full-disclosure-uk May 2009 archive

Re: [Full-disclosure] Full-disclosure Anti virus installations on Windows servers

From: T Biehn <tbiehn_at_nospam>
Date: Tue May 05 2009 - 02:51:09 GMT
To: mbs <mbs@mistrealm.com>

What are you trying to protect against?
This is of value for targeting 'advice.'

As a server, you should be most worried about people popping your box; you can eliminate 99.9% of attackers by following a regular patch schedule. The other .1% is made up of .05% targeted and .05% known & unpatched.
The .1% might be skewed one way or the other depending on your value as a target, but I think you get the point.

A/V is worthless in most targeted attacks; the only worthwhile A/V in these cases is one with good heuristic analysis and/or protection against rootkits. Their value is dubious at best. In this case (and why I suggested it in the first place) something like eEye Blink is the only TYPE OF beneficial product you can get. It logically analyzes whatever protocols it understands and looks for 'out of bound' type patterns, has a library of known shellcode that it matches against, claims to prevent rootkits / exploits via some API hooking voodoo, and a bunch of other bull you can only get from reading the marketing boilerplate on their homepage.

As with *nix / BSD, you're only as good as your sysadmin; you should read through the various security settings you have available. Maybe you want to read NSA's secure XP scripts? Try to implement a solid EFS policy on your Windows box to enforce read permissions against SYSTEM and other admin accounts; this will reduce any damage possible from a compromised box (however, you cannot trust the security of EFS if there's an attacker on your OS w/ admin privs, because they have access to your memory bits).

Check this wacky scenario: set up *nix inside a VM running inside your Windows server. Use the *nix box as a reverse proxy to your Windows box. This should give you some lead time, and will piss off (once they get to the container OS) / scare off (holy shit, it's a VMware honeypot) whoever is attacking you.

The absolute worst thing you can do is ask a bunch of people on FD what to do.


On Mon, May 4, 2009 at 9:15 AM, mbs <mbs@mistrealm.com> wrote:
> This debate has been interesting, if light on practical advice.
> Let me clarify my question.
> First, I do not own the server in question. I did not install the operating
> system in question. I did not make that business decision.
> According to http://news.netcraft.com/
> Apache 104,178,852 46.35% 106,368,727 45.95% -0.41
> Microsoft 66,229,250 29.47% 67,767,928 29.27% -0.20
> Thirty percent of servers run windows.
> Some of you will laugh at someone who has to protect a windows server, and
> would suggest rebuilding from the ground up. Obviously my client would
> disagree.
> One person suggested Kaspersky, and I have it running at the moment, it
> seems to be working as intended.
> Am I missing the point?
> T Biehn wrote:
>> The example provides an easy to concoct scenario where perhaps
>> anti-virus software might be employed to great benefit where the

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
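The two mechanisms the reply above attributes to eEye Blink, protocol-aware 'out of bound' pattern checks plus matching against a library of known shellcode, as an added example in Python (this is not code from the thread, from eEye, or from any product). It parses HTTP/1.x requests, applies length and character-set checks, and runs a constructed two-entry signature list over the raw and percent-decoded bytes. The sample requests, the size limits and the signature patterns are all constructed for the example; the last sample shows why the signature half is the weak half.

```python
"""Protocol-aware anomaly check for HTTP requests.

Added example, not code from the mailing-list thread or from eEye: it sketches
the two mechanisms the reply describes (out-of-bound checks on a protocol the
tool understands, plus a library of known shellcode signatures).
"""
import re
from urllib.parse import unquote_to_bytes

# Assumed limits; a real deployment tunes these per application.
MAX_REQUEST_LINE = 2048
MAX_HEADER_VALUE = 1024

# Constructed "known shellcode" library. Real products carry thousands of
# entries; these two are illustrative only.
SIGNATURES = {
    "x86-nop-sled": re.compile(rb"\x90{16,}"),
    # fnstenv [esp-0xc]: a GetPC stub commonly found at the start of decoders.
    "x86-fnstenv-getpc": re.compile(rb"\xd9\x74\x24\xf4"),
}

PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")


def parse_request(raw: bytes):
    """Split an HTTP/1.x head into (method, target, version, headers).

    Returns None if the request line or a header is not well-formed; the
    caller treats that as a finding of its own.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers


def inspect_request(raw: bytes) -> list:
    """Return a sorted list of finding strings; empty means nothing anomalous."""
    findings = set()
    parsed = parse_request(raw)
    if parsed is None:
        # Malformed input is exactly where payloads hide, so the signature
        # pass below still runs.
        findings.add("malformed request line or header")
    else:
        method, target, version, headers = parsed
        line_len = len(method) + len(target) + len(version) + 2
        if line_len > MAX_REQUEST_LINE:
            findings.add(f"request line too long ({line_len} bytes)")
        if not PRINTABLE.match(target):
            findings.add("non-printable bytes in request target")
        if version not in (b"HTTP/1.0", b"HTTP/1.1"):
            findings.add(f"unexpected version token {version!r}")
        for name, value in headers:
            label = name.decode(errors="replace")
            if len(value) > MAX_HEADER_VALUE:
                findings.add(f"header {label} too long ({len(value)} bytes)")
            if not PRINTABLE.match(value):
                findings.add(f"non-printable bytes in header {label}")
    # Signature pass over the raw bytes and over the percent-decoded form,
    # since a sled written as %90%90... would slip past a raw-byte match.
    for view in (raw, unquote_to_bytes(raw)):
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(view):
                findings.add(f"signature {sig_name}")
    return sorted(findings)


# Constructed sample requests (not captured traffic).
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: curl/7.19\r\n\r\n")
SLED = (b"GET /cgi-bin/search?q=" + b"%90" * 32 + b"AAAA HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n")
OVERFLOW = b"GET / HTTP/1.1\r\nHost: " + b"A" * 4096 + b"\r\n\r\n"
# The same sled XOR-encoded with a one-byte key: the signature library sees
# nothing familiar, and only the generic character-set check fires.
ENCODED = (b"GET / HTTP/1.1\r\nX-Data: "
           + bytes(b ^ 0x41 for b in b"\x90" * 32) + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("sled", SLED),
                       ("overflow", OVERFLOW), ("encoded", ENCODED)):
        print(label, inspect_request(req))
```

The encoded sample is the caveat in miniature: the signature pass finds nothing, and an encoder that emits only printable characters (alphanumeric shellcode encoders exist) would pass the character-set check too, leaving the length limit as the last line, which is the sense in which such products are "dubious at best" against a targeted attacker.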