[unisog] How often to pull anti virus updates from vendors

Anne Bennett anne at alcor.concordia.ca
Fri Dec 7 21:53:33 GMT 2001


John Meyers <john.meyers at wright.edu> writes:
>> 
>> Well, I'm aware that there's a risk in running any code I obtain from
>> the net, but it's not clear to me how automating the download and
>> installation of the new signatures increases the risk over installing
>> them by hand.
> 
>  Anne, just a note that we've been running with this configuration for some time
>  now (automatic downloads of virus identities initiated via Sophos alerts).
>  This has saved our rear ends more than a few times

:-)

>  in that I have the process
>  set to check for alerts every half hour, and automatically fetch/install the
>  identity file.  This works extremely well.  Given the importance of having
>  the identities updated in a timely fashion, I really don't know how else you
>  could do this currently

I think that's the right approach, and it's the one I intend to take,
with the addition that an incoming alert will *also* trigger an
immediate fetch/install.

>  In order to attack this type of configuration, the attacker would have to
>  know the e-mail address that is actually receiving the alerts, the account that
>  the address resolves to, and overcome any type of parsing checks that are in
>  place to parse the url to retrieve.   Assuming your network/hosts are fairly
>  secure to begin with, I would think the risk is minimal.

I don't intend to extract information from the message (other than to
do a cursory check that it's probably Sophos's alert, to avoid having
random spam set off a download unnecessarily).  In particular, I would
not retrieve a URL I received in a mail message; that *could* be
dangerous!

It's interesting to note how people often come up with pretty much
the same scheme independently -- probably means we're doing something
right. :-)


Anne.
-- 
Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
anne at alcor.concordia.ca                                        +1 514 848-7606
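
The scheme discussed in this message (periodic poll, plus an immediate fetch when an alert arrives, with only a cursory check of the mail and no URL ever taken from it), sketched as an added example that is not part of the original post. The sender domain, subject pattern, update URL and minimum interval are hypothetical placeholders, not Sophos values.

```python
import email
import re
import time
from email.utils import parseaddr

# Assumed placeholders (not from the thread): replace with the values your
# vendor documents. The URL is fixed in configuration, never read from mail.
ALERT_SENDER_DOMAIN = "alerts.vendor.example"
ALERT_SUBJECT_RE = re.compile(r"\bvirus (alert|identity)\b", re.I)
UPDATE_URL = "https://updates.vendor.example/identities/latest"
MIN_INTERVAL = 300  # seconds between fetches, so a burst of alerts costs one download

# Constructed sample messages for illustration; note the URL in the alert body.
SAMPLE_ALERT = ("From: Alerts <notify@alerts.vendor.example>\n"
                "Subject: Virus alert: new identity file\n\n"
                "Get it at http://other.example/new.ide\n")
SAMPLE_SPAM = ("From: promo@shop.example\n"
               "Subject: Virus alert!!! buy now\n\nhttp://shop.example/x\n")


def looks_like_alert(raw_message: str) -> bool:
    """Cursory check only: headers are forgeable, so a match is a hint, not proof."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    _, at, domain = addr.rpartition("@")
    subject_ok = bool(ALERT_SUBJECT_RE.search(msg.get("Subject", "")))
    return bool(at) and domain.lower() == ALERT_SENDER_DOMAIN and subject_ok


class UpdateTrigger:
    """Calls fetch(UPDATE_URL) on an alert or on the periodic timer, rate-limited."""

    def __init__(self, fetch, clock=time.monotonic):
        self.fetch, self.clock, self.last = fetch, clock, None

    def _run(self) -> bool:
        now = self.clock()
        if self.last is not None and now - self.last < MIN_INTERVAL:
            return False  # fetched recently; a forged alert costs nothing extra
        self.last = now
        self.fetch(UPDATE_URL)  # message content never influences what is fetched
        return True

    def on_mail(self, raw_message: str) -> bool:
        return looks_like_alert(raw_message) and self._run()

    def on_timer(self) -> bool:
        return self._run()
```

A forged alert that passes the header check can at worst cause one early fetch from the configured location; the fetched file still needs whatever integrity check the vendor provides.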