Honeypots mailing list archives
Honeypot and AntiVirus
From: J Bailes <jbailes () parasys com>
Date: 17 Dec 2003 16:23:13 -0000
Hello,

I recently set up a honeypot using VMware and Windows 2000 Pro as the guest OS/honeypot. I am logging all packets on the host OS (Win XP Pro) using IRIS (plus I have some other tools running on both machines). I am also using AntiVirus software on the host OS. When I try to decode and view packets in IRIS, the AV jumps into action and cleans what it reports as malicious code from the packet logs (e.g., last night - W32.Slammer).

So, here are my questions:

1) Can I set my AV to prevent this without risking compromise to my host OS where the analysis will be performed?
2) Can an analysis be performed with mitigated risk of compromise to the machine running the analysis?

Thanks in advance.

J.