Security Basics mailing list archives
Re: Anti-Virus Updates - How?
From: "Eric C. Lukens" <eric.lukens () uni edu>
Date: Mon, 13 Jul 2009 14:19:32 -0500
Unfortunately, there probably is not a good answer. The more recent your virus definitions are, the better job the anti-virus will do, but the more risk you encounter from a bad update. We've found ourselves having to deploy so-called "rapid release" definitions from time to time to stop malware from spreading around campus. I think the following things need to be part of your considerations:

1) Do all or most of your users have admin rights? If so, AV becomes more important as a tool to stop malware. A recent study said that some 90% of malware was completely non-functional under limited-user accounts, and those that ran with limited user rights were fairly easily cleaned. If your users can be limited users, you might not have to be as recent on definitions, so you can do more testing.

2) Do you or can you implement other security measures to limit malware? For example, see http://mechbgon.com/srp/ where the author uses group policy to limit executables to those that reside only in pre-defined folders, typically Program Files and Windows, but you can specify others. If malware can't run, it probably doesn't matter so much if you detect it.

3) Do you have virus scanning on your email server or spam appliance that can remove malicious code from emails? Email is still a huge way for malicious code to get around, so if you have alternative scanners in place, you will not have to rely on local anti-virus for email scanning (assuming your users only use your email servers or others that have scanning as well).

4) Do you or can you block known malicious sites and sites where malware makers are wanting to target (myspace, twitter, etc.)?

5) Do you have procedures or policies in place that allow someone to discipline users who violate policies and then infect their computers and/or the other machines as well?

Basically, the more risk factors you have for getting malware on the machines, the more you're going to need bleeding-edge anti-virus definitions.

That said, so many attacks are not caught by anti-virus software anyway, so there is a decent argument that you may just as well test updates every so often, since anti-virus isn't going to catch everything anyway. We have had bad updates from anti-virus do some nasty things as well, but at least in our situation, the thought of not running anti-virus software is much worse than the potential for damage from a bad update. You probably know your own users best, so look at the logs and see how many detections your anti-virus software has. If yours is anything like what I see, you'll have a small subset of users that account for most of your infections. You could put them in their own group that got frequent updates and put the rest of your users into a tested-definitions group.

-Eric

-------- Original Message --------
Subject: Anti-Virus Updates - How?
From: Ian Bradshaw <ian () ianbradshaw net>
To: security-basics () securityfocus com
Date: 7/10/09 9:49 AM
Hi,

Just wondering if anyone has a plan for deployment of AV updates? There have been a couple of AV updates that have trashed systems recently (one from CA and one from McAfee). Neither of these has affected me (fortunately), but we do have all our systems set to update to the latest definitions, so I guess it will happen at some point.

The problem is, in a small IT department (4 staff with ~5,000 PCs/laptops over 10 geographic locations; we don't have much spare time!), what is the best way to deploy AV updates? Given the number of updates sent out, it's not feasible to test them all when they are released. So, leave auto-update on, or hold back and test say once a week and update then, or what?

Any thoughts? / How do people do it at the moment?

Cheers
I.

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/
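Eric's item 2 describes a Software Restriction Policy that only lets executables run from Program Files and Windows. The script below is an added example, not part of the thread and not a real SRP implementation: it models that path-rule policy in Python so you can dry-run candidate paths against it before rolling the group policy out. The allowed roots, the executable extension list and the two user-writable exceptions under C:\Windows (Temp and Tasks) are assumptions chosen for illustration; a real deployment must take its extension list from the policy's ExecutableTypes setting and audit every allowed root for directories that ordinary users can write to, since any such directory becomes a bypass of the "malware can't run" guarantee.

```python
import ntpath

# Assumed policy: run only from these roots (path rules, as in the SRP write-up above).
ALLOWED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# Assumed, non-exhaustive list of directories under an allowed root that a
# limited user can write to. A path rule that allows C:\Windows also allows these
# unless they are explicitly disallowed, so the model treats them as denied.
WRITABLE_EXCEPTIONS = (r"C:\Windows\Temp", r"C:\Windows\Tasks")

# Assumed subset of the extensions the policy treats as executable.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".msi"}


def _norm(path):
    """Canonicalise a Windows path: collapse '..' and '.', unify slashes, lowercase.
    ntpath works on any platform, so this runs on Linux too."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, root):
    """True if `path` equals `root` or lies beneath it (both already normalised)."""
    return path == root or path.startswith(root + "\\")


def is_executable_type(path):
    return ntpath.splitext(path)[1].lower() in EXEC_EXTENSIONS


def allowed_to_run(path):
    """Return (allowed, reason) for a file path under the modelled policy."""
    if not is_executable_type(path):
        return True, "not an executable type under the policy"
    n = _norm(path)
    # Deny user-writable subdirectories first, so they win over the parent allow.
    for exc in WRITABLE_EXCEPTIONS:
        if _under(n, _norm(exc)):
            return False, "user-writable directory under an allowed root: " + exc
    for root in ALLOWED_ROOTS:
        if _under(n, _norm(root)):
            return True, "under allowed root: " + root
    return False, "outside all allowed roots"


def evaluate(paths):
    """Evaluate a list of paths; returns {path: (allowed, reason)}."""
    return {p: allowed_to_run(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, including two bypass attempts.
    for p, (ok, why) in evaluate([
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
        r"C:\Program Files\..\Users\bob\evil.exe",   # traversal out of an allowed root
        r"C:\Windows\Temp\dropper.exe",              # user-writable subdirectory
        "C:/Windows/System32/notepad.exe",           # forward slashes
        r"C:\Users\bob\Documents\report.pdf",
    ]).items():
        print(("ALLOW " if ok else "DENY  ") + p + "  (" + why + ")")
```

The two "bypass" lines are the checks worth keeping in your own test set: a path rule evaluated on the raw string would let the `..` traversal through, and an allow on C:\Windows silently covers every directory the user can write to beneath it.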
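Eric's closing suggestion is to mine the AV detection logs, find the small set of users who generate most of the detections, and give only that group the rapid definitions while everyone else gets tested definitions. The script below is an added example, not code from the thread or from any AV product: it parses a constructed key=value detection log, counts detections per user, and picks the smallest set of users that accounts for a chosen share of all detections as the rapid-update group. The log format, the user roster and the 50% cut-off are assumptions; real AV consoles export different formats, and the roster is needed because users with zero detections never appear in the log but still have to land in the tested group.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log (not from a real AV product). One detection per line.
SAMPLE_LOG = """\
2009-07-06 08:12:03 host=LAB-101 user=jsmith threat=Trojan.Generic action=quarantined
2009-07-06 09:40:17 host=LAB-101 user=jsmith threat=Adware.Foo action=cleaned
2009-07-06 11:02:55 host=LIB-014 user=rlee threat=Worm.AutoRun action=quarantined
2009-07-07 08:05:41 host=LAB-101 user=jsmith threat=Trojan.Downloader action=quarantined
2009-07-07 10:15:09 host=ADM-220 user=aboyd threat=Adware.Foo action=cleaned
2009-07-07 14:27:33 host=LIB-014 user=rlee threat=Worm.AutoRun action=quarantined
2009-07-08 08:01:12 host=LAB-101 user=jsmith threat=Trojan.Generic action=quarantined
2009-07-08 13:44:50 host=LAB-102 user=cwu threat=Adware.Foo action=cleaned
2009-07-09 09:09:09 host=LIB-014 user=rlee threat=Trojan.Generic action=quarantined
2009-07-09 16:30:00 host=LAB-101 user=jsmith threat=Adware.Foo action=cleaned
2009-07-10 07:58:21 host=ADM-231 user=dpatel threat=Adware.Foo action=cleaned
2009-07-10 12:12:12 host=ADM-240 user=efox threat=Trojan.Generic action=quarantined
"""

# Assumed roster of every managed user, including those with no detections.
ROSTER = ["aboyd", "cwu", "dpatel", "efox", "gkim", "jsmith", "rlee"]


def parse_line(line):
    """Parse one 'YYYY-MM-DD HH:MM:SS k=v k=v ...' record into a dict."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return rec


def detections_by_user(log_text):
    """Count detection records per user, skipping blank and comment lines."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        counts[parse_line(line)["user"]] += 1
    return counts


def split_update_groups(counts, roster, share=0.5):
    """Return (rapid, tested): rapid is the smallest set of heaviest users that
    together account for at least `share` of all detections; tested is everyone
    else on the roster, sorted. Users absent from the log count as zero."""
    total = sum(counts.values())
    rapid, covered = [], 0
    for user, n in counts.most_common():
        if covered >= share * total:
            break
        rapid.append(user)
        covered += n
    tested = sorted(u for u in roster if u not in rapid)
    return rapid, tested


if __name__ == "__main__":
    counts = detections_by_user(SAMPLE_LOG)
    rapid, tested = split_update_groups(counts, ROSTER)
    for user, n in counts.most_common():
        print(f"{user:8s} {n:3d}")
    print("rapid-definitions group :", rapid)
    print("tested-definitions group:", tested)
```

Re-run the split on a rolling window (say the last 30 days) so a user who is cleaned up drops back into the tested group; if the rapid group grows beyond a handful of users, the problem is the risk factors in Eric's list, not the update cadence.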
Current thread:
- Anti-Virus Updates - How? Ian Bradshaw (Jul 13)
- Re: Anti-Virus Updates - How? Francois Yang (Jul 13)
- Re: Anti-Virus Updates - How? Adam Mooz (Jul 13)
- Re: Anti-Virus Updates - How? Miguel Tubía (Jul 14)
- Re: Anti-Virus Updates - How? Adam Mooz (Jul 13)
- Re: Anti-Virus Updates - How? Mike Hale (Jul 13)
- Re: Anti-Virus Updates - How? Sandeep Cheema (Jul 13)
- Re: Anti-Virus Updates - How? Kurt Buff (Jul 13)
- Re: Anti-Virus Updates - How? Eric C. Lukens (Jul 13)
- RE: Anti-Virus Updates - How? Ramki B Ramakrishnan (Jul 20)
- Re: Anti-Virus Updates - How? Francois Yang (Jul 13)