
| Subject: | RE: What should be protected with anti-virus software? |
|---|---|
| Date: | Mon, 6 Feb 2006 12:03:05 -0500 |

To add to the comment below, Nimda had several attack modes. In addition to e-mail attachments to readme.exe files and mass mailing itself by searching html files for addresses in address books, which the network manager says he is not vulnerable to since it does not receive e-mail, NIMDA could locate and infect web servers by exploiting security holes due to patch levels not being up to date. Anyone surfing that web site could be infected. Therefore, servers on your network could either infect someone else, or if a network manager surfs to an infected web site from one of his network servers to, for instance, load an update, his server can become infected. Code Red didn't even have that capability.

NIMDA also had the ability to search for file shares in a local network on servers or end-user machines. So if for some reason a single network server became infected, NIMDA could infect network machines with open file shares by dropping a hidden .DLL file to a directory having DOC or EML files.

Therefore, I would not want to run the risk of not having AV on my servers since there are worms and viruses that can infect in ways far beyond e-mail exploits. Take it from someone who had to clean up the mess NIMDA left behind.

Ted
973-886-6260

-----Original Message-----
From: Mark P. Larios [mailto:mark.larios@calumetlubricants.com]
Sent: Monday, February 06, 2006 10:11 AM
To: Erdahl, Larry E; focus-virus@securityfocus.com
Subject: RE: What should be protected with anti-virus software?

Has the operations manager ever heard of an old friend called nimda perhaps? There are a few nasty viruses which spread across networks via open ports. Does he keep his servers patched and up to date on service packs? Having an AV on a server is usually considered a good practice.

Mark

-----Original Message-----
From: Erdahl, Larry E [mailto:Larry.Erdahl@allina.com]
Sent: Thursday, February 02, 2006 8:06 AM
To: focus-virus@securityfocus.com
Subject: What should be protected with anti-virus software?

Long time reader, but first time poster, so please be gentle ;-).

I am in the middle of a risk assessment of our current anti-virus practice and need a little help. I am finding servers without any anti-virus software installed and others that are only configured as on-access detection. I am not sure if the reasoning for not having anti-virus installed or only running on-access holds water or is sufficient for today's needs.

The operations manager believes that not all servers need anti-virus software. He believes his application servers are safe because they don't receive e-mails and they don't have files that would become infected. He also feels his Novell file and print servers are sufficiently protected by using on-access detection only.

Can anyone give me a "best business practice" recommendation or point me to documentation on what should be protected with anti-virus software and why?

Any help will be greatly appreciated!

Thanks....
Larry

This message contains information that may be confidential and privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message.
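
The file-share behaviour described in the reply above (a hidden .DLL dropped into a directory that holds DOC or EML files) is something a server or share can be swept for. The sketch below is an added example, not part of the original thread; the function names and the leading-dot fallback for non-Windows hosts are assumptions.

```python
import os
import stat

DOC_EXTS = {".doc", ".eml"}  # file types named in the post


def is_hidden(path):
    """True if the Windows hidden attribute is set on path.

    Assumption: on non-Windows hosts a leading dot counts as hidden.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_hidden_dlls_near_documents(root, hidden=is_hidden):
    """Return sorted paths of hidden .dll files that share a directory
    with at least one .doc or .eml file, anywhere under root."""
    hits = []

    def report_unreadable(err):
        # Report directories that could not be listed instead of hiding the gap.
        print(f"cannot read {err.filename}: {err.strerror}")

    for dirpath, _dirs, files in os.walk(root, onerror=report_unreadable):
        exts = {os.path.splitext(name)[1].lower() for name in files}
        if not exts & DOC_EXTS:
            continue  # no documents here, so not the pattern from the post
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if hidden(full):
                    hits.append(full)
            except OSError as err:
                print(f"cannot stat {full}: {err.strerror}")
    return sorted(hits)


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in find_hidden_dlls_near_documents(start):
        print(path)
```

A hit is a lead for triage rather than proof of infection, since legitimate software can also ship hidden DLLs next to documents.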