[unisog] How often to pull anti virus updates from vendors
john.meyers at wright.edu
Fri Dec 7 21:47:03 GMT 2001
Anne Bennett wrote:
> Indeed, and if my vendor starts signing their stuff, I will add code
> to check the signatures. I agree that it would be a good idea.
> > So I think the worst that could happen is a fair bit more serious than
> > a DOS attack (although unlikely enough that the risk may be acceptable to you
> > as long as you are aware it is there and have considered it ...)
> Well, I'm aware that there's a risk in running any code I obtain from
> the net, but it's not clear to me how automating the download and
> installation of the new signatures increases the risk over installing
> them by hand.
Anne, just a note that we've been running with this configuration for some time
now (automatic downloads of virus identities initiated via Sophos alerts).
This has saved our rear ends more than a few times in that I have the process
set to check for alerts every half hour, and automatically fetch/install the
identity file. This works extremely well. Given the importance of having
the identities updated in a timely fashion, I really don't know how else you
could do this currently (short of the vendor implementing some form of secure
download, but who knows when that will happen). As it stands right now, whether
the alert comes at 3am in the morning or over the weekend, the identity file is
made active within 30 minutes. Sometimes that makes the difference between
having a handful of infected machines and/or considerably more.
In order to attack this type of configuration, the attacker would have to
know the e-mail address that is actually receiving the alerts, the account that
the address resolves to, and overcome any type of parsing checks that are in
place to parse the url to retrieve. Assuming your network/hosts are fairly
secure to begin with, I would think the risk is minimal.
Wright State University
E-mail: john.meyers at wright.edu
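The "parsing checks" on the alert URL that the post relies on, together with a digest check for the case where the vendor publishes one, as an added example that is not the poster's own script. The allowlisted host, the identity-file naming pattern and the sample alert text are assumptions constructed for illustration.

```python
"""Strict checks on a vendor update URL taken from an alert e-mail, plus a
constant-time digest comparison for the downloaded identity file."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumed allowlist: only this vendor host may serve identity files.
ALLOWED_HOSTS = {"updates.vendor.example"}
# Assumed naming convention for identity files, e.g. /ides/ide_123.zip
IDE_NAME = re.compile(r"^/ides/ide_\d{1,6}\.zip$")
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample alert: one acceptable URL (with a trailing period
# from the sentence) and one plain-http mirror that must be rejected.
SAMPLE_ALERT = """Subject: New virus identity available
A new identity file is available at
https://updates.vendor.example/ides/ide_123.zip.
Mirror: http://updates.vendor.example/ides/ide_123.zip
"""


def validate_update_url(url: str) -> bool:
    """Accept only https, a bare allowlisted host (no userinfo, no port),
    no query/fragment, and a path matching the expected file name."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # netloc must equal the parsed hostname: rejects 'host@evil', 'host:8443',
    # and a lookalike such as 'updates.vendor.example.evil.example'.
    if parts.hostname is None or parts.netloc != parts.hostname:
        return False
    if parts.hostname not in ALLOWED_HOSTS or parts.query or parts.fragment:
        return False
    return bool(IDE_NAME.match(parts.path))


def extract_update_urls(alert_text: str) -> list:
    """Return every URL in the alert body that passes validate_update_url."""
    found = (u.rstrip(".,;:)") for u in URL_IN_TEXT.findall(alert_text))
    return [u for u in found if validate_update_url(u)]


def digest_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the file's SHA-256 with a digest obtained out of band
    (e.g. from the vendor's page over TLS), in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())
```

The fetch/install step itself is left out; the point is that nothing is handed to it unless the URL passed every check above.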