Is AntiVirus appropriate for servers any more?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Is AntiVirus appropriate for servers any more?

    While reading this thread a thought occurred to me. Rather than derail the thread and take it off topic I thought I'd start a new one.

    Premise:

    Are AntiVirus solutions appropriate in a server environment or are they becoming a "warm, fuzzy feeling" issue for those that implement them? What follows is a discourse aimed at the "professional" world not the home user market.

    Viruses and Worms:

    The threat today and in the future is from two beasts that are quite distinctly different, (let's not start on "blended threats"), in the way they function and their target "audience". The differences seem to be, (Yes, there are generalizations...):-

    1. Viruses, by definition require human interaction where worms do not.

    2. While viruses can spread very quickly, worms can spread even faster and in the future are expected to move worldwide in fifteen minutes or less.

    3. Worms rely upon exploits in functioning, publicly available services while viruses rely upon user "stupidity"(?)

    4. The defense against a worm is to patch the vulnerability it exploits or to close the service until a patch is available... (Yeah, we could packet capture the worm and use a Snort rule to reset the connection at both ends.... But that's another story... and if it is polymorphic it won't work).

    5. The defense against viruses is to recognize a signature and act accordingly per the user configuration.

    The problem as I see it.

    There's a reason you need Firewalls, The Cleaner for trojans, Ad-Aware/SpyBot/CWShredder/HiJack This for ASMware and your favorite AV program to keep your precious computer safe from viruses and worms. No single solution can keep up, effectively, with the volume and variations of everything as a whole. Why? Because they are based on different delivery methods, signatures etc. etc.

    The Issue

    Since the appropriate defense against worms differs from that for the defense against viruses why do the AV companies waste their time working on worms for their "professional" grade products?

    My Reasoning

    At the server level, (one that is publicly available), the AntiVirus program "protecting" you usually reacts "post" exploit by a worm. But with worms moving through publicly available services the AntiVirus won't be aware of the worm's signature because the signature may not yet be available. Furthermore, with the trend in "attacking" the AV software to disable it, it isn't inconceivable that a worm could disable the AV, alter the signature file to ignore itself, and restart the AV to make the administrator believe he has a good, updated AV and therefore be safe from the very worm he is hosting.

    Worms that exploit publicly available servers are best protected against by effective firewalls that block all access to services that are not essential and timely patching of vulnerable services by the administrator.

    Viruses aren't generally aimed at the server... They are aimed at the user and the most common form of transmission to the user is email. The mail store can be protected as can the client. But unless you are a totally inadequate administrator a worm should never reach your clients. Should it?

    The Question

    Is it time for AntiVirus vendors to accept that they cannot properly defend servers with publicly available services from fast moving worms and concentrate on the common vectors of attack used by viruses specifically? Thus, improving their reaction speed to the rapidly mutating viruses that have become all too common.

    Thoughts.... Comments.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Nice article Tiger. Are you turning off your virus scanner on the mail servers this weekend?

    I do agree that virus defenders have a tough time, but regardless of delivery methods a worm modifies the server environment in a way that could be detected. Sure, one could hypothesize a virus that will shut down the scan engine, modify files, and restart the scan engine, but how does one "design" a worm engine for the unknown? Especially with so many software products capable of remote communication and processing.

    AntiVirus companies do focus on these variables already. For instance, as long as the "overlord" isn't attacked in a multi-tiered virus defense system, then this PC will see what could be described as an "outbreak" and disable network communications to disrupt spread. Alas, I do see your point: if a worm can spread across the internet in, say, 15 minutes there is no defence - outside - a network of PCs monitoring one another that are "smart" enough to detect something wrong. In that case, worm defense is level 1. Business resumption is level 2. Expect level 2 from time to time.

    In essence I answer yes to your questions but think the possibility of success is small if any kind of public access is available.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Yes in answer to your question.

    I have worked with several clients who do not use AV on their servers; the boxes are hardened and have strict firewall rules in place. So the admins of these systems feel there is no need to have antivirus running as there is no way anything is ever going to get in there. They also perform regular vulnerability assessments and apply patches in a prompt fashion.

    The problem though is that offering defenses against worms is a nice selling point; the reality is, as you say, that with the speed of proliferation ever increasing there really is no way they can act as a defensive measure.

    So then we can suggest that everyone harden their boxes, apply patches, use strong firewall rulesets etc.. However, if you harden a Windows or NIX box to the extreme levels provided by folks such as the NSA you end up with a box where no one can do anything and half the apps you need to run to support your app don't work. Patches tend to appear post worm release, and strong firewall rulesets seem to be seen by many as a hindrance.

    I'm not even sure how useful the AV companies could be by focusing on viruses; so many of them require human interaction, something over which they can have no influence. So user awareness becomes the key issue.

    In fact, people are the problem throughout. If you enforce strict firewall rules for outbound traffic someone inevitably complains to the CFO etc., who then goes over the head of the network admin and insists on ports being opened up so people can use iTunes, etc... I have seen this many times, especially in financial institutions where you have lots of traders sitting around, who tend to have egos the size of China and want what they want now! So open up that firewall to ports X, Y & Z, oh, and then open it up to A, B & C; eventually the admin gets so fed up he just allows everything outbound and then hopes for the best.

    These same people are the ones who receive an .exe labelled "britney spears sex orgy" and doubleclick it.

    The underlying problem is that the bottom line is what drives so many security decisions. Ideally everyone would have super hardened B level OS app servers with strict firewalls in place and a completely isolated user environment, but this is expensive, so instead let's run those banking apps on a couple of IIS boxes, apply a few patches, stick AV on and hope for the best.

    May have gone off on a tangent there, but yes Tiger, I agree; I just don't know what the solution is in the long run. I guess some kind of IPS/AV hybrid might be a useful thing. In fact, making all the security systems one interconnected structure, which we are starting to see, is the way to go I think.
    Quis custodiet ipsos custodes

  4. #4
    Viruses aren't generally aimed at the server...
    Scob got onto IIS servers through the mail, (MS04-013), infected them and appended malicious script onto their pages. The bad administrator that opens the email gets exploited through Outlook, and ends up infecting the footer of every html on the server. (But who checks their email on the webserver anyway?) I don't know if stripping attachments would have held back Scob. I would guess plain-texting your emails would stop it (if not, that's pretty bad on MS's part).

    I would guess that would be one reason for having AV, if you need an automated solution. I guess the future of heuristics is our solution. Take hydan for example... it will make any scanner its bitch when polymorphism like that is incorporated into malware.

  5. #5
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I'd have to say that AV is pretty crucial on a server. Running a Samba server with ClamAV can protect your client machines. Running SAVCE on a Windows server can protect users' profiles and home directories where their attachments get stored..
    I am at the point right now where I am fed up with AV companies not standardizing names, and using crappy heuristics.

    The concept of a worm that disables and enables AV to prevent itself from being detected is an interesting one. Typically they just hide themselves by sleeping; when they start modifying the detection engine.. expect trouble.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well, let's see. I do run AV on 4 of 8 servers, the last remaining Win servers I have. I nixed Exchange about 2 weeks ago. Anyway, the reason for the AV on the servers is in fact that there is nothing to prevent a user from downloading an attachment off the web via their Hotmail, Yahoo or other type of web email. The only two email infections I have had in the last 7 years were caused by a user downloading an attachment via their webmail accounts. The firewall takes care of most all kinds of pif, scr, com, exe, etc type files, and the new open source email server nixed the latest version of the Beagle virus with its AV in the zip file, not to mention clearing out about 90% of the spam arriving daily. I really have to say that to implement Linux across 4 servers, soon to be another 4, was not expensive; true, it is not really point and click, but I started before M$ had their market share. So yes, I run AV on servers and the firewall blocks most unwanted attachments, but I cannot block lame users that ignore the emails that state what's what, go off to their web email and download it. Oops, the download was one of the triggers I sent out in that network advisory. It protects the servers from the lame users!
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glen Seaborg
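    As an added illustration of the attachment filtering this post describes (example code written for this page, not the poster's own setup): a Python gateway filter that rejects executable attachment types by final extension and by header bytes, and opens zip archives, including nested ones, so a zipped executable like the Beagle sample the poster's mail server caught is still rejected. The extensions beyond pif/scr/com/exe, the nesting and size limits, and the sample archives are assumptions.

    ```python
    import io
    import zipfile

    # Executable attachment types the post says the firewall drops; .bat/.cmd/.vbs
    # are added here as an assumption, not taken from the post.
    BLOCKED_EXTENSIONS = (".pif", ".scr", ".com", ".exe", ".bat", ".cmd", ".vbs")
    MZ_MAGIC = b"MZ"           # DOS/PE executable header
    ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive
    MAX_NESTING = 3            # refuse zips nested deeper than this (assumed policy)
    MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse oversized members (assumed policy)


    def is_blocked_name(name):
        """True if the final suffix is an executable type ('photo.jpg.exe' included)."""
        return name.lower().endswith(BLOCKED_EXTENSIONS)


    def inspect_attachment(name, data, depth=0):
        """Return a list of rejection reasons for one attachment; empty means allow."""
        reasons = []
        if is_blocked_name(name):
            reasons.append(f"{name}: blocked extension")
        elif data.startswith(MZ_MAGIC):
            # Renamed executable: the extension looks harmless but the bytes do not.
            reasons.append(f"{name}: executable header despite extension")
        if not data.startswith(ZIP_MAGIC):
            return reasons
        if depth >= MAX_NESTING:
            return reasons + [f"{name}: zip nested deeper than {MAX_NESTING}"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:
                        # An encrypted member cannot be inspected, so it is not trusted.
                        reasons.append(f"{member}: encrypted member, cannot inspect")
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"{member}: member too large to inspect")
                        continue
                    reasons.extend(inspect_attachment(member, archive.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt zip archive")
        return reasons


    def build_sample_zip(members):
        """Construct an in-memory zip from {filename: bytes}; used only for samples."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            for filename, payload in members.items():
                archive.writestr(filename, payload)
        return buf.getvalue()


    if __name__ == "__main__":
        sample = build_sample_zip({"invoice.exe": b"MZ\x90\x00"})  # constructed sample
        print(inspect_attachment("photo.jpg", b"\xff\xd8\xff\xe0"))  # clean JPEG header
        print(inspect_attachment("mail.zip", sample))                # zipped executable
    ```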

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I think Palemoon is hinting at a good point............what about the "enemy within"?

    It is users who connect to the server who are as big a risk as the server being connected to the internet.

    Sure, AVs are reactive rather than proactive, but some are better than others in the heuristic detection/behavioural analysis department.

    I have a sort of optimistic view that AV and other anti-malware products shorten the life-cycle of the "bad guys", but user awareness is your strongest defence (yeah, yeah.....dream on nihil..... )

    Seriously though, folks..............how many of you run any sort of user awareness, security consciousness programmes?

    We are always the first to criticise the user, but there IS a difference between ignorance and stupidity, is there not?

    I think Tiger~ has hit on another aspect, in that the AV companies are now trying to be "jack of all trades" and are possibly ending up as "masters of none"?

    I think that the future will bring better integrated solutions, but for the moment I will vote for leaving the server AV turned on.

    Just my thoughts

    Interesting topic Tiger~

    Cheers

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok.... Sorry for the long time away.... I found a small piece of life behind the fridge and thought I'd better use it before it went entirely green and fuzzy.....

    Ok, so what I glean from the conversation to date.......

    1. Administrators using the server as a workstation..... Well, can we all say "dumbass" together please. Public facing servers should never have anything run on them that isn't essential to their function. Checking email and surfing the net simply don't qualify I'm afraid.... Shoot the admin.... Put him out of his misery.....

    2. Providing public access to authorized users for the purpose of accessing their files etc..... Well, I would consider that to be a workstation, a publicly available one at that. In this case AV is clearly warranted since you are allowing "untrusted" users, (who trusts their users), to run a series of programs that are potentially vulnerable. Yep, I would say this is definitely a justification for AV on a public server.

    3. OK, internal users connecting to public servers from the inside.... I can see where you are going. But shouldn't this server provide them with only the same rights as someone accessing from the public network? If it's ftp access so they can update the web site for example the execute right should not be allowed.... So there's not a problem there... If the rights are properly assigned to the server then it's going to require admin access to be able to harm it, isn't it?

    4. Nice selling point..... Well.... yes.... if you don't know or understand the threat I suppose it is.... But then you probably shouldn't be managing the box really, should you?

    I suppose my whole point is that there is a place for AV. IMO, AV belongs where clients that have a certain amount of unfettered access to the places where they might get a virus, (not a worm). As to production servers, other than AV on mail servers, (which is technically protecting the client not the server), there isn't much place for it.

    Couple this with the fact that AV doesn't capably protect against viruses any more in the case of a serious attack like Netsky, Bagle and whatever recently, where the viruses mutated so quickly that the vendors couldn't keep up. In fact, IMO, with the current ability and the future potential for virus speed, polymorphism etc., the signature model is flawed in the first place.

    Since they can't keep up with a major assault by viruses, (their reason for being there), I am beginning to question the sense of their wasting their time attempting to sell something that anyone who understands the threat knows that they have practically zero chance of protecting against.

    I'm not saying that AV doesn't have its place.... I am saying that its life is limited and that, other than the "warm fuzzies", it has no place on a production server that doesn't provide access to internal systems for your own clients.....

    Is my thought process becoming clearer on this?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    Re: Is AntiVirus appropriate for servers any more?

    Originally posted here by Tiger Shark
    3. Worms rely upon exploits in functioning, publicly available services while viruses rely upon user "stupidity"(?)
    Not necessarily "stupidity". It could be totally legitimate acceptable activity, like passing around .exe files created by their own compiler (or other exe creation software, like .zip self extractors etc)

    4. The defense against a worm is to patch the vulnerability it exploits or to close the service until a patch is available... (Yeah, we could packet capture the worm and use a Snort rule to reset the connection at both ends.... But that's another story... and if it is polymorphic it won't work).
    Well, a lot of worms work because people have inadequate firewalls, or because they don't turn off services which are not in use (or in the case of IIS, *parts* of the service)

    5. The defense against viruses is to recognize a signature and act accordingly per the user configuration.
    Yes, of course. But AV software mostly works on files on disc. If a worm never loads itself on to disc (such as Code Red), then it is not recognised by AV.

    I don't know whether the standard on-access scanners actually have a signature for code red at all, as it would be useless (it doesn't save itself). Ditto SQLSlammer (IIRC).

    It is true that defending against high-speed worms is difficult. I would probably not want an auto-update AV or heuristic AV on a production web server because of the danger of it mis-identifying an important file as a virus.

    Some gateway content-filter products might be successful at protecting otherwise vulnerable systems though, by looking for known patterns.

    Is it time for AntiVirus vendors to accept that they cannot properly defend servers with publicly available services from fast moving worms and concentrate on the common vectors of attack used by viruses specifically? Thus, improving their reaction speed to the rapidly mutating viruses that have become all too common.
    I think server AV are totally valid, even if the server is running a different OS or architecture from the machines you want to protect.

    For actual *viruses*, it is possible for a machine to be a carrier without being vulnerable itself (for instance by having an incompatible OS, lacking necessary software to run the virus, different arch etc).

    So you think your PPC Linux box is safe from Windows viruses - yes it is - but that doesn't mean they can't spread via it. An on-access scanner would ensure that viruses cannot propagate via the machine even if it isn't vulnerable.

    Slarty

  10. #10
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    In this discussion I think we need to realise we are talking about a server, not a client access machine or workstation. As commented by TS, the method of attack is different.
    One relies on software vulnerabilities and the other on the end user's (read here stupidity, Id-10-T, social engineering); the other relies on the weaknesses in the server's OS, its applications, the admin's configuration or a combination of the above.

    Consumer box users want all in one and expect it to automatically do everything for them.. commercial boxes are a different story.. unfortunately the powers that be have exactly the same expectations.. and the AV cos pander to that expectation..

    I have more to say.. just have a routing problem between my server and the data output ports..

    BBL
    "Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
