Security Basics mailing list archives

Re: Anti-Virus Updates - How?


From: "Eric C. Lukens" <eric.lukens () uni edu>
Date: Mon, 13 Jul 2009 14:19:32 -0500

Unfortunately, there probably is not a good answer.  The more recent
your virus definitions are, the better job the anti-virus will do, but
the more risk you encounter from a bad update.  We've found ourselves
having to deploy so-called "rapid release" definitions from time to time
to stop malware from spreading around campus.

I think the following things need to be part of your considerations:

1) Do all or most of your users have admin rights?  If so, AV becomes
more important as a tool to stop malware.  A recent study said that some
90% of malware was completely non-functional under limited-user accounts
and those that ran with limited user rights were fairly easily cleaned.
If your users can be limited users, you might not have to be as recent
on definitions, so you can do more testing.

2) Do you or can you implement other security measures to limit malware?
For example, see http://mechbgon.com/srp/ where the author uses group
policy to limit executables to those that reside only in pre-defined
folders, typically Program Files and Windows, but you can specify
others.  If malware can't run, it probably doesn't matter so much if you
detect it.

3) Do you have virus scanning on your email server or spam appliance
that can remove malicious code from emails?  Email is still a huge way
for malicious code to get around, so if you have alternative scanners in
place, you will not have to rely on local anti-virus for email scanning
(assuming your users only use your email servers or others that have
scanning as well).

4) Do you or can you block known malicious sites and sites where malware
makers are wanting to target (MySpace, Twitter, etc.)?

5) Do you have procedures or policies in place that allow someone to
discipline users who violate policies and then infect their computers
and/or the other machines as well?

Basically, the more risk factors you have for getting malware on the
machines, the more you're going to need bleeding edge anti-virus
definitions.  That said, so many attacks are not caught by anti-virus
software anyway, so there is a decent argument that you might just as
well test updates every so often since anti-virus isn't going to catch
everything anyway.  We have had bad updates from anti-virus do some
nasty things as well, but at least in our situation, the thought of not
running anti-virus software is much worse than the potential for damage
from a bad update.  You probably know your own users best, so look at
the logs and see how many detections your anti-virus software has.  If
yours is anything like what I see, you'll have a small subset of users
that account for most of your infections.  You could put them in their
own group that got frequent updates and put the rest of your users into
a tested definitions group.

-Eric

-------- Original Message  --------
Subject: Anti-Virus Updates - How?
From: Ian Bradshaw <ian () ianbradshaw net>
To: security-basics () securityfocus com
Date: 7/10/09 9:49 AM
Hi,

Just wondering if anyone has a plan for deployment of AV updates?

There have been a couple of AV updates that have trashed systems recently
(one from CA and one from McAfee).

Neither of these have affected me (fortunately) but we do have all our
systems set to update to the latest definitions - so guess it will happen at
some point.

The problem is, in a small IT department (4 staff with ~5,000 pcs/laptops
over 10 geographic locations - we don't have much spare time!), what is the
best way to deploy AV updates?

Given the number of updates sent out, it's not feasible to test them all
when they are released.

So, leave auto-update on or hold back and test say once a week and update
then, or what?

Any thoughts? / how do people do it at the moment?

Cheers

I.


-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/
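The triage Eric describes at the end of his reply (look at the AV detection logs, find the small subset of users behind most of the infections, and put them in their own frequent-update group while everyone else stays on tested definitions), as an added example that is not from the original thread. It assumes a CSV export from the AV console with a `user` column; the log rows and the user roster are constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export from an AV console (not real data): one row per detection.
SAMPLE_LOG = """timestamp,host,user,threat,action
2009-07-10T08:02:11,LAB-PC-01,jdoe,Trojan.Generic,quarantined
2009-07-10T09:14:52,LAB-PC-01,jdoe,Adware.Toolbar,cleaned
2009-07-10T11:40:03,OFF-PC-07,asmith,Trojan.Generic,quarantined
2009-07-11T10:05:37,LAB-PC-01,jdoe,Worm.Autorun,quarantined
2009-07-11T13:22:45,LAB-PC-02,bjones,Worm.Autorun,quarantined
2009-07-12T09:31:19,OFF-PC-12,cwhite,Adware.Toolbar,cleaned
2009-07-12T16:48:00,LAB-PC-02,bjones,Trojan.Generic,quarantined
2009-07-13T08:10:26,LAB-PC-01,jdoe,Trojan.Downloader,quarantined
"""

# Constructed roster of all managed accounts, including ones with no detections.
ROSTER = ["jdoe", "asmith", "bjones", "cwhite", "dgreen", "ebrown"]


def detections_per_user(log_text):
    """Count AV detections per user account from a CSV export."""
    counts = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        counts[row["user"]] += 1
    return counts


def assign_update_rings(counts, roster, share=0.75):
    """Split users into a 'rapid' ring (latest definitions, no staging) and a
    'tested' ring (definitions released after local testing).

    The rapid ring is the smallest set of the most-infected users whose
    detections together reach `share` of all detections. Everyone else,
    including users with no detections at all, goes into the tested ring.
    With no detections in the log, nobody is placed in the rapid ring."""
    total = sum(counts.values())
    rapid, cumulative = set(), 0
    for user, n in counts.most_common():
        if cumulative >= share * total:
            break
        rapid.add(user)
        cumulative += n
    tested = set(roster) - rapid
    return {"rapid": sorted(rapid), "tested": sorted(tested)}


if __name__ == "__main__":
    rings = assign_update_rings(detections_per_user(SAMPLE_LOG), ROSTER)
    print("rapid ring :", ", ".join(rings["rapid"]))
    print("tested ring:", ", ".join(rings["tested"]))
```

On the sample log two of six accounts produce 75% of the detections, so only those two land in the rapid ring; re-run the split periodically, since the heavy-detection subset shifts over time.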



