Anti Virus tips

19 Posts
14 Users
0 Reactions
1,876 Views
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

Hi guys,

I have some other concerns regarding antivirus, namely the following, and I was wondering if anyone else has considered them...

1. Scanning overhead for real-time detection: monitoring each of your processing machines to identify any impact AV scanning has on performance
2. AV scanning modifying timestamps on evidence
3. Deletion of files as opposed to quarantine
4. Ensuring monitoring of Terminal Services
5. Plug in evidence drive and AV kicks in to scan drive
6. Installing AV on a data server

IMO, end stations should have AV installed and the server should have no AV whatsoever. The thinking is twofold:

1. Large quantities of evidence may take long periods to scan with AV, even when kicked off over the weekend
2. Potential deletion/modification of evidence and/or timestamp modification

If installing AV on end user/processing machines, how do you ensure that you do not modify evidence on the external HDD that is plugged in after returning to the lab from imaging onsite?

Ronan


(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
 

The simple answer to this is Sophos; in the UK most Government organisations use it. Is it good? YES.

I purchased it myself; it's expensive, but you get what you pay for.

Regards


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I always wondered why AV? Why scan for the bad things? Why not just make sure the good things are good?

TripWire is the closest to what I think is the best. "Change auditing software".

* There is a limited set of files to scan (the number of valid executable files versus the number of malware samples and their variants).
* The database does not change unless new applications are installed, versus almost daily updates to an ever-increasing database.
* Real-time validation is faster, as it no longer needs to check against a malware DB and heuristic logic, simply against the valid DB.

We already use it in forensics. We have huge software fingerprint databases out there.

Just a thought….

I wish there was a Tripwire for Wintel desktops.


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

I agree with jhup; this would be great, but I am not aware of any Tripwire equivalent for Windows. Does anyone have any suggestions or recommendations?


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

What methodology do you guys use when deploying AV on your lab network?

1. Do you deploy it on the Server(s) and/or end user workstations?
2. How do you deal with a virus once it is detected, bearing in mind deleting/fixing it results in file modification (if one virus is found then documenting this process is fine - but what if thousands of viruses are found?)
3. Are you concerned that virus scanners may modify timestamps?

Ronan


   
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Without knowing all the details for a specific environment, there _may_ be a Tripwire-like solution for the Windows environment.

Osiris
Over at http://osiris.shmoo.com/index.html

I've used it in the past on Win32 systems.

You might enjoy it.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com


   
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

What methodology do you guys use when deploying AV on your lab network?

1. Do you deploy it on the Server(s) and/or end user workstations?
2. How do you deal with a virus once it is detected, bearing in mind deleting/fixing it results in file modification (if one virus is found then documenting this process is fine - but what if thousands of viruses are found?)
3. Are you concerned that virus scanners may modify timestamps?

Ronan

Hi, I would also be interested to hear any responses to Ronan's questions. A debate in our own lab has led us to consider these points right now. Let's wrap an example around these questions: what AV methodology would you deploy if you were, say, concerned about the prospect of a Trojan horse defence being relied upon later?

Thanks.


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

We have recently taken the decision to deploy the following methodology.

1. Install AV on our desktops and configure it to scan on access.
This desktop is a standard build pulled down via PXE LAN boot.

2. Desktop machines poll for updates at 5pm daily.
We download definition files from the vendor's site daily or weekly depending on threat level, then our machines pick up these updates.

3. Desktops do a full scan once a week.

4. Desktops have USB write protection enabled and autorun disabled.

5. We deploy virtual machines on our desktops where our processing tools are installed. Virtual machines have USB write protection enabled and autorun disabled.
As we process into a database, all file timestamps, permissions etc. are stored and can be referenced if required.

6. These virtual machines have AV installed and check for updates daily, again scanning on access.

7. If a virus is detected we delete and log.
We feel protecting all our other data is more important than allowing a virus onto the network. If a client needs this file we inform them it is infected and we can provide it to them by other means.

8. On the off chance a machine (virtual or desktop) is infected, we simply drop it and do a fresh install from the network.


   
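The change-auditing idea jhup raised (baseline the known-good files, then check they are still what they were) and the timestamp worry that runs through Ronan's points 2 and 5 and question 3 can be put side by side in one small tool. The following is an added Python example written for this page; it is not code from the thread, from Tripwire or from Osiris. It snapshots the SHA-256, size and stat timestamps of every regular file under a root, then diffs a later snapshot against that baseline and reports content changes (what an in-place "disinfect" or a delete produces) separately from timestamp-only drift (what a tool that rewrites metadata produces), so each class of change can be documented on its own. The evidence tree, the file names and the four "scanner" actions in demo() are constructed in a temporary directory so the script runs offline; nothing in it is real malware.

```python
"""Change-auditing baseline for an evidence tree (added example, not from the thread).

Baseline every regular file's SHA-256, size and stat timestamps, then diff a
later snapshot against that baseline. Content changes are reported separately
from timestamp-only drift so each can be logged and explained.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

TIMESTAMP_FIELDS = ("mtime_ns", "atime_ns", "ctime_ns")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large evidence files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file's path (relative to root) to its integrity record."""
    root = Path(root)
    records = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        records[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns,
            "ctime_ns": st.st_ctime_ns,
        }
    return records


def compare(baseline, current):
    """Diff two snapshots into added / removed / content_changed / timestamp_only."""
    report = {"added": [], "removed": [], "content_changed": [], "timestamp_only": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            before, after = baseline[rel], current[rel]
            if before["sha256"] != after["sha256"] or before["size"] != after["size"]:
                report["content_changed"].append(rel)
            else:
                drift = [k for k in TIMESTAMP_FIELDS if before[k] != after[k]]
                if drift:
                    report["timestamp_only"].append((rel, drift))
    return report


def demo():
    """Constructed scenario: baseline a small evidence tree, apply the kinds of
    change an AV product or processing tool can make, then diff."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    try:
        (root / "sub").mkdir()
        # Constructed sample files; contents are arbitrary bytes, not real malware.
        samples = {
            "clean.bin": b"\x00" * 4096,
            "disinfected.bin": b"MZ" + b"\x90" * 128,
            "deleted.bin": b"\x01\x02\x03\x04",
            "touched.bin": b"metadata only",
            "sub/nested.txt": b"nested evidence",
        }
        for rel, data in samples.items():
            (root / rel).write_bytes(data)
        baseline = snapshot(root)

        # 1. "Disinfect" in place: same name and same size, different bytes.
        (root / "disinfected.bin").write_bytes(b"\x00" * 130)
        # 2. Delete rather than quarantine.
        (root / "deleted.bin").unlink()
        # 3. A tool rewrites the modification time (stand-in for a product that
        #    touches metadata); on POSIX ctime moves too because the inode changed.
        st = (root / "touched.bin").stat()
        os.utime(root / "touched.bin", ns=(st.st_atime_ns, st.st_mtime_ns + 3600 * 10**9))
        # 4. Something new lands in the tree, e.g. a quarantine or log file.
        (root / "quarantine.txt").write_bytes(b"moved here by scanner")

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

The size check alone would miss the "disinfected" file (130 bytes before and after); the hash catches it, which is why a size-and-date listing is not a substitute for a fingerprint database. One caveat when pointing this at a real evidence drive: taking the baseline reads every file, and on a filesystem mounted without noatime that read can itself update access times, so take the baseline through a write blocker or a read-only, noatime mount, or treat atime drift as expected and alert only on mtime, ctime and content.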
(@pedro281)
Eminent Member
Joined: 17 years ago
Posts: 38
 

We use an enterprise solution. Sophos is good, as is the CA offering. It is installed on all machines, servers included. The real-time overhead is negligible.
It allows us to "report only", i.e. it stops anything executing and sends an alert, so that we can choose how to deal with it.
The compliance type software is also a good choice, but you have to plan the implementation properly, and they can be expensive if you have a larger environment.
Ideally a mixture of the two would be my ultimate solution. That way you have protection as well as an audited forensic workstation.


   