[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <28167.1241024657@turing-police.cc.vt.edu>
Date: Wed, 29 Apr 2009 13:04:17 -0400
From: Valdis.Kletnieks@...edu
To: don bailey <don.bailey@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Anti virus installations on Windows servers
On Wed, 29 Apr 2009 10:34:55 MDT, don bailey said:
> Please don't speak for all security professionals. "We" do not do the
> same thing(s) you do. Also, it surprises me that you think Linux/OSX/etc
> are not virus capable.
Notice I never actually mentioned an operating system. You're the one that
hopped on the Linux/OSX bandwangon. ;)
I never said Linux/*BSD/Solaris/etc weren't virus capable. What I *said* was
that you want systems that have security designs that *already* include the
things you need to stop viruses and you don't need a separate anti-virus.
For example - if you have something that's creating a new executable in
the /bin directory and you don't know what it is, you have a problem, whether
it's a virus or somebody trying to trojan /bin/login. And once you've done
whatever hardening you want to keep a hacker from trojaning /bin/login, you've
*also* now stopped a virus from scribbling in /bin.
It's a change in mindset - you shouldn't be thinking about "I need to stop
the viruses", you should be thinking about "I need to close off the attack
surfaces so they can't be used by attackers, whether they're viruses or
something else".
This applies to Windows too: Installing anti-virus tools that try to minimize
the damage a virus can do when a user is running as Administrator is just
papering over the issue - the *problem* is that the user is running as
Administrator inappropriately. And lo and behold - once you deal with that
issue, you no longer need a special anti-virus widget for that case.
Don't think "malware types". Think "attack vectors". If you can deal with
the attack vectors, the malware types become irrelevant. And if you *can't*
deal with the attack vector, the malware type is *still* irrelevant - you have
a hole that can be used to pwn you.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists