-
May 13th, 2005, 08:13 PM
#61
Senior Member
Catch,
Ok, I will answer your question, and hopefully you will answer my last question?
Don't know what AIX is, but assume it is some sort of UNIX system?
From your reasoning it sounds like you are trying to say UNIX is secure, NT/2000 can be as secure too, if you configure it right.
I think that is almost a little too simple a comparison. Windows is a much bigger target than UNIX is. Way more viruses for Windows. However, if Windows didn't exist, and UNIX was the biggest one out there, I would imagine all the virus writers concentrating all their effort on UNIX instead of Windows, and they would most surely come up with a whole bunch of successful viruses for UNIX as well.
So "why not"? I guess because there are hardly any viruses for UNIX. UNIX is just not a big target.
-
May 13th, 2005, 08:16 PM
#62
I think AV...all depends on the environment.
We had a consultant come in with an infected laptop...it wasn't the AV that stopped the virus...it was my security settings...as the machine tried (and failed) to access network shares.
Because the consultant...wasn't an "Authenticated user", none of the shares were available and I was alerted by failures in my security logs.
Anyway...some environments you need to scan every machine, email file...then there are others where email is only scanned...depending on the users.
Some users like to visit inappropriate sites, download anything they can...open every damn piece of email...and there are the more cautious ones.
Patch your machines, remove the "Everyone Group", filter mail at the server, teach your users,...call them in on their internet habits and warn them...etc
No viruses for a couple of years...still have it running though...
It was handy when we got Nimda through an unpatched machine and it found an open share (user created...everyone full control). The AV helped isolate and then rid the beast...from a central point.
Just my .02 cdn
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
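The detection MLF describes above (an unauthenticated host failing against share after share, showing up as a burst of failures in the security log) can be automated. The script below is an added example, not code from MLF or anyone else in this thread. It assumes a hypothetical pipe-separated export of share-access audit events (timestamp, outcome, source host, account, share) and a domain name CORP; the log lines are constructed, not taken from any real system.

```python
"""Flag hosts that fail against many shares in a short window.

A worm or an unmanaged laptop probing for open shares produces a burst of
access failures from one source host, usually under a local or guest
account rather than a domain account. Counting those failures per host
turns the security log into an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed domain name; accounts not prefixed with it are treated as local.
DOMAIN = "CORP"

# Constructed sample audit lines in a hypothetical export format:
#   timestamp | outcome | source_host | account | share
SAMPLE_LOG = """\
2005-05-13 14:02:01 | FAILURE | CONSULTANT-LT | CONSULTANT-LT\\guest | \\\\FS01\\public
2005-05-13 14:02:02 | FAILURE | CONSULTANT-LT | CONSULTANT-LT\\guest | \\\\FS01\\finance
2005-05-13 14:02:02 | FAILURE | CONSULTANT-LT | CONSULTANT-LT\\guest | \\\\FS01\\hr
2005-05-13 14:02:03 | FAILURE | CONSULTANT-LT | CONSULTANT-LT\\guest | \\\\FS02\\public
2005-05-13 14:02:04 | FAILURE | CONSULTANT-LT | CONSULTANT-LT\\guest | \\\\FS02\\c$
2005-05-13 14:05:10 | SUCCESS | WS-ALICE | CORP\\alice | \\\\FS01\\public
2005-05-13 14:07:30 | FAILURE | WS-BOB | CORP\\bob | \\\\FS01\\finance
2005-05-13 14:30:00 | FAILURE | WS-BOB | CORP\\bob | \\\\FS01\\finance
"""


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, outcome, host, account, share = [f.strip() for f in line.split("|")]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "outcome": outcome,
        "host": host,
        "account": account,
        "share": share,
    }


def parse_log(text):
    """Parse every non-empty line of the export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_share_scanners(text, window=timedelta(seconds=60), threshold=3):
    """Return {host: details} for hosts with >= threshold failures in window.

    The window slides over each host's failures in time order; the first
    burst that reaches the threshold produces the alert for that host.
    """
    failures = defaultdict(list)
    for ev in parse_log(text):
        if ev["outcome"] == "FAILURE":
            failures[ev["host"]].append(ev)

    alerts = {}
    for host, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                accounts = {e["account"] for e in burst}
                alerts[host] = {
                    "shares": sorted({e["share"] for e in burst}),
                    "accounts": sorted(accounts),
                    # Local/guest accounts are the "not an Authenticated
                    # user" case from the post; domain accounts are not.
                    "domain_authenticated": all(
                        a.split("\\")[0].upper() == DOMAIN for a in accounts
                    ),
                }
                break
    return alerts


if __name__ == "__main__":
    for host, info in find_share_scanners(SAMPLE_LOG).items():
        kind = "domain" if info["domain_authenticated"] else "LOCAL/GUEST"
        print(f"{host}: {len(info['shares'])} shares failed, account type {kind}")
```

With the constructed data, only CONSULTANT-LT is flagged: five distinct shares fail within three seconds under a local guest account. WS-BOB's two failures are 22 minutes apart and never fall inside the one-minute window, so a user who simply mistyped a path is not reported; widening the window to an hour would surface that case too, tagged as a domain account.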
-
May 13th, 2005, 08:45 PM
#63
From your reasoning it sounds like you are trying to say UNIX is secure, NT/2000 can be as secure too, if you configure it right.
You're new here, so you have no idea how funny this is. 
So "why not"? I guess because there are hardly any viruses for UNIX. UNIX is just not a big target.
But suffice to say, this doesn't make UN*X 100% secure against viruses... so why not run an AV?
Psst. I am answering your question, but I find that if I just tell someone something they didn't know, it tends to never stick; better to ask a few questions and then draw a parallel.
cheers,
catch
-
May 14th, 2005, 06:24 PM
#64
Senior Member
Originally posted here by catch
You're new here, so you have no idea how funny this is. 
Well... yeah, kinda new I guess, but no, what's so funny? You'll have to fill me in on that one... heh!?
But suffice to say, this doesn't make UN*X 100% secure against viruses... so why not run an AV?
The only UNIX box I have, I don't mess with much, it's a Big-IP load balancer. It does its thing, and it would never be used as a "workstation".
The difference would be, again, many more viruses directed against Windows, and in my case, nobody uses UNIX as a "workstation". Under these circumstances I don't see a need for A/V for UNIX, but I do for Windows.
And your answer?! :P
-
May 14th, 2005, 06:44 PM
#65
Senior Member
Originally posted here by morganlefay
It was handy when we got Nimda through an unpatched machine and it found an open share (user created...everyone full control). The AV helped isolate and then rid the beast...from a central point.
Just my .02 cdn
MLF
That's exactly the line I'm thinking along. Unless you have it so tied down that nobody can hardly do anything, not even giving any room for "human error", you do need an A/V solution to make up for the small percentage of cases where a virus can enter your network.
If you have it really secure and all, but no A/V to detect a virus, MLF could have gone forever with a virus without knowing it, and it could have caused some damage and maybe even propagation...
-
May 14th, 2005, 08:22 PM
#66
Well... yeah, kinda new I guess, but no, what's so funny? You'll have to fill me in on that one... heh!?
I am arguably the biggest advocate of NT security on this site. I freely and frequently state that NT security is superior to UN*X security. People like to take one of two arguments back:
1. Counting exploits.
2. Claiming exotic configurations and major architectural modifications in UN*X/Linux should just be considered the norm.
Due to this fact, I've stopped arguing the point for a while now... still funny that you'd think I meant UN*X to be more secure. My point was in fact that AV solutions for UN*X (excluding proxying services) essentially don't exist. Odd considering that NT security is in fact superior to UN*X at the commercial level (**** all this lab stuff).
So why is AV not needed on UN*X? Even with the argument that fewer viruses affect UN*X... well, with no AV software, wouldn't every virus that does exist effectively be a 0-day since no AV countermeasures exist?
As I stated before, in low assurance environments, AV is a good thing... but once you lock the systems down to providing exactly the rights your users require... which in my experience has NEVER included things like creating new shares by the way. 
Normal users in a higher assurance environment should not ever be allowed to make changes to their system without going through proper change control channels. In fact at my work, every single desktop system is set up in the exact same manner, and users are only allowed to modify their profiles.
Many of the client applications can only be launched as reduced privilege processes, permissions are tightly controlled, again with the point of only allowing users access to the applications they need as defined by their role and to the internal data as defined by that same role definition.
This is the real problem: most security teams have no clue what their users need, and how to effectively support business needs... consequently, to avoid calls to tech support, they give their users way too much rope. This would be a low assurance environment, and prime for AV controls.
Now Saw, back to your questions:
You are trying to tell me that every single box is so locked down that if a virus actually ends up on one of the boxes, it won't be able to do anything.. ?
Yup, as I said above, every single user system is configured in the same manner. Centralized configuration control, it's a good thing. And then user accounts are restricted via permissions and user right assignments that only meet the role requirements.
With all the tens of thousands of viruses that compromise a system in so many different ways, you are telling me that you have covered all the "holes" to 100%, so not one single virus can get through your "architecture" to cause damage or propagate? That's a pretty bold statement.
The number of viruses makes no difference, and I never said that it will prevent every single virus ever from causing harm. I said it will outright stop most and dramatically limit the damage possible by others. To the point where the costs saved by an AV are less than the cost of using one plus the new vulnerabilities introduced by the AV itself.
Security isn't about being 100% safe, it is about cost avoidance.
It probably makes a big difference depending on what kind of company/environment you have... but at a College where I work for example, I don't see how you possibly could make it that secure without an A/V solution.
And would you consider your environment to be a low or high assurance one? 
cheers,
catch
-
May 15th, 2005, 03:50 PM
#67
And would you consider your environment to be a low or high assurance one?
I believe that is a key statement. It all depends on the environment. Certainly in a single user scenario Win9x/ME you would consider AV, if only because the OS does not give you the controls you would otherwise need.
Having said that I know a number of people who do not use any AV. Basically they have no need for one, as their equipment is physically secure, and they are only using it as a glorified word processor/accounting machine. As there is no connectivity, there really isn't a vector by which they could be infected.
Normal users in a higher assurance environment should not ever be allowed to make changes to their system without going through proper change control channels. In fact at my work, every single desktop system is set up in the exact same manner, and users are only allowed to modify their profiles.
Exactly! Although over here they can change the screen resolution, as that is a health & safety legal requirement. This can be a pain when they select a combo outside of the vid card/monitor capabilities.
To the point where the costs saved by an AV are less than the cost of using one plus the new vulnerabilities introduced by the AV itself
Whilst I can see this point, I personally put more emphasis on potential instability and resource wasting, which have been what I have personally experienced.
catch has already mentioned special cases such as proxies and mailservers. The only other one I would tentatively suggest is the "sheep dip". This is a machine used to scan media etc. that are brought into the environment. Typically, lecture rooms, conference rooms, training rooms etc... almost by definition, these are low assurance environments, and physically somewhat insecure.
I must admit that I find AV useful for identifying stuff, so you only have to do the new ones by hand... but I guess that is just me being lazy.
Here is a little (true) story that may amuse.
It was January 2000 and I was called to look at a friend's kid's machine. A German box about 4 years old with the Thunderbyte AV package (anyone remember that?). This AV had not been updated since the box was bought. Turned out it was doing a background scan and finding Y2K file dates that it could not understand; it tried to "clean" them, couldn't, so deleted them.
That was the only "true" Y2K problem I encountered. The amusing thing was that this box was not at risk, and did not need an AV... the only problem it ever had was from an AV product.
-
May 15th, 2005, 04:58 PM
#68
Microsoft will release antivirus protection for PCs soon, so it means that antivirus is necessary.
Simply said, everyone needs some kind of protection and the question is just "HOW MUCH?".
http://www.betanews.com/article/MS_t...ore/1115998818
http://www.microsoft.com/windows/onecare/default.mspx
// too far away outside of limit
-
May 15th, 2005, 05:46 PM
#69
Microsoft will release antivirus protection for PCs soon, so it means that antivirus is necessary.
Is that meant in the same vein as: you have a Windows operating system, therefore you have to need Microsoft Office?
Bollocks... I can't be assed to argue any further.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
May 15th, 2005, 06:53 PM
#70
Hmmm,
Just looks like more marketing hype to me. Remember back in the old days when you had McAfee, Norton and Thunderbyte, MS and IBM both supplied AV products. This is long before the internet as we know it today, so there wasn't the multi-billion$ industry that there is today.
M$ and IBM dropped off the radar, and now it looks as if Microsoft are getting back into the market.
In a way, I think that they are flying in the face of what catch has been saying... bringing in third party/more complex solutions.
Hey catch, what do you think?... a dumbing down exercise?