Educause Security Discussion mailing list archives
Re: viruses that have been cleaned or quarantined
From: "Belford, Jason C. (jcb3zr)" <jason.belford () VIRGINIA EDU>
Date: Thu, 22 Jun 2017 00:04:36 +0000
Sounds like we are revisiting this 2013 ShmooCon presentation (still relevant): https://www.youtube.com/watch?v=lb1XDMbQOiM&ab_channel=Christiaan008

It shows where stuff can hide that cannot be detected and that can later be used to re-infect the machine. Neither file hashes nor traditional AV are going to help you. Just wipe the drive!

--J

Jason C. Belford, CISSP
Chief Information Security Officer
E jason.belford () virginia edu
P 434.924.4165
University of Virginia
www.virginia.edu

On 6/21/17, 5:02 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ken Connelly" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of ken.connelly () UNI EDU> wrote:

On 6/21/17 3:52 PM, Kevin Wilcox wrote:
> On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:
>
>> If your virus scanner has cleaned or quarantined a virus/malware/etc., do you do any additional scanning or followup on the endpoint? I know virus definitions, though up to date, may potentially just be catching a virus that has lived on the machine for several months and had only been recently identified. Do you trust that "cleaned" means it took care of any damage that had been done, if any?
>
> Chelsie -
>
> I see no difference between AV and IDS. The idea that AV can "clean" a system is one that I'd like to see eradicated.
>
> That's not to say that it's impossible - just that it takes known-good cryptographic hash values for every file on the system, a trusted off-system scanning agent and good alerting when something changes. That's before having the same thing in place for registry hives, the ability to detect/audit ADSs, etc.
>
> If AV alerts on anything, and I can't otherwise determine it's a false positive, it's a re-image of the system. Again, AV alerts are treated the same as IDS alerts. There are some exceptions where it's profile removal/recreation but generally speaking that's insufficient for most of our environment.
>
> One massive hole to that approach - we backup data, re-image and restore. If something is hiding in one of the backed-up files, it comes back on the newly-built system.
>
> It's certainly not perfect and needs some work but I've done too many forensic examinations of systems to trust that AV can do anything beyond alerting on 25% of the stuff that's out there.
>
> kmw

25% is being overly kind and generous.

Otherwise, I'm with Kevin on this one. "Cleaning" is not an option. Wipe, reformat, and reinstall/reimage is the only way to go. That might seem like overkill, but it saves time, headache, and gnashing of teeth in the long run.

-ken

--
- Ken
=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
Any request to divulge your UNI password via e-mail is fraudulent!
Current thread:
- viruses that have been cleaned or quarantined Chelsie Power (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Belford, Jason C. (jcb3zr) (Jun 21)
- Re: viruses that have been cleaned or quarantined Garmon, Joel (Jun 22)
- Re: viruses that have been cleaned or quarantined Frank Barton (Jun 22)
- Re: viruses that have been cleaned or quarantined Tim Doty (Jun 22)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 22)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)