Point and Counterpoint

On June 20, 2008, in Security, by

TheGoldFish.net Blog » Blog Archive » No Server-Side AV:

Do I have a/v on a file server, yes.

Do I have a/v on a server whose entire role/duty is merely a blog server?  Given that antivirus software itself has vulnerabilities?  Less code on a box means less attack surface, yes?  And that’s the key here.  When you have a publicly exposed box you must decide what software adds risk.

I planned to be owned, with backups of just the data to build back the system.  The file that got on the box is merely the effect of a cause; the initial cause is still being investigated.  My current theory is that it may have been a SQL injection, which antivirus would not have protected against.

Steve Riley on Security : More on the necessity of antivirus software:

The key here is that I/we must plan to be owned.  Truly.  Protect the data, encrypt it so that it cannot be accessed, but if you plan for the server to be owned, then you can flatten it without fear.

“Inside the Security Mind” by Kevin Day talks about this.  Did I plan to be owned well enough?  No.  Obviously I didn’t.  But I’m still not budging from my view that on a web server whose single role is to be a web server, antivirus software, which has as many or more vulnerabilities than the operating system, introduces more risk to the system.


Should a public system have on it some of the most vulnerable software, when I’m still of the strong belief that it would only be reactionary and I’d still be flattening the system regardless?

By the time any file I didn’t put there got on the box, the game is over.  Antivirus, in my opinion, is not the answer in all cases.


My plan is still the same.  And I’ll do a better job; right now I’m testing a filter for SQL injection.  But again, running antivirus and anti-malware software on a web server brings risks that cannot and should not be overlooked.  Nor should it be believed that antivirus would have stopped this, especially at this point, when it’s still under investigation and the initial event is still not understood.


Regardless of the identification of this file, something was able to enter this system that I didn’t authorize and then placed the file on the box.  In that respect I failed.  But don’t think that this wasn’t a planned setup, with decisions made based on the risks of the software placed on the system.  Antivirus would not have stopped the original entry.  This server should and would have been flattened regardless.  My biggest takeaway was not that I need more antivirus, but rather better monitoring.
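As an added example (not the blog’s own code) of the “better monitoring” this post lands on: take a baseline of file hashes for the web root right after a known-good deploy, then compare later to flag any file that appeared, changed or vanished without the admin putting it there. The directory layout and file names below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[str(path.relative_to(root))] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files added, removed and modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny web root, then simulate an unauthorized drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "style.css").write_text("body {}")
        baseline = snapshot(root)  # would be stored off-box after deployment
        # Changes the admin did not make (constructed for the example)
        (root / "wp-content" / "uploads.php").write_text("<?php /* not mine */ ?>")
        (root / "index.php").write_text("<?php echo 'changed'; ?>")
        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Storing the baseline off the box matters: if the manifest lives on the server, whatever placed the file can rewrite it too.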


Antivirus software is not for all situations.  I still stand by that decision.


But for a public exposed web server these days… plan to be owned… so you can flatten and start over.


Microsoft Product Support Services for Security is still investigating and I’ll be very transparent with what they find.  The buck does stop here though.  I fund the blog out of my personal pocket and this isn’t a business.  If it were a money-making entity would I make different decisions?  I still don’t think so.  It is still my strong belief that one just doesn’t blindly install antivirus software without looking at the impact of false positives, security issues, and other vulnerabilities that make it bring risks to any box.


That’s the thing about security… Best practices are only best for you… will my list of best change?  You betcha.  But on this particular box, I’m still not installing antivirus.  It’s still a measured decision that I’m making weighing the pros and the cons.
