Re: Antivirus software on web server

2003-10-20 Thread Thomas Chiverton
On Friday 17 Oct 2003 16:49 pm, Jochem van Dieten wrote:
  DNS poisoning when you downloaded the patch file, for instance.
  On UNIX boxes, a local attacker could have altered an alias for a common
  command to fetch, compile and insert a Nasty kernel module and then
  waited for you to run that command.
 That is what checksums are for.

Doesn't help - where did you get the checksums from ? Can you guarantee your 
checksum checker is correctly functioning (would make a great place to 
trojan...) ?

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.
*** This E-mail contains confidential information for the addressee
only. If you are not the intended recipient, please notify us
immediately. You should not use, disclose, distribute or copy this
communication if received in error. No binding contract will result from
this e-mail until such time as a written document is signed on behalf of
the company. BlueFinger Limited cannot accept responsibility for the
completeness or accuracy of this message as it has been transmitted over
public networks.***





Re: Antivirus software on web server

2003-10-20 Thread Jochem van Dieten
Thomas Chiverton wrote:
 On Friday 17 Oct 2003 16:49 pm, Jochem van Dieten wrote:
 
DNS poisoning when you downloaded the patch file, for instance.
On UNIX boxes, a local attacker could have altered an alias for a common
command to fetch, compile and insert a Nasty kernel module and then
waited for you to run that command.

That is what checksums are for.
 
 Doesn't help - where did you get the checksums from ?

 From a different machine of course.

Jochem






Re: Antivirus software on web server

2003-10-20 Thread Thomas Chiverton
On Monday 20 Oct 2003 11:24 am, Jochem van Dieten wrote:
  Doesn't help - where did you get the checksums from ?
From a different machine of course.

Which you have to trust.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-20 Thread Jochem van Dieten
Thomas Chiverton wrote:
 On Monday 20 Oct 2003 11:24 am, Jochem van Dieten wrote:
 
Doesn't help - where did you get the checksums from ?

 From a different machine of course.
 
 Which you have to trust.

If there is anyone who is going to trojan an OpenBSD bastion 
host, to modify the OpenSSL MD5 checker, so that he can inject 
code into a patch to trojan a webserver, he is welcome to try.

Jochem






Re: Antivirus software on web server

2003-10-20 Thread Thomas Chiverton
On Monday 20 Oct 2003 12:02 pm, Jochem van Dieten wrote:
 If there is anyone who is going to trojan an OpenBSD bastion
 host, to modify the OpenSSL MD5 checker, so that he can inject
 code into a patch to trojan a webserver, he is welcome to try.

Because it's not like there isn't a precedent for the odd open source package 
being trojaned, oh no.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-17 Thread Thomas Chiverton
On Thursday 16 Oct 2003 17:17 pm, Jochem van Dieten wrote:
 No account, not even LocalSystem, should have permission to patch
 core OS files.

How would you distribute security updates then ?

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-17 Thread Jochem van Dieten
Thomas Chiverton said:
 On Thursday 16 Oct 2003 17:17 pm, Jochem van Dieten wrote:
 No account, not even LocalSystem, should have permission to patch
 core OS files.

 How would you distribute security updates then ?

Log in, assign yourself the appropriate rights, update, revoke rights.

Jochem






Re: Antivirus software on web server

2003-10-17 Thread Thomas Chiverton
On Friday 17 Oct 2003 12:09 pm, Jochem van Dieten wrote:
 Thomas Chiverton said:
  On Thursday 16 Oct 2003 17:17 pm, Jochem van Dieten wrote:
  No account, not even LocalSystem, should have permission to patch
  core OS files.
  How would you distribute security updates then ?
 Log in, assign yourself the appropriate rights, update, revoke rights.

And then the attacker has a window to run in...

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-17 Thread Jochem van Dieten
Thomas Chiverton said:
 On Friday 17 Oct 2003 12:09 pm, Jochem van Dieten wrote:
 Thomas Chiverton said:
 On Thursday 16 Oct 2003 17:17 pm, Jochem van Dieten wrote:
 No account, not even LocalSystem, should have permission to
 patch core OS files.
 How would you distribute security updates then ?
 Log in, assign yourself the appropriate rights, update, revoke
 rights.

 And then the attacker has a window to run in...

Administrators are only allowed to do an interactive login. How many
of those can there be at the same time?

Jochem






Re: Antivirus software on web server

2003-10-17 Thread Thomas Chiverton
On Friday 17 Oct 2003 14:32 pm, Jochem van Dieten wrote:
 Administrators are only allowed to do an interactive login. How many
 of those can there be at the same time?

But any programs they run are now running as admin... you only solve some 
problems by enforcing this.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-17 Thread Jochem van Dieten
Thomas Chiverton said:
 On Friday 17 Oct 2003 14:32 pm, Jochem van Dieten wrote:
 Administrators are only allowed to do an interactive login. How
 many of those can there be at the same time?

 But any programs they run are now running as admin... you only solve
 some problems by enforcing this.

Who is running what as admin? If I log in as Admin and I do something
stupid that gives problems. But how is somebody else going to run
anything as admin that can replace kernel files?

Jochem






Re: Antivirus software on web server

2003-10-17 Thread Thomas Chiverton
On Friday 17 Oct 2003 15:15 pm, Jochem van Dieten wrote:
 Who is running what as admin? If I log in as Admin and I do something
 stupid that gives problems. But how is somebody else going to run
 anything as admin that can replace kernel files?

You don't have to be doing something stupid to trigger a trojan.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




RE: Antivirus software on web server

2003-10-17 Thread Dave Watts
 You don't have to be doing something stupid to trigger a 
 trojan.

I would classify unnecessary use of Administrator privileges as something
stupid.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





Re: Antivirus software on web server

2003-10-17 Thread Jochem van Dieten
Thomas Chiverton said:
 On Friday 17 Oct 2003 15:15 pm, Jochem van Dieten wrote:
 Who is running what as admin? If I log in as Admin and I do
 something stupid that gives problems. But how is somebody else
 going to run anything as admin that can replace kernel files?

 You don't have to be doing something stupid to trigger a trojan.

What would be a non-stupid way for an admin to trigger a trojan on his
server?

Jochem






Re: Antivirus software on web server

2003-10-17 Thread Thomas Chiverton
On Friday 17 Oct 2003 15:58 pm, Dave Watts wrote:
  You don't have to be doing something stupid to trigger a
  trojan.
 I would classify unnecessary use of Administrator privileges as something
 stupid.

But you don't have to be doing something stupid (like unnecessary use of 
Administrator privileges) to be caught out.
At some point you have to trust (say) your external DNS to really give you the 
real patch file you asked for, as opposed to Something Nasty.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-17 Thread Thomas Chiverton
On Friday 17 Oct 2003 15:53 pm, Jochem van Dieten wrote:
  You don't have to be doing something stupid to trigger a trojan.
 What would be a non-stupid way for an admin to trigger a trojan on his
 server?

DNS poisoning when you downloaded the patch file, for instance.
On UNIX boxes, a local attacker could have altered an alias for a common 
command to fetch, compile and insert a Nasty kernel module and then waited 
for you to run that command.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-17 Thread Jochem van Dieten
Thomas Chiverton wrote:
 On Friday 17 Oct 2003 15:53 pm, Jochem van Dieten wrote:
 
You don't have to be doing something stupid to trigger a trojan.

What would be a non-stupid way for an admin to trigger a trojan on his
server?
 
 
 DNS poisoning when you downloaded the patch file, for instance.
 On UNIX boxes, a local attacker could have altered an alias for a common 
 command to fetch, compile and insert a Nasty kernel module and then waited 
 for you to run that command.

That is what checksums are for.

Jochem






RE: Antivirus software on web server

2003-10-16 Thread Mark W. Breneman
Thanks everyone….

As much as I am opposed to the idea, I am leaning towards installing
Norton Antivirus Corporate on all of my web servers.

The question was brought up, that how would you ever know if your server
was infected without some software scanning. My argument to that was if
the server is correctly secured that should never be an issue, but, with
new exploits being discovered each month the chances go up that the
server could be compromised before the patch is applied. 

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
  Vivid Media
  [EMAIL PROTECTED]
  www.vividmedia.com
  608.270.9770
-Original Message-
From: NATHAN C. SMITH [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 15, 2003 4:44 PM
To: CF-Talk
Subject: RE: Antivirus software on web server

I think it is a necessary evil.

People are finding too many neat ways for things to creep across
networks.

-Nate
-Original Message-
From: Mark W. Breneman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:23 PM
To: CF-Talk
Subject: SOT: Antivirus software on web server

I can remember this topic has been hashed over a few different times
here, over the years.  Have the opinions changed over the last year or
so?

Do YOU have antivirus software on your servers?  

Do you recommend it on web servers?  

If so, what software?

I have in the past been on the side of not needing AV software on the
server. Now I am, and have been for a few months, sitting on the fence.
A few years ago, as a computer tech, I said that AV software is very
good to have at home / office but not necessary. Now, I highly recommend
AV software on any computer that is connected to the net in the home /
office environment.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
  Vivid Media
[EMAIL PROTECTED]
  www.vividmedia.com
  608.270.9770






Re: Antivirus software on web server

2003-10-16 Thread Jochem van Dieten
Mark W. Breneman wrote:
 
 As much as I am opposed to the idea, I am leaning towards installing
 Norton Antivirus Corporate on all of my web servers.
 
 The question was brought up, that how would you ever know if your server
 was infected without some software scanning.

You see it in the task list. And if it does anything besides 
being there (like trying to spread), you see that in your network 
traffic.

Jochem






RE: Antivirus software on web server

2003-10-16 Thread Mark W. Breneman
True it probably would show in the task or process lists, but if I were
to write a worm/Trojan, I would make it show up in the task list as
SVCHOST.exe, the generic name of a DLL process.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 9:41 AM
To: CF-Talk
Subject: Re: Antivirus software on web server

Mark W. Breneman wrote:
 
 As much as I am opposed to the idea, I am leaning towards installing
 Norton Antivirus Corporate on all of my web servers.
 
 The question was brought up, that how would you ever know if your
server
 was infected without some software scanning.

You see it in the task list. And if it does anything besides 
being there (like trying to spread), you see that in your network 
traffic.

Jochem






Re: Antivirus software on web server

2003-10-16 Thread Jochem van Dieten
Mark W. Breneman wrote:
 True it probably would show in the task or process lists, but if I were
 to write a worm/Trojan, I would make it show up in the task list as
 SVCHOST.exe, the generic name of a DLL process.

1. You know how many of those you have on your server.
2. tlist will show the application names behind svchost.exe

Jochem
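
The two checks listed in this reply, as an added example that is not from the thread: count the svchost.exe instances against a known baseline and look at which services each one hosts. It reads the CSV output of the built-in `tasklist /svc /fo csv` rather than `tlist`; the sample output, the baseline and the service name `UpdSvc` are constructed, and English column headers are assumed.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from a real host).
SAMPLE = "\n".join([
    '"Image Name","PID","Services"',
    '"System Idle Process","0","N/A"',
    '"svchost.exe","812","RpcSs"',
    '"svchost.exe","904","Dhcp,Dnscache,EventLog"',
    '"inetinfo.exe","1600","IISADMIN,W3SVC"',
    '"svchost.exe","1432","N/A"',
    '"SVCHOST.EXE","2210","UpdSvc"',
]) + "\n"

# Hypothetical baseline recorded when the server was built and known clean.
BASELINE = {
    "count": 2,
    "services": {"RpcSs", "Dhcp", "Dnscache", "EventLog"},
}


def parse_services(field):
    """tasklist prints N/A when a process hosts no services."""
    field = field.strip()
    if field == "N/A" or not field:
        return set()
    return {name.strip() for name in field.split(",")}


def audit_svchost(tasklist_csv, baseline):
    """Return a list of (kind, pid_or_count, detail) findings; empty means clean."""
    rows = [
        row for row in csv.DictReader(io.StringIO(tasklist_csv))
        if row["Image Name"].lower() == "svchost.exe"
    ]
    findings = []
    # Check 1: you know how many instances the server normally has.
    if len(rows) != baseline["count"]:
        findings.append(("count", len(rows), baseline["count"]))
    # Check 2: look at what sits behind each instance.
    for row in rows:
        pid = int(row["PID"])
        services = parse_services(row["Services"])
        if not services:
            # A process with this name that hosts no services is only borrowing the name.
            findings.append(("no-services", pid, None))
        for name in sorted(services - baseline["services"]):
            findings.append(("unexpected-service", pid, name))
    return findings


if __name__ == "__main__":
    for finding in audit_svchost(SAMPLE, BASELINE):
        print(finding)
```

This only sees what the operating system reports, so it does not cover the case raised elsewhere in the thread of code that hides itself from the task list.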






RE: Antivirus software on web server

2003-10-16 Thread Adam Wayne Lehman
Mark,

 
Once you get your anti-virus software installed and running on your web
server, would you mind sharing with the list what kind of performance
impact it creates. Are you planning to run scheduled system scans?

 
Adam Wayne Lehman
Web Systems Developer
Johns Hopkins Bloomberg School of Public Health
Distance Education Division

 
-Original Message-
From: Mark W. Breneman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 11:45 AM
To: CF-Talk
Subject: RE: Antivirus software on web server

 
True it probably would show in the task or process lists, but if I were
to write a worm/Trojan, I would make it show up in the task list as
SVCHOST.exe, the generic name of a DLL process.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 9:41 AM
To: CF-Talk
Subject: Re: Antivirus software on web server

Mark W. Breneman wrote:
 
 As much as I am opposed to the idea, I am leaning towards installing
 Norton Antivirus Corporate on all of my web servers.
 
 The question was brought up, that how would you ever know if your
server
 was infected without some software scanning.

You see it in the task list. And if it does anything besides 
being there (like trying to spread), you see that in your network 
traffic.

Jochem





RE: Antivirus software on web server

2003-10-16 Thread Robertson-Ravo, Neil (RX)
Hey,

 
We have installed Anti-Virus on 3 of our web servers (2 simple webservers
just serving pages and 1 as an admin/web server). 

 
We have not encountered any real performance issues...

-Original Message-
From: Adam Wayne Lehman [mailto:[EMAIL PROTECTED]
Sent: 16 October 2003 16:50
To: CF-Talk
Subject: RE: Antivirus software on web server

Mark,

Once you get your anti-virus software installed and running on your web
server, would you mind sharing with the list what kind of performance
impact it creates. Are you planning to run scheduled system scans?

Adam Wayne Lehman
Web Systems Developer
Johns Hopkins Bloomberg School of Public Health
Distance Education Division

-Original Message-
From: Mark W. Breneman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 11:45 AM
To: CF-Talk
Subject: RE: Antivirus software on web server

True it probably would show in the task or process lists, but if I were
to write a worm/Trojan, I would make it show up in the task list as
SVCHOST.exe, the generic name of a DLL process.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 9:41 AM
To: CF-Talk
Subject: Re: Antivirus software on web server

Mark W. Breneman wrote:
 
 As much as I am opposed to the idea, I am leaning towards installing
 Norton Antivirus Corporate on all of my web servers.
 
 The question was brought up, that how would you ever know if your
server
 was infected without some software scanning.

You see it in the task list. And if it does anything besides 
being there (like trying to spread), you see that in your network 
traffic.

Jochem





Re: Antivirus software on web server

2003-10-16 Thread Prince Critter
oi Jochem!!

tlist?

-- 


Thursday, October 16, 2003, 11:45:11 AM, you wrote:

JvD Mark W. Breneman wrote:
 True it probably would show in the task or process lists, but if I were
 to write a worm/Trojan, I would make it show up in the task list as
 SVCHOST.exe, the generic name of a DLL process.

JvD 1. You know how many of those you have on your server.
JvD 2. tlist will show the application names behind svchost.exe

JvD Jochem

JvD 




RE: Antivirus software on web server

2003-10-16 Thread Mark W. Breneman
Hey that is kinda handy. tlist. I learn something each day. (Now that
I have learned it, too bad I can't go back to bed :-)



Thanks!



Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 10:45 AM
To: CF-Talk
Subject: Re: Antivirus software on web server

Mark W. Breneman wrote:
 True it probably would show in the task or process lists, but if I
were
 to write a worm/Trojan, I would make it show up in the task list as
 SVCHOST.exe, the generic name of a DLL process.

1. You know how many of those you have on your server.
2. tlist will show the application names behind svchost.exe

Jochem






Re: Antivirus software on web server

2003-10-16 Thread Thomas Chiverton
On Thursday 16 Oct 2003 16:45 pm, Jochem van Dieten wrote:
 Mark W. Breneman wrote:
  True it probably would show in the task or process lists, but if I were
  to write a worm/Trojan, I would make it show up in the task list as
  SVCHOST.exe, the generic name of a DLL process.

 1. You know how many of those you have on your server.
 2. tlist will show the application names behind svchost.exe

If I was writing a worm/Trojan, I'd have it patch the relevant system calls 
and therefore hide from the Tasklist.

-- 
Tom Chiverton 
Advanced ColdFusion Programmer

Tel: +44(0)1749 834997
email: [EMAIL PROTECTED]
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.




Re: Antivirus software on web server

2003-10-16 Thread Jochem van Dieten
Minion Critter wrote:
 
 tlist?

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q250/3/20.ASPNoWebContent=1

Jochem






Re: Antivirus software on web server

2003-10-16 Thread Prince Critter
oi Jochem!!

Ha!

ta

-- 


Thursday, October 16, 2003, 12:08:52 PM, you wrote:

JvD Minion Critter wrote:
 
 tlist?

JvD http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q250/3/20.ASPNoWebContent=1

JvD Jochem

JvD 




Re: Antivirus software on web server

2003-10-16 Thread Jochem van Dieten
Thomas Chiverton wrote:
 On Thursday 16 Oct 2003 16:45 pm, Jochem van Dieten wrote:
Mark W. Breneman wrote:

True it probably would show in the task or process lists, but if I were
to write a worm/Trojan, I would make it show up in the task list as
SVCHOST.exe, the generic name of a DLL process.

1. You know how many of those you have on your server.
2. tlist will show the application names behind svchost.exe
 
 If I was writing a worm/Trojan, I'd have it patch the relevant system calls 
 and therefore hide from the Tasklist.

No account, not even LocalSystem, should have permission to patch 
core OS files.

Jochem






RE: Antivirus software on web server

2003-10-16 Thread Mark W. Breneman
Adam,

If I install NAV, I'll be glad to post back to the list the results.

I am not planning on running scheduled system scans. I am not too
worried about file based viruses (boot sector, Trojan or email/scr),
what I am hoping to prevent is worms that prey on security holes like
slammer, blaster or Code Red.

I am 99% sure that my servers are secure, my software firewall and
hardware firewall are configed correctly and all relevant patches are
applied, but if I miss one, I could spend my weekend rebuilding a
server. 

It would be nice if there was a web server version of NAV. Or something
that is ultra light on CPU time and system resources.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Adam Wayne Lehman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 10:50 AM
To: CF-Talk
Subject: RE: Antivirus software on web server

Mark,

Once you get your anti-virus software installed and running on your web
server, would you mind sharing with the list what kind of performance
impact it creates. Are you planning to run scheduled system scans?

Adam Wayne Lehman
Web Systems Developer
Johns Hopkins Bloomberg School of Public Health
Distance Education Division

-Original Message-
From: Mark W. Breneman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 11:45 AM
To: CF-Talk
Subject: RE: Antivirus software on web server

True it probably would show in the task or process lists, but if I were
to write a worm/Trojan, I would make it show up in the task list as
SVCHOST.exe, the generic name of a DLL process.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 9:41 AM
To: CF-Talk
Subject: Re: Antivirus software on web server

Mark W. Breneman wrote:
 
 As much as I am opposed to the idea, I am leaning towards installing
 Norton Antivirus Corporate on all of my web servers.
 
 The question was brought up, that how would you ever know if your
server
 was infected without some software scanning.

You see it in the task list. And if it does anything besides 
being there (like trying to spread), you see that in your network 
traffic.

Jochem





RE: Antivirus software on web server

2003-10-16 Thread Dave Watts
 The question was brought up, that how would you ever know 
 if your server was infected without some software scanning.
 My argument to that was if the server is correctly secured 
 that should never be an issue, but, with new exploits being 
 discovered each month the chances go up that the server 
 could be compromised before the patch is applied. 

If you're concerned about server exploits, a virus scanner probably isn't
going to help you very much, if at all. You're much better off using a
host-based firewall to limit inbound and outbound traffic appropriately, and
use something wherever possible to examine that traffic (stateful packet
inspection at your host-based firewall, or a web server input filter, for
example).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





RE: Antivirus software on web server

2003-10-16 Thread Thane Sherrington
At 11:26 AM 10/16/03 -0500, Mark W. Breneman wrote:


It would be nice if there was a web server version of NAV. Or something
that is ultra light on CPU time and system resources.

I'd use Sophos (www.sophos.com)

T

Tired of your bookmarks/favourites being limited to one computer? Move 
them to the Net!
www.stuffbythane.com/webfavourites makes it easy to keep all your 
favourites in one place and
access them from any computer that's attached to the Internet. 





RE: Antivirus software on web server

2003-10-16 Thread Mark W. Breneman
Dave, as always, true.

Maybe I should be asking if there is worm scanning software out there
that has auto-updating worm defs. And maybe I should do my homework
and 2x check that Norton Anti Virus does scan and prevent worms from
infecting a computer.

Thanks

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 16, 2003 11:38 AM
To: CF-Talk
Subject: RE: Antivirus software on web server

 The question was brought up, that how would you ever know 
 if your server was infected without some software scanning.
 My argument to that was if the server is correctly secured 
 that should never be an issue, but, with new exploits being 
 discovered each month the chances go up that the server 
 could be compromised before the patch is applied. 

If you're concerned about server exploits, a virus scanner probably isn't
going to help you very much, if at all. You're much better off using a
host-based firewall to limit inbound and outbound traffic appropriately, and
use something wherever possible to examine that traffic (stateful packet
inspection at your host-based firewall, or a web server input filter, for
example).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





Re[2]: Antivirus software on web server

2003-10-16 Thread cf-talk
First we tried Norton Anti Virus 2 years ago.
It produced horrible CPU-load.
We switched to F-Prot on WIN NT 4 Server.
That went fine.

The reason we installed it on our WWW-Server
is, that people can upload files. (and these might be infected).

But even a plain HTML file can be carrying viruses too.
So I would recommend doing it.

Uwe

Thursday, October 16, 2003, 5:50:07 PM, you wrote:

AWL Mark,

 
AWL Once you get your anti-virus software installed and running on your web
AWL server, would you mind sharing with the list what kind of performance
AWL impact it creates. Are you planning to run scheduled system scans?

 
AWL Adam Wayne Lehman
AWL Web Systems Developer
AWL Johns Hopkins Bloomberg School of Public Health
AWL Distance Education Division

 
AWL -Original Message-
AWL From: Mark W. Breneman [mailto:[EMAIL PROTECTED] 
AWL Sent: Thursday, October 16, 2003 11:45 AM
AWL To: CF-Talk
AWL Subject: RE: Antivirus software on web server

 
AWL True it probably would show in the task or process lists, but if I were
AWL to write a worm/Trojan, I would make it show up in the task list as
AWL SVCHOST.exe, the generic name of a DLL process.

AWL Mark W. Breneman
AWL -Cold Fusion Developer
AWL -Network Administrator
AWL Vivid Media
AWL [EMAIL PROTECTED]
AWL www.vividmedia.com
AWL 608.270.9770

AWL -Original Message-
AWL From: Jochem van Dieten [mailto:[EMAIL PROTECTED] 
AWL Sent: Thursday, October 16, 2003 9:41 AM
AWL To: CF-Talk
AWL Subject: Re: Antivirus software on web server

AWL Mark W. Breneman wrote:
 
 As much as I am opposed to the idea, I am leaning towards installing
 Norton Antivirus Corporate on all of my web servers.
 
 The question was brought up, that how would you ever know if your server
 was infected without some software scanning.

AWL You see it in the task list. And if it does anything besides 
AWL being there (like trying to spread), you see that in your network 
AWL traffic.

AWL Jochem





SOT: Antivirus software on web server

2003-10-15 Thread Mark W. Breneman
I can remember this topic has been hashed over a few different times
here, over the years. Have the opinions changed over the last year or
so?

Do YOU have antivirus software on your servers?

Do you recommend it on web servers?

If so, what software?

I have in the past been on the side of not needing AV software on the
server. Now I am, and have been for a few months, sitting on the fence.
A few years ago, as a computer tech, I said that AV software is very
good to have at home / office but not necessary. Now, I highly recommend
AV software on any computer that is connected to the net in the home /
office environment.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770






RE: Antivirus software on web server

2003-10-15 Thread Dave Watts
 Do YOU have antivirus software on your servers?

Generally, not on web servers, no.

 Do you recommend it on web servers?

Generally, no, unless you allow file uploads and those uploaded files could
possibly be executable.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
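
Dave's condition above (uploads that could possibly be executable) can be tested at upload time, before a file is written anywhere the web server or an administrator might run it. The following is an added example, not code from the thread; the function name, the blocked-extension list and the sample uploads are assumptions constructed here.

```python
import os

# Leading bytes of natively executable formats (well-known file signatures).
EXECUTABLE_MAGIC = [
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF binary"),
    (b"#!", "script with interpreter line"),
]

# Assumption: extensions this server would interpret or Windows would launch.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs",
    ".cfm", ".cfml", ".cfc", ".asp", ".php", ".jsp",
}

def screen_upload(filename, data):
    """Return (accepted, reason) for one uploaded file."""
    # Strip any client-supplied directory part, Windows or POSIX style.
    base = os.path.basename(filename.replace("\\", "/")).lower()
    # Check every dotted component so 'tool.exe.jpg' is caught as well.
    for ext in base.split(".")[1:]:
        if "." + ext in BLOCKED_EXTENSIONS:
            return False, f"blocked extension .{ext}"
    # The name can lie, so also check what the content actually starts with.
    for magic, label in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return False, f"content is a {label}"
    return True, "no executable indicators"

# Constructed sample uploads: (client-supplied name, first bytes of the body).
SAMPLE_UPLOADS = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00"),
    ("page.CFM", b"<cfoutput>hello</cfoutput>"),
    ("C:\\tmp\\tool.exe.jpg", b"\xff\xd8\xff\xe0"),
    ("notes.txt", b"#!/bin/sh\n"),
]

if __name__ == "__main__":
    for name, body in SAMPLE_UPLOADS:
        print(name, screen_upload(name, body))
```

A file that passes this screen can still carry a macro virus or similar payload, which is the case where the scanners discussed in the thread apply.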





RE: Antivirus software on web server

2003-10-15 Thread NATHAN C. SMITH
I think it is a necessary evil.

People are finding too many neat ways for things to creep across networks.

-Nate
-Original Message-
From: Mark W. Breneman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:23 PM
To: CF-Talk
Subject: SOT: Antivirus software on web server

I can remember this topic has been hashed over a few different times
here, over the years. Have the opinions changed over the last year or
so?

Do YOU have antivirus software on your servers?

Do you recommend it on web servers?

If so, what software?

I have in the past been on the side of not needing AV software on the
server. Now I am, and have been for a few months, sitting on the fence.
A few years ago, as a computer tech, I said that AV software is very
good to have at home / office but not necessary. Now, I highly recommend
AV software on any computer that is connected to the net in the home /
office environment.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770






RE: Antivirus software on web server

2003-10-15 Thread Rafael Bleiweiss
I have a main web server with a separate mail server, and a 3rd box for smaller
clients that's a combined mail and web server.

ON THAT box and the Mail server I run Norton Antivirus Corporate. I do this
from the main network server where Norton's Console is installed. All of
the boxes have the client Norton doing Live Updates that grab their def.
files from the main server. The main server gets its def. files from Symantec's
Intelligent Updater files, which we pull daily.

(Yes, we do allow client uploads for some sites)

At 04:34 PM 10/15/03, you wrote:
  Do YOU have antivirus software on your servers?

Generally, not on web servers, no.

  Do you recommend it on web servers?

Generally, no, unless you allow file uploads and those uploaded files could
possibly be executable.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
