This whole debate is kind of silly in my opinion. Saying that you
shouldn't run antivirus protection on a public internet server because
if every admin was doing his/her job, they would have been able to
prevent every exploit before it's even known to the main stream is
absurd. It's like saying that the police wouldn't need a side arm if
they where just good enough at preventing crime. Even the best of us
are caught with our pants down at one time in our careers.
Why on EARTH would someone deny a layer of protection on their server
that very well may save their company a very large sum of money? My
company would fire me in a millisecond if I where to tell them that
antivirus on a web server is useless and I don't believe in its
usefulness. How do you pull that kind of advice off and remain
employed?
I'm sorry, but that's just the most horrible advice I've ever seen
someone that claims to be a security professional shell out.
I don't mean to flame you but I cringe every time that I see something
like this on a list where the lay people believe that the contributors
know what they're talking about. Some poor guy somewhere is probably
going to uninstall his antivirus, get hit by the next big thing, and
find himself unemployed due to horrible advice such as this. I hope that
doesn't happen.
I agree that the antivirus isn't the only line of defense just like the
side arm isn't the police officers only line of action but it's
unarguably a very valuable tool that would be very unwise to go without.
Consider the antivirus software one of your most valuable side arms in
the fight against the unemployment line. :)
Steve Bostedor
http://www.vncscan.com
-----Original Message-----
From: Adrian Marsden [mailto:amarsden@jvsdet.org]
Sent: Thursday, July 21, 2005 1:27 PM
To: Gareth Humphries; focus-ms@securityfocus.com
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed
onthem?
But what happens when the exploit targets the AV? The situation is
reversed.
Furthermore, if both companies were running identically then both were
doing it wrong. A system integrity checker on either system would have
alerted the admin to a potential problem... Apparently neither,
(fictional), company used one.
Potentially and statistically the integrity checker is less likely to be
exploited/able than the AV so if you are going to run any additional
software, (thus reducing the system security), an integrity checker is a
better bet.
-----Original Message-----
From: Gareth Humphries [mailto:ghumphries@linz.govt.nz]
Sent: Wednesday, July 20, 2005 8:25 PM
To: focus-ms@securityfocus.com
Subject: RE: Should webservers, eg. IIS 6 have anti--virus installed
onthem?
Harlan, et al:
I think the points most people are making here can be summed in a
simple scenario:
- 2 companies install webservers - both use identical OS's and IIs
versions. Both folow all a dilliegent process of securing the box, such
that IIS is the only service running, port 80 is the only port open.
They both follow an identical, very thorough process, except that 1
installs AV software, the other doesn't.
- An exploit is discovered and disclosed in IIS before MS have a
chance to patch. Lets say a buffer overflow in the "content:" tag.
Unlikely and simplistic, but quite suitable for our purposes. (the
point being, you can't trust 3rd party software)
- Some black-hat kiddie finds the exploit code, wraps a stock rootkit
up in it, and sends it into the wild.
- It hits both of our theortical organisations webservers, and
exploits successfully on both of them.
- The webserver with AV software detects the rootkit, and cleans the
file/notifies the admin/whatever.
- What happens to the system without AV software is left as an
exercise for the reader (clue: 0wnAg3)
Not an unlikely scenario, I'm sure you'll agree.
No amount of lock-down can protect you from a vulnerability in the
service you are deliberatey exposing - AV software can. Not all the
time, granted, but sometimes. And sometimes is a hell of a lot better
than never in my books.
Gareth Humphries
IT Specialist
IBM New Zealand Ltd
________________________________________________________________________
______________________________
This message contains information, which is confidential and may be
subject to legal privilege.
If you are not the intended recipient, you must not peruse, use,
disseminate, distribute or copy this message.
If you have received this message in error, please notify us immediately
(Phone 0800 665 463 or info@linz.govt.nz) and destroy the original
message.
LINZ accepts no responsibility for changes to this email, or for any
attachments, after its transmission from LINZ.
Thank you.
________________________________________________________________________
______________________________
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
