Honeypots mailing list archives
Re: Honeypot and AntiVirus
From: Devilscrow Sr <devilscrow () gawab com>
Date: Fri, 19 Dec 2003 19:05:58 +0530
Dear J, I was wondering if it was Iris that was creating a problem, but now I feel your AV blocks and cleans the logs before anything can be done. I guess disabling your AV should be a solution. And did you try setting the log directory as an exception to be left out of your scans?
Hope it works for you. -dev J Bailes wrote:
In-Reply-To: <3FE0CFE9.2030500 () gawab com>

Thanks for the reply. I have tried logging in the guest OS/honeypot but IRIS wouldn't function properly. When I tried to decode the captured packets, IRIS would freeze up, so to speak. The AV is cleaning the logs when I try to view a decoded packet in IRIS; e.g. 192.168.1.101 <1433> - when I tried to view the data the AV cleaned it before IRIS had a chance to display it. I don't believe the actual binary ever made it to the honeypot as that port was protected.

As far as separating my systems for logging and analysis is concerned, that day is coming shortly. I had to give up my Top Secret Computer Lab with 4 machines (a.k.a. bedroom #3) to make room for twins. I am currently limited to one PC in another room. Another person mentioned that it would probably be OK to disable the real-time scanning feature of the AV to avoid having my packet logs cleaned when I accessed them.

Thanks again! J.
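The problem in this thread is that the on-access AV scanner alters packet logs before the analysis tool can show them, and nobody notices until a decode fails. As an added example (not code from the thread, from IRIS, or from any AV product), here is one way to store capture records so the file on disk holds only hex text, which an on-access scanner has nothing to signature-match, together with a per-record SHA-256 that tells you whether anything on the host changed the log between capture and analysis. The record layout, function names and sample payloads are all constructed for this illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def write_record(log_path, src, dport, payload):
    """Append one capture record as a JSON line (constructed layout).
    The payload is stored hex-encoded, so the raw bytes never hit disk."""
    rec = {"src": src, "dport": dport,
           "payload_hex": payload.hex(),
           "sha256": hashlib.sha256(payload).hexdigest()}
    with open(log_path, "a", encoding="ascii") as fh:
        fh.write(json.dumps(rec) + "\n")

def read_records(log_path):
    """Decode every record back to raw bytes for the analysis tool and
    mark each one ok/not-ok by recomputing its digest."""
    out = []
    if not Path(log_path).exists():          # whole file removed = everything lost
        return out
    with open(log_path, encoding="ascii") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            rec = json.loads(line)
            payload = bytes.fromhex(rec["payload_hex"])
            ok = hashlib.sha256(payload).hexdigest() == rec["sha256"]
            out.append((lineno, rec["src"], rec["dport"], payload, ok))
    return out

def verify_log(log_path):
    """Return (records_read, records_altered): a quick check to run before
    trusting a log that lives on a host with real-time scanning enabled."""
    recs = read_records(log_path)
    return len(recs), sum(1 for r in recs if not r[4])

def demo():
    """Constructed run: write two records, verify, then simulate a scanner
    'cleaning' one payload and verify again. Returns both (read, altered) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "honeypot.jsonl"
        write_record(log, "192.168.1.101", 1433, b"\x01\x02\x03" + bytes(range(0, 256, 17)))
        write_record(log, "192.168.1.50", 80, b"GET / HTTP/1.0\r\n\r\n")
        before = verify_log(log)
        lines = log.read_text(encoding="ascii").splitlines()
        rec = json.loads(lines[0])
        rec["payload_hex"] = rec["payload_hex"][:4]   # simulated in-place "clean"
        lines[0] = json.dumps(rec)
        log.write_text("\n".join(lines) + "\n", encoding="ascii")
        after = verify_log(log)
    return before, after
```

Excluding the log directory from real-time scanning, as suggested above, is still the real fix; this only makes the damage visible when that exclusion is missing.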
Current thread:
- Honeypot and AntiVirus J Bailes (Dec 17)
- Re: Honeypot and AntiVirus Devilscrow Sr (Dec 17)
- <Possible follow-ups>
- Re: Honeypot and AntiVirus J Bailes (Dec 18)
- Re: Honeypot and AntiVirus Devilscrow Sr (Dec 19)
- Re: [mailinglists] Re: Honeypot and AntiVirus KeyFocus (Dec 19)
- Re: [mailinglists] Re: Honeypot and AntiVirus sejhre (Dec 19)