Educause Security Discussion mailing list archives

Re: viruses that have been cleaned or quarantined


From: Ken Connelly <ken.connelly () UNI EDU>
Date: Wed, 21 Jun 2017 16:02:27 -0500

On 6/21/17 3:52 PM, Kevin Wilcox wrote:
On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:

If your virus scanner has cleaned or quarantined a virus/malware/etc., do
you do any additional scanning or followup on the endpoint? I know virus
definitions, though up to date, may potentially just be catching a virus
that has lived on the machine for several months and had only been recently
identified. Do you trust that "cleaned" means it took care of any damage
that had been done, if any?
Chelsie -

I see no difference between AV and IDS. The idea that AV can "clean" a
system is one that I'd like to see eradicated.

That's not to say that it's impossible - just that it takes known-good
cryptographic hash values for every file on the system, a trusted
off-system scanning agent and good alerting when something changes.
That's before having the same thing in place for registry hives, the
ability to detect/audit ADSs, etc.

If AV alerts on anything, and I can't otherwise determine it's a false
positive, it's a re-image of the system. Again, AV alerts are treated
the same as IDS alerts. There are some exceptions where it's profile
removal/recreation but generally speaking that's insufficient for most
of our environment.

One massive hole to that approach - we back up data, re-image and
restore. If something is hiding in one of the backed-up files, it
comes back on the newly-built system.

It's certainly not perfect and needs some work but I've done too many
forensic examinations of systems to trust that AV can do anything
beyond alerting on 25% of the stuff that's out there.

kmw

25% is being overly kind and generous.  Otherwise, I'm with Kevin on
this one.  "Cleaning" is not an option.  Wipe, reformat, and
reinstall/reimage is the only way to go.  That might seem like overkill,
but it saves time, headache, and gnashing of teeth in the long run.

-ken

-- 
- Ken
=================================================================
Ken Connelly                       Director, Information Security
Information Security Officer          University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!
