[unisog] How often to pull anti virus updates from vendors

John Meyers john.meyers at wright.edu
Fri Dec 7 21:47:03 GMT 2001


Anne Bennett wrote:
> 
  snip ...
> 
> Indeed, and if my vendor starts signing their stuff, I will add code
> to check the signatures.  I agree that it would be a good idea.
> 
> > So I think the worst that could happen is a fair bit more serious than
> > a DOS attack (although unlikely enough that the risk may be acceptable to you
> > as long as you are aware it is there and have considered it ...)
> 
> Well, I'm aware that there's a risk in running any code I obtain from
> the net, but it's not clear to me how automating the download and
> installation of the new signatures increases the risk over installing
> them by hand.
> 

 Anne, just a note that we been running with this configuration for some time
 now (automatic downloads of virus identities initiated via sophos alerts).
 This has saved our rear ends more than a few times in that I have the process
 set to check for alerts every half hour, and automatically fetch/install the
 identity file.  This works extremely well.  Given the importance of having
 the identities updated in a timely fashion, I really don't know how else you
 could do this currently (short of the vendor implementing some form of secure
 download, but who knows when that will happen).  As it stands right now, whether
 the alert comes at 3am in the morning or over the weekend, the identity file is
 made active within 30 minutes.  Sometimes that makes the difference between
 having a handfull of infected machines and/or considerably more.

 In order to attack this type of configuration, the attacker would have to
 know the e-mail address that actually receiving the alerts, the account that
 the address resolves to, and overcome any type of parsing checks that are in
 place to parse the url to retrieve.   Assuming your network/hosts are fairly
 secure to begin with, I would think the risk is minimal.

 John Meyers
 Computing Services
 Wright State University
 E-mail: john.meyers at wright.edu



More information about the unisog mailing list