >
> > >
> > >   
> > >
> > >      
> > >
> > > > AV needs to be part of the cost of running Windows -
> > > > for better or for worse.
> > > >  
> > > >
> > > >     
> > > >
> > > >        
> > > Again, I'm seeing this as an approach that's being
> > > parrotted, rather than thought out.  I'm not saying
> > > that MS products are perfect...not at all.  But what I
> > > am saying is that using proper administration
> > > principles, those that have been espoused for well
> > > beyond the past decade, paying additional money to add
> > > yet another software package to a web server simply
> > > doesn't make good business sense.
> > >
> > > Why pay more money for another application to
> > > maintain, and another set of logs that you're not
> > > reviewing anyway?
> > >
> > > Several years ago, Dave LeBlanc set up an IIS 4.0
> > > server in accordance with simple common sense, and it
> > > was not vulnerable to Code Red...a full year before
> > > Code Red was launched.
> > >
> > > When Code Red was launched, A/V software would not
> > > have helped.  However, if the .hta script mapping had
> > > been disabled the day before Code Red came out, then
> > > guess what?  No problems.
> > >
> > > Should systems have A/V software in place? 
> > > Maybe...depending upon the function and purpose of the
> > > system.  Does it make sense?  Does it make good
> > > business sense?  What's the business
> > > reason/justification for installing another software
> > > package (for $$) over disabling current functionality
> > > (which doesn't cost anything)?
> > >
> > > Harlan
> > >
> > >
> > >
> > > ------------------------------------------
> > > Harlan Carvey, CISSP
> > > "Windows Forensics and Incident Recovery"
> > > http://www.windows-ir.com
> > > http://windowsir.blogspot.com
> > > ------------------------------------------
> > >
> > > ----------------------------------------------------------------------
> > >      
> -
>  
>
> > >   
> > >
> > >      
> > ----
> >
> >
> >    
> >
> > > ----------------------------------------------------------------------
> > >      
> -
>  
>
> > >   
> > >
> > >      
> > ----
> >
> >
> >    
> >
> > >   
> > >
> > >      
> > -----------------------------------------------------------------------
> >    
> -
>  
>
> > ---
> > -----------------------------------------------------------------------
> >    
> -
>  
>
> > --- 
> >
> >
> > This message (including any attachments) contains confidential
> >    
> information intended for a specific individual and purpose, and is
> protected by law.  If you are not the intended recipient, you should
> delete this message. Any disclosure, copying, or distribution of this
> message, or the taking of any action based on it, is strictly
> prohibited. [v.E.1]
>  
>
> > -----------------------------------------------------------------------
> >    
> ----
>  
>
> > -----------------------------------------------------------------------
> >    
> ----
>  
>
> >    
>
>  

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


---------------------------------------------------------------------------
---------------------------------------------------------------------------