[unisog] How often to pull anti virus updates from vendors

William D. Colburn (aka Schlake) wcolburn at nmt.edu
Wed Dec 5 16:19:32 GMT 2001


We pull files nightly, and they are installed everywhere pretty
quickly.  A cron job downloads updates from NAI/Mcafee and puts them
into a samba share so that Mcafee will find them.

My mail server also downloads the current dat every night and installs
it.

I happened to be looking at the Mcafee web site yesterday when they
released the new dat so I got it, otherwise I wouldn't have known
about it until a) the virus started streaming into my mailbox (which
happened 36 minutes after installing the new dat), or b) someone on this
list posted a warning about needing the new dat.

I sometimes worry that NAI/Mcafee will be upset that we download the
weekly dats every night, but they have never complained to us about it.

We already have a lightweight method in place to distribute the dats
internally, so if we had a lightweight way to query for new dats it
wouldn't be a burden on us.

I was thinking about this problem this morning.  I like the idea of
hesiod records that contain the newest version information.  They are
fast and simple. If the software detected a version mismatch it could
perform one of several options such as automatically fetch and install,
alert, ignore, etc.  They would also be better than the current internal
datestamp: rather than giving a warning when something is n months old,
it could query, and give a warning the moment it is out of date.

Obvious risks are the fact that the hesiod domain would then become a
prime target for DOS, forgery, etc.  Cryptographically signed records
could be reasonably small and would help with a lot of that problem.

In the meantime, I plan to rely on nightly updates and seeing warnings
from people on this mailing list.

On Wed, Dec 05, 2001 at 09:33:51AM -0600, Harris, Michael C. wrote:
> with two new rapid replicating e-mail worm/script/viruses in the last three
> days I think it may be time to reevaluate how often new antivirus files are
> being pulled from the AV vendor sites.
> 
> it seems weekly won't cut it any more, but is daily enough? 
> 
> is hourly a performance burden?
> 
> what implications does that have to host based AV (e-mail, proxy, other)?
> 
> or clients side AV? if updates came in three hours in a row could the files
> be distributed to all your clients that fast, without unreasonable burden on
> network performance?
> 
> thanks
> Mike
> 
> --------------------------------------------------
> Michael C Harris
> System Security Analyst - Expert
> ITS / Research Education and Support
> University of Missouri Health Center
> Phone: 573-882-3392 
> 
> harrismc at health.missouri.edu
> --------------------------------------------------
> This e-mail is sent with 99.73% recyclable electrons
> 
> 
> 

--
William Colburn, "Sysprog" <wcolburn at nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn
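As an added illustration of the scheme sketched in the post above (a small published record carrying the newest dat version, a client that compares it with the installed version and then fetches, alerts, or ignores, and a signature so a forged or replayed record is rejected), here is example code that is not part of the original message or of any NAI/Mcafee tooling. The record format, the key, the version numbers and the policy names are all constructed for the example; an HMAC over the record body stands in for the signature so that it runs with the Python standard library alone.

```python
"""Version-record check for anti-virus signature (dat) files.

Constructed example: models a published "newest version" record of the
kind a hesiod/DNS TXT lookup might return, a client-side comparison
against the installed dat, and the fetch/alert/ignore policy choice.
"""
import hashlib
import hmac
import re
from enum import Enum


class Action(Enum):
    UP_TO_DATE = "up-to-date"
    FETCH = "fetch-and-install"
    ALERT = "alert"
    IGNORE = "ignore"
    REJECT = "reject-record"


# Constructed placeholder key. A real deployment would publish the record
# under a public-key signature so that clients hold no secret at all;
# HMAC-SHA256 is used here only to keep the example self-contained.
SIGNING_KEY = b"example-shared-key"

# Record layout (constructed): v=<dat version>;d=<YYYYMMDD>;sig=<hex tag>
RECORD_RE = re.compile(
    r"^v=(?P<version>\d+);d=(?P<date>\d{8});sig=(?P<sig>[0-9a-f]{64})$"
)


def sign_record(version: int, date: str, key: bytes = SIGNING_KEY) -> str:
    """Produce the record the update server would publish."""
    body = f"v={version};d={date}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body};sig={tag}"


def verify_record(record: str, key: bytes = SIGNING_KEY):
    """Return (version, date) if the record is well-formed and its tag
    verifies, else None. Constant-time comparison avoids leaking the tag."""
    m = RECORD_RE.match(record)
    if m is None:
        return None
    body = f"v={m['version']};d={m['date']}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m["sig"]):
        return None
    return int(m["version"]), m["date"]


def decide(record: str, installed_version: int, policy: str = "fetch",
           last_seen_version: int = 0) -> Action:
    """Decide what the client should do about a fetched version record.

    last_seen_version is the highest version the client has already
    accepted; a verified record carrying an older number is treated as a
    replay and rejected rather than silently ignored.
    """
    parsed = verify_record(record)
    if parsed is None:
        return Action.REJECT
    version, _date = parsed
    if version < last_seen_version:
        return Action.REJECT
    if version <= installed_version:
        return Action.UP_TO_DATE
    return {"fetch": Action.FETCH,
            "alert": Action.ALERT,
            "ignore": Action.IGNORE}[policy]


if __name__ == "__main__":
    # Constructed sample: server publishes dat 4175, client has 4174.
    published = sign_record(4175, "20011205")
    print(published)
    print("installed 4174, policy fetch ->", decide(published, 4174).value)
    print("installed 4175 ->", decide(published, 4175).value)
    forged = published.replace("v=4175", "v=4176")
    print("forged record ->", decide(forged, 4174).value)
```

The client never trusts the version number before the tag verifies, and it keeps the highest version it has accepted so that an attacker who can only replay an old, genuinely signed record cannot roll a host back to a stale dat. Those two checks are what address the DOS/forgery concern the post raises; the choice between fetching, alerting and ignoring is then a local policy decision.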


