Honeypots mailing list archives

Re: Honeypot and AntiVirus


From: Devilscrow Sr <devilscrow () gawab com>
Date: Fri, 19 Dec 2003 19:05:58 +0530

Dear J,

I was wondering if it was Iris that was creating a problem, but now I feel your AV blocks and cleans the logs before anything can be done. I guess disabling your AV should be a solution. And did you try setting the log directory as an exception to be left out of your scans?

Hope it works for you.

-dev
J Bailes wrote:

Thanks for the reply.

I have tried logging in the guest OS/honeypot but IRIS wouldn't function properly. When I tried to decode the captured packets, IRIS would freeze up, so to speak. The AV is cleaning the logs when I try to view a decoded packet in IRIS; e.g. 192.168.1.101 <1433> - when I tried to view the data the AV cleaned it before IRIS had a chance to display it. I don't believe the actual binary ever made it to the honeypot as that port was protected. As far as separating my systems for logging and analysis is concerned, that day is coming shortly. I had to give up my Top Secret Computer Lab with 4 machines (a.k.a. bedroom #3) to make room for twins. I am currently limited to one PC in another room. Another person mentioned that it would probably be OK to disable the real-time scanning feature of the AV to avoid having my packet logs cleaned when I accessed them.

Thanks again!

J.
