[unisog] How often to pull anti virus updates from vendors

Peter Van Epp vanepp at sfu.ca
Sat Dec 8 05:57:03 GMT 2001

> >> Sophos has an "alert" mailing list for this very purpose.  My plan is
> >> to have a message received from this list trigger a process to pick
> >> up the latest set of definitions
> > As a cracker the place I'm going to break in to is NAI's
> > distribution server and let it automatically distribute my virus for me.
> > [...] Failing that my next attack would be the network routing
> > to the "hardcoded" site to insert my host [...] and my virus
> > into your update stream.
> If the cracker does all that, and manages to insert something in a virus
> signature file that will somehow be executed (I'm no expert on anti-virus
> programs, but I thought the signatures were just data files), then what
> difference does it make whether I download the result automatically
> or manually?  It's not as though I as a human would be able to detect
> the attack you describe any more than my cron job would.

	The package I looked at did both virus signatures (which is dangerous 
enough, if I load one that says "ignore my particular virus" ...) and the 
virus engine itself (which is executable code). It did this utilizing a third
party update package (which had a security flaw exposed on bugtraq that same
week as I recall), so it isn't only the virus vendor you need to be trusting
(although your package may well be different). 
	That said you are correct that the change is hard to detect. The trade
off is, when doing manual updates someone else may have hit a problem first 
and posted to bugtraq or here saving you. As well you will be doing the update
and presumably monitoring it, that isn't likely to be true for a cron job
especially if it runs over night (and the cracker inserts a bogus signature 
at 1 AM prior to the virus flood at 2 AM). Of course most of the time this will
probably work fine and defeat the usual run of the mill script kiddies and thus
I'm not saying it is a poor idea, only that you need to have considered lots
of different failure modes (and better yet, you want to ask your vendor and 
make sure thay have considered all the possible failure modes and done 
something about them such as signed signature files). You also want to know
all the packages in use so a name on Bugtraq that might otherwise be ignored as
not running at your site is recognized in case of a problem. As with most 
security things this issue is nicely gray (although probably least gray towards
your solution ...)

> (In the case of my mail relays, the virus scanner runs as an
> unprivileged user anyway, so the damage would be quite limited, even
> assuming that the Master Cracker wrote something that would run on
> Digital Unix. :-) )

	STO is always a mistake. A local financial institution is rumored to 
have said something similar about the Pick operating system (and then they were
hacked ...) I know several sites that have been nailed by X.25 connections that
sometimes have been forgotten about, and in any case weren't considered because
they aren't the Internet (but they do just fine until we can get to the 
Internet out that so well firewalled Internet connected host that has the X.25
Pad connected to it, from the trusted direction  ...)
	We are particularly at risk because we are pre selecting our most 
probable crackers from the top %10 or so of the community at a less than
entirely judicious age (at least thats true here at SFU and I doubt any of the
rest of you select for stupid students either :-)). Assuming our probable 
crackers aren't more familiar (because of more time :-)) with the systems we 
run than we are is likely a fatal mistake.

> > Digitally signed updates (assuming the attacker hasn't
> > managed to compromise the virus company's key) would be one way around most 
> > of this risk.
> Indeed, and if my vendor starts signing their stuff, I will add code
> to check the signatures.  I agree that it would be a good idea.

	Then ask your vendor why they aren't already doing it, and how they
guarantee the integity of their updates without them :-). To some extent we
have to start voting with our money to get the vendors to start taking 
security seriously. I expect it goes without saying that as has been suggested
already in this thread that encouraging the use of alternative mail clients
(Eudora has luckily been our package of choice since before there was a Lookout
Distress :-)) is even more useful if something does get by your antivirus code.
Unfortunatly thatisn't always practical.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list