Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Full-disclosure Anti virus installations on Windows servers
From: T Biehn <tbiehn () gmail com>
Date: Mon, 4 May 2009 22:51:09 -0400

What are you trying to protect against?
This is of value for targeting 'advice.'

As a server you should be most worried about people popping your box,
now you can eliminate 99.9% of attackers by following a regular patch
schedule. The other .1 is made up of .05 target and .05 known &
unpatched.
.1 might be skewed one way or the other depending on your value as a
target, but I think you get the point.

A/V is worthless in most targeted attacks, the only worthwhile a/v in
these are those that have good heuristic analysis and/or prevent
against rootkits. Their value is dubious at best.
In this case (and why i suggested it in the first place) something
like eEye Blink is the only TYPE OF beneficial product you can get. It
logically analyzes whatever protocols it understands and looks for
'out of bound' type patterns. Has a library of known shellcode that it
matches against. Claims to prevent rootkit / exploits via some API
hooking voodoo, and a bunch of other bull you can only get from
reading the marketing boilerplate on their homepage.

As with *nix / BSD you're only as good as your sysadmin, you should
read through the various security settings you have available. Maybe
you want to read NSA's secure XP scripts? Try to implement a solid EFS
policy on your windows box to enforce read permissions against SYSTEM
and other admin accounts, this will reduce any damage possible from a
compromised box (however you cannot trust the security of EFS if
there's any attacker on your OS w/ admin privs because they have
access to your memory bits).

Check this wacky scenario: Set up nix inside a VM running inside your
windows server. Use the nix box as a reverse proxy to your windows
box. This should give you some lead time, and will piss off (once they
get to the container OS)\scare off(holy shit it's a vmware honeypot)
whomever is attacking you.

The absolute worst thing you can do is ask a bunch of people on FD what to do.

-Travis

On Mon, May 4, 2009 at 9:15 AM, mbs <mbs () mistrealm com> wrote:
This debate has been interesting, if light on practical advice.

Let me clarify my question.

First, I do not own the server in question. I did not install the operating
system in question. I did not make that business decision.

According to http://news.netcraft.com/

Apache 104,178,852 46.35% 106,368,727 45.95% -0.41
Microsoft 66,229,250 29.47% 67,767,928 29.27% -0.20
Thirty percent of servers run windows.

Some of you will laugh at someone who has to protect a windows server, and
would suggest rebuilding from the ground up. Obviously my client would
disagree.

One person suggested Kaspersky, and I have it running at the moment, it
seems to be working as intended.

Am I missing the point?



T Biehn wrote:

The example provides an easy to concoct scenario where perhaps
anti-virus software might be employed to great benefit where the


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault