Security Basics
Re: Running AV via SSH? (Was: Re: Bad Antivirus) Feb 18 2013 08:59PM
Michael Peppard (mpeppard impole com) (1 replies)

On 02/16/2013 06:59 PM, Tracy Reed wrote:
> On Thu, Feb 14, 2013 at 06:26:29AM PST, Michael Peppard spake thusly:
>> The scan is a stopgap for killing the functionality of the virus and to get
>> information on the virus, it's not the first or last line of defence.
> So if the antivirus does not detect anything, what is your next step?
Someone is going to fix the problem, regardless. It's your department's
job to fix computer problems.

They (help support staff) do a root cause analysis. It could be
end-user-installed software that your firewall or sniffer is reacting to. It
could be settings that, over a phone call, could be interpreted as a
virus. It could be a problem with a software update. It could be many
things, hardware and software related. The least statistically probable
is a virus that wasn't detected. Least probable and most probable don't
matter to a root cause analysis, except for the order in which you check the
branches of the causal tree.

If it's a virus or rootkit, based on observed behaviour or changes to the
computer or a pattern of problems that indicate spreading on the network,
etc., then you run a backup of the profile from the bootable CD you've
been using and reinstall from a network image, after getting a sample of
the virus for one of the antivirus companies you deal with. You should
have an escalation plan, dependent on your staff's skills, for these types
of issues.

>> If the virus makes it past the antivirus, the antivirus has to be reinstalled
>> at a minimum. If the virus is unknown or has a rootkit which all your
>> antivirus/rootkit tools are incapable of getting rid of then the machine has
>> to be rebuilt off a clone for that type of desktop or server.
> I would say the machine has to be reinstalled. And I always recommend reinstall
> regardless of whether the AV says it has "cleaned" the machine.

There are half a million viruses and variants that your antivirus cleans
just fine. If your desktop antivirus is compromised then there's a very
good chance you will have to spend a thousand dollars or so*. It's a
decision that has to be made after root cause analysis. Some EICAR
equivalent isn't going to justify scrubbing a drive.

*2 salaries and benefits for at least half a day plus opportunity costs.
People tend to get cranky when you lose their work, so the backup may
take additional time.

>
>> Why bother trying to save the machine? Because endusers get fussy when they
>> can't get kitten emails from their friends all day.
> What's more important? The end-users kittens or the security of the enterprise?
> If your execs don't understand and support you on this you are sunk anyway.
>

Don't read any of this as being complacent about security. I'm willing
to shut the company down for as long as it takes to fix an infection. I
ban Java and Flash despite backlashes.


Copyright 2010, SecurityFocus