
Anti Virus software on Forensic Workstation  

ludlowboy
(@ludlowboy)
Member

On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?

Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.

Would your views and recommendation change for a small closed forensic network with a server and several forensic work stations?

Posted : 02/03/2019 2:56 pm
jaclaz
(@jaclaz)
Community Legend

On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?

Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.

It seems to me a correct approach.

The theory of operation (not necessarily doable in practice) is to re-image the workstation "clean" before any investigation, or to use a PE (or other live/volatile OS).

But nothing prevents you from installing/using a non-real-time scanning antivirus (no slowdowns due to the antivirus) to check the contents of an image.

After all, I doubt you are going to double click on .exe's or similar, and the whole point of forensics is normally to use a read-only or non-modifiable image, or at the very least, needed changes - if any - should be fully documented and in the "full control" of the investigator, whilst a real-time anti-virus may either block your work, nagging with errors about its attempts to do something on read-only mounted media, or actually change something on it outside your direct control.
Besides, good luck if you are using "minor" or non-commercial (or self-written) tools; only as an example, a lot of AutoIt or AutoHotKey scripts/programs tend to trigger anti-virus heuristic engines (and as well, tools intended to have direct access to disk, memory etc. tend to have instructions that are "common" with some forms of virus/malware and may as well trigger the heuristic engines).

Would your views and recommendation change for a small closed forensic network with a server and several forensic work stations?

Not really, though of course when you enter a multi-user setup the weak link becomes the less knowledgeable user.

jaclaz

Posted : 02/03/2019 4:55 pm
armresl
(@armresl)
Community Legend

If you're the police no real need.

If you're the defense, looking for viruses, malware, rootkits, etc, should all be part of the plan.

On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?

Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.

Would your views and recommendation change for a small closed forensic network with a server and several forensic work stations?

Posted : 03/03/2019 1:31 am
twjolson
(@twjolson)
Active Member

If you're the police no real need.

No! Our job is to seek the facts - inculpatory or exculpatory. We do malware scans.

Posted : 03/03/2019 2:56 am
armresl
(@armresl)
Community Legend

You may do malware scans. In the vast majority of all cases I've done, police do not do any scans.
All I have to go on is the detective's report, deposition, and trial testimony. If asked and they don't mention it, then I can't assume that they did it.

If you're the police no real need.

No! Our job is to seek the facts - inculpatory or exculpatory. We do malware scans.

Posted : 03/03/2019 3:42 am
pbobby
(@pbobby)
Active Member

Always install anti-virus software.

You don't have to manually scan anything, but your OS should have a broad-based malware protection mechanism.

Posted : 06/03/2019 2:37 pm
ludlowboy
(@ludlowboy)
Member

Hi pbobby. What anti-virus do you recommend, and what effect has it had on the performance of your workstation?

I ask this because it appears to be a requirement by UKAS for ISO accreditation.

Posted : 06/03/2019 6:35 pm
Passmark
(@passmark)
Active Member

We test the performance impact of anti-virus (AV) software. Example report here:
https://www.passmark.com/reports/Consumer_Security_Products_Performance_Benchmarks_2019_Ed_2.pdf

Some of the AV products are awful. They can double or triple the time required to do certain tasks (e.g. download a web page, copy files, etc.). So they can certainly have an impact on your productivity.

But most of the commercial forensics tools don't mount disk images to a drive letter, which means that the AV tool and the operating system itself don't see the disk being investigated. Instead they do direct sector access to parse the MFT themselves. So most of the time the AV product doesn't see the files in the disk image and doesn't scan them.

There are some exceptions to this, however. The big one for us is temporary files. When a disk image is scanned (e.g. for hashing or word indexing), all the container files need to be opened up. So you might have a PDF, in a Zip, in an email, which is all in a PST file. To extract the PDF file you need to write some temporary files into a location that is visible to the AV. Then the scanning takes place. This has three bad effects:

1) It can dramatically slow everything down, especially when there is a large number of small files.

2) The AV blocks access to the temp file while the AV scan takes place, which can result in errors being thrown in the forensics tool, as the blocking returns a general access denied error. It is difficult for the forensics tool to know when and if the file will become available. So even if the scan takes 0.5 seconds per file, the forensics tool might be delayed for seconds per file. This is a big deal if you have a million files.

3) If a suspect file is found by the AV, then the temp file gets deleted or quarantined. So from the point of view of the forensics tool this is really unexpected. The tool writes a file, then tries to re-read the file 500ms later and the file is gone! This results in more errors and the file in question being skipped (e.g. not hashed, or not indexed).

So by all means install an AV solution if you think you need one, but turn it off for particular activities, or configure the AV to never monitor the temp folder(s) / drive(s).

Posted : 06/03/2019 9:58 pm
harrisonamj
(@harrisonamj)
New Member

My principal focus is IR forensics so the expedient identification of malware is a common requirement and most images we take in will be scanned at the outset for quick identification of malware for further analysis.

We run AV on our workstations (specifically ESET) with the majority of default protections in place, and have not noticed a performance impact. This is supplemented with multiple AV solutions which are licensed and kept updated for use in scanning mounted images.

Posted : 06/03/2019 11:05 pm
jaclaz
(@jaclaz)
Community Legend

We test the performance impact of anti-virus (AV) software. Example report here:
https://www.passmark.com/reports/Consumer_Security_Products_Performance_Benchmarks_2019_Ed_2.pdf

Some of the AV products are awful. They can double or triple the time required to do certain tasks (e.g. download a web page, copy files, etc.). So they can certainly have an impact on your productivity.

But most of the commercial forensics tools don't mount disk images to a drive letter, which means that the AV tool and the operating system itself don't see the disk being investigated. Instead they do direct sector access to parse the MFT themselves. So most of the time the AV product doesn't see the files in the disk image and doesn't scan them.

There are some exceptions to this, however. The big one for us is temporary files. When a disk image is scanned (e.g. for hashing or word indexing), all the container files need to be opened up. So you might have a PDF, in a Zip, in an email, which is all in a PST file. To extract the PDF file you need to write some temporary files into a location that is visible to the AV. Then the scanning takes place. This has three bad effects:

1) It can dramatically slow everything down, especially when there is a large number of small files.

2) The AV blocks access to the temp file while the AV scan takes place, which can result in errors being thrown in the forensics tool, as the blocking returns a general access denied error. It is difficult for the forensics tool to know when and if the file will become available. So even if the scan takes 0.5 seconds per file, the forensics tool might be delayed for seconds per file. This is a big deal if you have a million files.

3) If a suspect file is found by the AV, then the temp file gets deleted or quarantined. So from the point of view of the forensics tool this is really unexpected. The tool writes a file, then tries to re-read the file 500ms later and the file is gone! This results in more errors and the file in question being skipped (e.g. not hashed, or not indexed).

So by all means install an AV solution if you think you need one, but turn it off for particular activities, or configure the AV to never monitor the temp folder(s) / drive(s).

Very interesting test benchmark, thanks.

What surprised me (and that is good to know) is that current/recent Norton is as fast as (or faster than) ESET; the good guys at Symantec must have made some very relevant changes since - traditionally - ESET was of "light" impact on common operations whilst Norton used to be a snail (actually a snail trawling through molasses).

jaclaz

Posted : 07/03/2019 8:43 am
mcman
(@mcman)
Active Member

I will typically have A/V installed on my forensics box but please, please, please, if you do, make sure you're able to turn off active scanning and keep it off. That will be your biggest performance hit. Passmark's write up is excellent.

While regular examination things may not always be impacted, I know things like loading hash lists (especially when there are millions of records being written to a database) will have a major impact. I know in AXIOM I ran some tests with active scanning on vs off and it took almost 2 days to build a hash database. Turned off active scanning, less than 2 hours. That's a huge difference.

I'm actually a fan of Windows Defender for A/V scans; however, I struggle to control the active scanning on/off. I'll turn it off and a day later it will turn itself back on, which becomes a problem, so quite often I'll install something else over top of it and disable Defender, which gives me better control of the active scanning part of A/V.

So in short, I'm a big fan of doing manual A/V scans as part of my investigation but make sure you keep the active scanning in check or you'll have a bad time for many things.

Jamie McQuaid
Magnet Forensics

Posted : 07/03/2019 2:39 pm
ludlowboy
(@ludlowboy)
Member

Thanks to everyone who has provided useful answers.

Has anyone had to install and use AV software as part of ISO 17025 accreditation?

Posted : 07/03/2019 10:08 pm
Garethb
(@garethb)
New Member

I think it might be more of a requirement for the FSR Codes than actually 17025, but I assume you are doing both together? It was not raised specifically during our initial assessments, but we already had it in place, so it could be they saw that and decided not to ask about it. We also were doing 17025 and the Codes separately, and this was a 17025 assessment only.

I have used an Enterprise version of McAfee (organisation IT already had it set up for the corporate network), and as long as you turn off On Access scanning and exclude the file paths of temp directories, export folders and other directories used by the forensic tools to function, it didn't cause a problem. We had ours set to do a local scan once a week on a Friday night, so even if it used some machine resources during that, it wasn't noticed.

Either way, some kind of virus scanning software should be pretty straightforward to implement on a small network; the challenge is getting frequent definition updates without manually updating them every week, as I assume you won't have internet access. We had a specific one-way route created via a firewall to pull updates from an internal repository on the corporate network.

Posted : 08/03/2019 9:52 am
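The configuration the posters above converge on (exclude only the forensic tools' temp and export directories from on-access scanning, keep a scheduled weekly scan, and verify the setting actually stuck rather than trusting it) expressed for Microsoft Defender on a Windows workstation. This is an added example, not any poster's own script; the directory paths, the Friday 22:00 schedule and the choice of Defender (the product mcman mentions) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scope Defender's on-access scanning around forensic tooling
# and verify the outcome. Paths below are assumed; replace with your own.
param(
    # Only disable real-time monitoring when explicitly asked, as the thread advises
    # doing for specific activities rather than permanently.
    [switch]$DisableOnAccess
)

$forensicPaths = @(
    'D:\ForensicTemp',   # assumed: tool scratch/temp location (Passmark's "temp files")
    'D:\Exports',        # assumed: carved/exported output written by the tools
    'E:\Images'          # assumed: read-only evidence image store
)

# 1. Exclude the directories the tools write to, not the whole machine.
#    A missing path is reported rather than silently excluded (typo protection).
foreach ($p in $forensicPaths) {
    if (Test-Path -LiteralPath $p) {
        Add-MpPreference -ExclusionPath $p
    } else {
        Write-Warning "Not excluding missing path: $p"
    }
}

# 2. Keep a scheduled full scan when nobody is processing evidence.
#    ScanScheduleDay 6 = Friday, ScanParameters 2 = full scan.
Set-MpPreference -ScanParameters 2 -ScanScheduleDay 6 -ScanScheduleTime '22:00:00'

# 3. Optionally turn off on-access scanning for the duration of a heavy job
#    (hash-list builds, indexing) and turn it back on afterwards by re-running
#    without the switch.
Set-MpPreference -DisableRealtimeMonitoring ([bool]$DisableOnAccess)

# 4. Verify. IsTamperProtected = True explains the "turns itself back on"
#    behaviour: Defender reverts real-time changes unless Tamper Protection
#    is managed from the security settings UI or MDM, not from scripts.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    ExcludedPaths        = ($pref.ExclusionPath -join '; ')
    RealtimeProtectionOn = $status.RealTimeProtectionEnabled
    TamperProtected      = $status.IsTamperProtected
    ScheduledScanDay     = $pref.ScanScheduleDay
    SignatureAgeDays     = $status.AntivirusSignatureAge
}
```

Run it after definition updates on an air-gapped box as well: SignatureAgeDays in the output is the quickest way to spot that the one-way update route Garethb describes has stopped working.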