Honeypots mailing list archives

Re: Honeypot and AntiVirus


From: J Bailes <jbailes () parasys com>
Date: 18 Dec 2003 17:08:47 -0000

In-Reply-To: <3FE0CFE9.2030500 () gawab com>

Thanks for the reply.

I have tried logging in the guest OS/honeypot but IRIS wouldn't function properly.  When I tried to decode the captured 
packets, IRIS would freeze up, so to speak.  The AV is cleaning the logs when I try to view a decoded packet in IRIS; 
e.g. 192.168.1.101 <1433> - when I tried to view the data the AV cleaned it before IRIS had a chance to display it.  I 
don't believe the actual binary ever made it to the honeypot as that port was protected.  As far as separating my systems for 
logging and analysis is concerned, that day is coming shortly.  I had to give up my Top Secret Computer Lab with 4 
machines (a.k.a. bedroom #3) to make room for twins. I am currently limited to one PC in another room.  Another person 
mentioned that it would probably be OK to disable the real-time scanning feature of the AV to avoid having my packet 
logs cleaned when I accessed them.

Thanks again!

J.

**************************************************************************

Hi J,

Comments inline......
J Bailes wrote:

1) Can I set my AV to prevent this without risking compromise to my host OS where
the analysis will be performed?
 

If I have understood the question..... your AV cleans the logs when you 
access the binary files (I am assuming). Then I guess the simplest 
solution to this would be to store the binary file in a directory and 
then configure the AV to exempt that directory from scans. Or else you 
could dynamically log to a different system or to the native OS of 
VMware..... I don't know if I did answer your question.

2) Can an analysis be performed with mitigated risk of compromise to the machine
running the analysis?
 

It works best when the analysis and logging systems are physically different 
machines. You can easily get rid of these small teething problems......

Hope I got it right?? Write back.

-dev
