Karl A. Krueger kkrueger at whoi.edu
Mon Dec 6 20:05:32 GMT 2004

We shouldn't encourage users to confuse "using anti-virus software" with
"securing hosts", on ANY platform.

Recently we had a couple of Windows 2000 systems broken into.  They were
cracked by a human user with a rootkit and an IRC backdoor -- NOT by a
virus or worm.  One of the problems that we had in incident response was
convincing Windows technicians that there actually was hostile code on
the system, since anti-virus scans (NAV and ClamAV) *did not* detect the
rootkit executable.

The problem was that this was basically a "Unix-style" break-in done
against a Windows system.  The vast bulk of security incidents on
Windows are virus-related, and the techs and users are used to the model
that they can run an AV scan or an AV removal tool to restore the system
to clean operation.  That doesn't work with an attack that isn't a virus
and isn't caught by AV.

Installing Windows-oriented anti-virus software on Mac, Linux, or
Solaris systems is not going to help them against the kinds of attacks
that are actually used against these systems.  It can certainly help on
Mac/Linux/etc. file servers that are serving files to Windows clients,
but that's a different case.

I also have to suspect that pushing Windows-oriented security policies
on non-Windows systems can't possibly inspire confidence in those
policies and the personnel who enforce them.  This is especially the
case if the selected AV software causes instability or slowness on those
systems -- it will be thought of as "the security people causing us
problems for no good reason" and will inspire resentment of security
procedures and personnel in general.  Not a politically good move.
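The gap described above (an AV scan reports "clean" while a rootkit binary and a backdoor sit on disk) is exactly what a baseline integrity check catches, because it compares the host against its own known-good state rather than against a database of known malware. The following is an added example, not code from the original post or its author; it builds a throwaway directory with two constructed stand-in binaries, records a baseline, simulates a trojaned "ps" and a dropped backdoor, then shows a hash-signature scan returning nothing while the baseline comparison flags both changes. File names, contents and the "signature database" are all constructed for illustration.

```python
"""
Added example (not from the original post): baseline file-integrity check
that flags changed, added and removed files by hash, independent of any
anti-virus signature database. All paths, file contents and "signatures"
below are constructed for illustration.
"""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root (forward-slash relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = hash_file(full)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and a later snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def signature_scan(current: dict, known_bad_hashes: set) -> list:
    """What a hash/signature scanner can do: match files against what it already knows."""
    return sorted(p for p, h in current.items() if h in known_bad_hashes)


def demo() -> dict:
    """Build a toy 'system', baseline it, then simulate a rootkit install."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        # Constructed stand-ins for system binaries on a freshly built host.
        for name, body in [("ps", b"original ps binary"), ("netstat", b"original netstat binary")]:
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)

        # Constructed intrusion: a trojaned 'ps' replaces the original and a
        # new backdoor binary is dropped. Neither hash is in the signature set.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"trojaned ps that hides the attacker's processes")
        with open(os.path.join(bin_dir, "ircd_backdoor"), "wb") as f:
            f.write(b"backdoor listener")
        current = snapshot(root)

        # Constructed signature database: it only knows about some other worm.
        known_bad = {hashlib.sha256(b"some other worm").hexdigest()}

        return {
            "signature_hits": signature_scan(current, known_bad),
            "integrity": compare(baseline, current),
        }


if __name__ == "__main__":
    report = demo()
    print("signature scan hits:", report["signature_hits"])
    for kind, paths in report["integrity"].items():
        print(f"{kind}: {paths}")
```

Two practical notes: the baseline has to be taken from a known-good state (fresh install or trusted media) and stored off the host, and if the rootkit has kernel-level control it can lie to the hashing tool just as it lies to AV, so the comparison is only trustworthy when run from trusted boot media against the mounted disk.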

