[unisog] How often to pull anti virus updates from vendors

Anne Bennett anne at alcor.concordia.ca
Fri Dec 7 20:42:39 GMT 2001

>> Sophos has an "alert" mailing list for this very purpose.  My plan is
>> to have a message received from this list trigger a process to pick
>> up the latest set of definitions

> As a cracker the place I'm going to break in to is NAI's
> distribution server and let it automatically distribute my virus for me.
> [...] Failing that my next attack would be the network routing
> to the "hardcoded" site to insert my host [...] and my virus
> into your update stream.

If the cracker does all that, and manages to insert something in a virus
signature file that will somehow be executed (I'm no expert on anti-virus
programs, but I thought the signatures were just data files), then what
difference does it make whether I download the result automatically
or manually?  It's not as though I as a human would be able to detect
the attack you describe any more than my cron job would.

(In the case of my mail relays, the virus scanner runs as an
unprivileged user anyway, so the damage would be quite limited, even
assuming that the Master Cracker wrote something that would run on
Digital Unix. :-) )

> Digitally signed updates (assuming the attacker hasn't
> managed to compromise the virus company's key) would be one way around most 
> of this risk.

Indeed, and if my vendor starts signing their stuff, I will add code
to check the signatures.  I agree that it would be a good idea.

> So I think the worst that could happen is a fair bit more serious than 
> a DOS attack (although unlikely enough that the risk may be acceptable to you
> as long as you are aware it is there and have considered it ...)

Well, I'm aware that there's a risk in running any code I obtain from
the net, but it's not clear to me how automating the download and
installation of the new signatures increases the risk over installing
them by hand.

Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
anne at alcor.concordia.ca                                        +1 514 848-7606

More information about the unisog mailing list