Home page logo
/

basics logo Security Basics mailing list archives

Re: Running AV via SSH? (Was: Re: Bad Antivirus)
From: Alois Mahdal <alois.mahdal.1-ndmail () zxcvb cz>
Date: Sat, 9 Feb 2013 01:41:43 +0100

On Mon, 04 Feb 2013 09:13:37 -0500
Michael Peppard <mpeppard () impole com> wrote:

[...]  You can map the remote drive either through ssh2 as local
administrator or using drive mapping as network admin.  Most
viruses will shut down or lie to an antivirus program running
locally. 

I actually thought that you mean logging in to the box via ssh, and
then running an AV *there* under sshd, just like you would run anything
else.  In case of normal Joe's workstation, that would of course hardly
help with more than the distance you need to walk.

Now I see that what you suggest is just sharing the files via network
(e.g. SSH/SFTP) and scanning them remotely.  But as others have pointed
out, if that was to work, you would probably need to share like "root
access to /", which seems like a very crazy idea.

What I'd suggest is:

*   if you can access the machine physically

    1.   grab a couple of bootable AV CDs from different vendors

    2.   with each of them, reboot and scan and research

    3.   decide what to do.

*   otherwise restoring from backup is probably the only option

    In many cases this might be safer or even easier solution
    (congrats if you *do* have easily restorable backups), but you need
    to be sure that the *backup* is not infected as well.

So probably combination of both methods could be in place.


It is also a good idea to have antivirus running as an appliance at
the edge of networks alongside the firewall. If the antiviruses you
have chosen for your network don't update at least daily when needed,
you may want to look for a new antivirus.

Definitely scanning files on regular paths to/aroud your net (file
servers, e-mail servers) is a good idea.  It does not, however protect
you 100%:

*   flash drives

*   HTTP: e.g. if you needed to check virus.exe being downloaded,you
    would need to get the *whole* file.  But in reality the stream can
    come in many pieces, and can be even interrupted in the middle and
    restored days later.  Can't imagine tracking infection via HTTP
    this way 

*   encrypted streams, encrypted ZIPs

Sometimes you can, however, forbid these things strictly, (e.g. throw
away all attachments, seal off USB connectors...) without hindering the
business.  Not sure about HTTP though...


Thanks,
aL.

-- 
Alois Mahdal

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]