Educause Security Discussion mailing list archives
Re: viruses that have been cleaned or quarantined
From: Ken Connelly <ken.connelly () UNI EDU>
Date: Wed, 21 Jun 2017 16:02:27 -0500
On 6/21/17 3:52 PM, Kevin Wilcox wrote:
On 21 June 2017 at 15:50, Chelsie Power <cpower () csusm edu> wrote:If your virus scanner has cleaned or quarantined a virus/malware/etc., do you do any additional scanning or followup on the endpoint? I know virus definitions, though up to date, may potentially just be catching a virus that have lived on the machine for several months and had only been recently identified. Do you trust that "cleaned" means it took care of any damage that had been done, if any?Chelsie - I see no difference between AV and IDS. The idea that AV can "clean" a system is one that I'd like to see eradicated. That's not to say that it's impossible - just that it takes known-good cryptographic hash values for every file on the system, a trusted off-system scanning agent and good alerting when something changes. That's before having the same thing in place for registry hives, the ability to detect/audit ADSs, etc. If AV alerts on anything, and I can't otherwise determine it's a false positive, it's a re-image of the system. Again, AV alerts are treated the same as IDS alerts. There are some exceptions where it's profile removal/recreation but generally speaking that's insufficient for most of our environment. One massive hole to that approach - we backup data, re-image and restore. If something is hiding in one of the backed-up files, it comes back on the newly-built system. It's certainly not perfect and needs some work but I've done too many forensic examinations of systems to trust that AV can do anything beyond alerting on 25% of the stuff that's out there. kmw
25% is being overly kind and generous. Otherwise, I'm with Kevin on this one. "Cleaning" is not an option. Wipe, reformat, and reinstall/reimage is the only way to go. That might seem like overkill, but it saves time, headache, and gnashing of teeth in the long run. -ken -- - Ken ================================================================= Ken Connelly Director, Information Security Information Security Officer University of Northern Iowa email: Ken.Connelly () uni edu p: (319) 273-5850 f: (319) 273-7373 Any request to divulge your UNI password via e-mail is fraudulent!
Current thread:
- viruses that have been cleaned or quarantined Chelsie Power (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Belford, Jason C. (jcb3zr) (Jun 21)
- Re: viruses that have been cleaned or quarantined Garmon, Joel (Jun 22)
- Re: viruses that have been cleaned or quarantined Frank Barton (Jun 22)
- Re: viruses that have been cleaned or quarantined Tim Doty (Jun 22)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 22)
- Re: viruses that have been cleaned or quarantined Ken Connelly (Jun 21)
- Re: viruses that have been cleaned or quarantined Kevin Wilcox (Jun 21)