Security Basics mailing list archives
Re: Running AV via SSH? (Was: Re: Bad Antivirus)
From: Alois Mahdal <alois.mahdal.1-ndmail () zxcvb cz>
Date: Sat, 9 Feb 2013 01:41:43 +0100
On Mon, 04 Feb 2013 09:13:37 -0500 Michael Peppard <mpeppard () impole com> wrote:
> [...] You can map the remote drive either through ssh2 as local administrator or using drive mapping as network admin. Most viruses will shut down or lie to an antivirus program running locally.
I actually thought that you meant logging in to the box via ssh, and then running an AV *there* under sshd, just like you would run anything else. In case of normal Joe's workstation, that would of course hardly help with more than the distance you need to walk.

Now I see that what you suggest is just sharing the files via network (e.g. SSH/SFTP) and scanning them remotely. But as others have pointed out, if that were to work, you would probably need to share like "root access to /", which seems like a very crazy idea.

What I'd suggest is:

 * if you can access the machine physically
   1. grab a couple of bootable AV CDs from different vendors
   2. with each of them, reboot and scan and research
   3. decide what to do.
 * otherwise restoring from backup is probably the only option

In many cases this might be a safer or even easier solution (congrats if you *do* have easily restorable backups), but you need to be sure that the *backup* is not infected as well. So probably a combination of both methods could be in place.
> It is also a good idea to have antivirus running as an appliance at the edge of networks alongside the firewall. If the antiviruses you have chosen for your network don't update at least daily when needed, you may want to look for a new antivirus.
Definitely scanning files on regular paths to/around your net (file servers, e-mail servers) is a good idea. It does not, however, protect you 100%:

 * flash drives
 * HTTP: e.g. if you needed to check virus.exe being downloaded, you would need to get the *whole* file. But in reality the stream can come in many pieces, and can even be interrupted in the middle and restored days later. Can't imagine tracking infection via HTTP this way
 * encrypted streams, encrypted ZIPs

Sometimes you can, however, forbid these things strictly (e.g. throw away all attachments, seal off USB connectors...) without hindering the business. Not sure about HTTP though...

Thanks,
aL.

-- 
Alois Mahdal
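The HTTP point above (a download may arrive in several pieces, out of order, or be resumed much later) is illustrated by the following added Python example, which is not part of the original post: a defender-side reassembler that files 206 Partial Content bodies by their Content-Range offset and only scans once the object is complete, showing that scanning each piece on its own misses a signature that straddles a piece boundary. The signature bytes, the payload and the Content-Range values are constructed stand-ins, not real data.

```python
from dataclasses import dataclass, field
# Constructed stand-in for an AV signature; NOT a real malware pattern.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]

def scan_bytes(data: bytes) -> bool:
    return any(sig in data for sig in SIGNATURES)  # toy signature scan

@dataclass
class RangeReassembler:  # collects 206 Partial Content bodies by start offset
    total: int = 0                             # 0 = total length not yet known
    parts: dict = field(default_factory=dict)  # start offset -> body bytes

    def add(self, content_range: str, body: bytes) -> None:
        # A Content-Range value looks like "bytes 20-34/52".
        unit, rest = content_range.split(" ", 1)
        span, total = rest.split("/")
        start, end = (int(x) for x in span.split("-"))
        if unit != "bytes" or end - start + 1 != len(body):
            raise ValueError(f"bad Content-Range {content_range!r}")
        if self.total not in (0, int(total)):
            raise ValueError("total length changed between responses")
        self.total, self.parts[start] = int(total), body

    def complete(self) -> bool:
        """True only when the received ranges cover [0, total) without gaps."""
        covered = 0
        for start in sorted(self.parts):
            if start > covered:
                return False  # gap: the rest may arrive days later, or never
            covered = max(covered, start + len(self.parts[start]))
        return self.total > 0 and covered >= self.total

    def assemble(self) -> bytes:
        buf = bytearray(self.total)
        for start, body in self.parts.items():
            buf[start:start + len(body)] = body
        return bytes(buf)

def demo() -> dict:
    payload = b"BEGIN-OF-FILE:" + SIGNATURES[0] + b":END-OF-FILE"   # 52 bytes
    cuts = [0, 20, 35, len(payload)]           # both cuts land inside the signature
    chunks = [(cuts[i], payload[cuts[i]:cuts[i + 1]]) for i in range(3)]
    per_chunk = [scan_bytes(body) for _, body in chunks]   # what per-piece scanning sees
    r = RangeReassembler()
    r.add("bytes 35-51/52", chunks[2][1])      # last piece arrives first, alone
    complete_early = r.complete()              # False: two pieces still missing
    for start, body in chunks[:2]:
        r.add(f"bytes {start}-{start + len(body) - 1}/{len(payload)}", body)
    return {"per_chunk": per_chunk, "complete_early": complete_early,
            "complete": r.complete(), "full_hit": scan_bytes(r.assemble())}
```

Run `demo()` to see that no single piece triggers the signature while the reassembled object does, and that `complete()` stays False until every range has been received.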