Full Disclosure mailing list archives
RE: MS Anti Virus?
From: "Dan B. Mann" <DBM () wkkf org>
Date: Thu, 17 Jun 2004 15:11:34 -0400
From my perspective, a place that MS needs to also focus on is the patch scanning technology. SMS, WindowsUpdate, MBSA, all can give different, confusing results even when scanning the same machine! Please, give me a scanner that covers all of your internal products, and gives reliable results. Having one tool contradict another ends up creating a mess, and it is frightening. It's not fun to try and track down a bunch of machines on a weekly basis to really find out whether they are patched or not. Does Microsoft read this list? I will give Kudos to Microsoft for making an effort to IMPROVE themself regarding security though. Dan
-----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure- admin () lists netsys com] On Behalf Of Steffen Schumacher Sent: Thursday, June 17, 2004 12:51 PM To: joe Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] MS Anti Virus? On 17.06.2004 11:51:46 +0000, joe wrote:However the worms would be blocked if people had patched their
machine
orotherwise properly administrated the machines they were responsible
for.
Allof the worms that I think you are probably referring to all had
patches
wellin advance of the worm that impacted it, blaster, slammer, sasser,
etc.
Agreed. I'm not saying that MS doesn't provide patches - they do. I simply think that the amount of bugs in MS' OS' are to great. If you install windows and attempt to either patch it or install
firewall
afterwards while on the live internet - Your chances of getting
infected
are quite high. The time it takes to install patches or a firewall may
in
some situations be longer then it would take for a user to get
infected.
I picture it a bit like a para trooper which has noo means of defense until he lands and can take cover. Other OS' like FreeBSD take a different approach. All non vital
services
are disabled until the user explicitly installs or enables them. Microsofts products should provide the means to a secure patch before risky services like DCOM are enabled. This should in fact be the case everytime a MS pc starts up. Otherwise a pc which has been offline for a period may become infected while patching. But ultimately MS have to catch more of their serious bugs before releasing their software. Consider how many resources that are spent on
patching.
Could they have been spent revising code in stead? I wonder what the average load on the windows update server park is...Home users never should have been impacted as they should be running firewall software on the internet connections. The fact that they
don't
isn't MS's fault, however MS is stepping up with XP SP2 to help out.
On
topof that they should be patching when necessary. Corporate users shouldn't have been impacted either and were onlybecausethe IT department didn't keep the machines patched properly. Too
many
companies run on a deploy and forget strategy, this doesn't work for
any
OSbe it Windows, *nix, or ios. I am not saying keeping them patched is
an
easytask, I managed 400 servers in a Fortune 5 company that were
distributed
around the world. None of them ran antivirus, none of them got
infected
byeither viruses nor worms, none of them allowed any but only a smallnumberof people to have admin rights to do harm to them. When a patch came
out
that affected those servers, it was on the machines in a rather
quick
fashion, generally within 72 hours depending on testing times. Thinking that there will never be code patches required isn't
realistic.
Itis humans writing the code and even the humans writing the other
Oses
makemistakes and need to release patches. If the people who manage themachinesdon't take the time to apply the patches then the issue isn't an MSissue,it is an admin issue.I know. I just wan't fewer. When you sell these amounts of
functionality
which is reused in multiple future software, then one should *REALLY*
test
it better, or lower the prices.The *real* IT department could then link to the executeable and place it on an intranet server which would be secure.This is an interesting idea but I can't see how one could do it in a feasible manner in a large company that is receiving hundreds ofthousandsof emails from the outside a day. Also you would have to watch forinternalemails and attachments as well because you could get an infected
machine
onthe inside. Now in large companies you are up to millions of emails. My recommendation to the email manager at the time of the last major outbreak where they started just stipping all ZIPs from emails was
that
theystrip ALL attachments that didn't have a specific internally defined extension on them, that way they knew it was a purposeful thing thatthatattachment was there. The extension would be something specific to acompanyand people involved know that extension. Obviously this is just a
crutch
toblock the issue with well known executable file extensions. The file associations are a tough thing to repeal since they are sodeeplyembedded in how things are done on Windows and people have gotten soused tothem; it made life easier for a majority of the users and was a
great
ideaat the time. Now however, if you, for instance, removed the DOCextensionfrom the file associations half the corporate Windows Admins out
there
wouldbe at a complete loss as to why Word wasn't working... Those bad
Windows
Admins are partially MS's fault, but mostly the fault of companies
who
lookfor cheap admins versus good admins. joe -----Original Message----- From: Steffen Schumacher [mailto:ssch () wheel dk] Sent: Thursday, June 17, 2004 10:43 AM To: joe Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] MS Anti Virus? While I have no numbers to back this up, I do think that worms are
far
worsewhen it comes to the extent of which viruses spread, and speed. It is my belief that most worms are based upon MS exploits, rather
then
social engineering. It is my belief that we will simply have to wait untill MS cleans uptheiract, which they should be doing, before the world becomes a better
place
tolive. I realize that this doesn't clear situtations like the one above,
but in
general such situations can't really be solved unless all mails arescannedextensively, and / or the people are educate enough so that they
never
should run executeables recieved from mail (its actually quite
simple to
me). The *real* IT department could then link to the executeable andplaceit on an intranet server which would be secure. /Steffen _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- MS Anti Virus?, (continued)
- MS Anti Virus? http-equiv () excite com (Jun 16)
- MS Anti Virus? Robert Michael Slade (Jun 16)
- Re: MS Anti Virus? DAN MORRILL (Jun 17)
- Re: MS Anti Virus? Eric Paynter (Jun 17)
- Re: MS Anti Virus? Alfie (Jun 17)
- Re: MS Anti Virus? Joshua Levitsky (Jun 17)
- Re: MS Anti Virus? Gregory A. Gilliss (Jun 17)
- Re: MS Anti Virus? Ron DuFresne (Jun 17)
- RE: MS Anti Virus? Poof (Jun 17)
- RE: MS Anti Virus? joe (Jun 18)
- Re: MS Anti Virus? Eric Paynter (Jun 17)
- RE: MS Anti Virus? Dan B. Mann (Jun 17)
- RE: MS Anti Virus? Ron DuFresne (Jun 17)