Home page logo
/

basics logo Security Basics mailing list archives

Re: Running AV via SSH? (Was: Re: Bad Antivirus)
From: "Rob" <synja () synfulvisions com>
Date: Mon, 4 Feb 2013 14:40:22 +0000

One step forward, two back?

1. You lose behavior based heuristics and the ability to scan/affect local memory/processes.
2. This requires sharing files that should not be shared even if it is via SSH.
3. Hella network load.
4. The permissions required for a proper scan/fix are a bad idea for a share of any sort.


Too much effort for too little reward. The gateway/IDS idea is good for some things, but can get very expensive in 
terms of both CPU time/money and throughput limitations.

Just my .02
Rob

Sent on the Sprint® Now Network from my BlackBerry®

-----Original Message-----
From: Michael Peppard <mpeppard () impole com>
Sender: listbounce () securityfocus com
Date: Mon, 04 Feb 2013 09:13:37 
To: <security-basics () securityfocus com>
Subject: Re: Running AV via SSH? (Was: Re: Bad Antivirus)

By running the antivirus program remotely you have the antivirus in a 
memory space which the virus can't corrupt.  You can map the remote 
drive either through ssh2 as local administrator or using drive mapping 
as network admin.  Most viruses will shut down or lie to an antivirus 
program running locally. Running the AV remotely isn't perfect and 
should not be your only defence as it will not stop a virus from 
infecting a computer in the first place, but it's better for cleaning a 
known infection and it may catch some viruses on the network that had 
shut down the local antivirus as part of the infection. Scanning 
profiles and network drives will point you to an infection that local 
anitviruses may have missed.

It is also a good idea to have antivirus running as an appliance at the 
edge of networks alongside the firewall. If the antiviruses you have 
chosen for your network don't update at least daily when needed, you may 
want to look for a new antivirus.

On 02/02/2013 03:21 PM, Alois Mahdal wrote:
Hello,

On Wed, 30 Jan 2013 10:50:26 -0500
Michael Peppard <mpeppard () impole com> wrote:

To be honest I usually run (or tell someone to) the antivirus on an
infected machine through a remote connection such as ssh2, or as
Windows network administrator. That takes care of several issues.
What does it take care of?  Isn't running av.exe via sshd the same?

Thanks,
aL.



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]