[unisog] AV for MACS

Jim Dillon Jim.Dillon at cusys.edu
Tue Dec 7 00:56:52 GMT 2004


How is AV protection a "Windows Oriented" thing?  It seems to be more related to the interaction of shared networking protocols, interpretive operating systems, and applications in general than to any particular OS. (Heck, usually it's just poor programming and an unterminated string that opens the door.  That was true 20 years ago, still is.) Truly Windows has demonstrated a knack for susceptibility, but there are plenty of entries on the bug lists for others.  In my recollection, most early viruses attacked sendmail, not some Win component.  A virus simply takes advantage of any number of broken components, so why is a Mac somehow different? Is that not how a virus works against a Mac?  Might it not be more expedient to block the bug than wait for the next patch to surface?  Isn't squashing a Windows-targeted bug a rather good thing, anywhere it happens?  I'd rather not have an infected neighbor slowing down my network.

The problem in my mind is an essential consequence of greed.  We've expanded the functionality of each computing component for convenience's sake to the place it is hard to distinguish them; therefore our mail, messaging, office, and other components can all read, write, send, and execute a script of some sort, and even look to do so by default.  If we'd constructed the objects they all share with a tad more care this might not be a problem. Sorry, I don't buy the argument that the AV model we face is a Windows thing.  Yes, Windows is very susceptible, but so is any other system that can read, write, script, and execute.

I truly believe if the number of target OSs for Mac were equal to Windows, that you'd see equal havoc in the Apple/Mac world, ditto for Linux or whatever.  Opportunity breeds motivation.  Please enlighten me as to how AV tools are a "Windows" construct, and I'll admit my folly, but in the meantime, I can't imagine why I wouldn't want to squash a virus-laden file headed toward my Mac (particularly if it has Virtual PC running!)  We used AV-type tools (detection engines/filters) years ago on Unix boxes, long before email became a Win-dominated thing and Norton a household word.

I didn't intend to confuse "securing hosts" and "using A/V software."  Both are part of defense in depth, and I hoped instead to be encouraging both as part of the current solution.  Stopping the bug may be more expedient than modifying the OS component, given we've now seen bugs go wild within two days of the vulnerability announcement.  Ignoring one avenue because you haven't yet felt the pain doesn't eliminate that avenue as a viable control point.  Yes, AV is usually a detective control, not as good as a preventative one, but given that developing preventative controls is much more time consuming and costly, I'd hope we'd not bail on the detective ones just yet.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Karl A. Krueger
Sent: Monday, December 06, 2004 1:06 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] AV for MACS

On Mon, Dec 06, 2004 at 10:20:33AM -0700, Jim Dillon wrote:
> Why AV for Macs?  Macs are just as interesting a target for security
> attacks, so why not for AV?  Observe...

We shouldn't encourage users to confuse "using anti-virus software" with
"securing hosts", on ANY platform.

Recently we had a couple of Windows 2000 systems broken into.  They were
cracked by a human user with a rootkit and an IRC backdoor -- NOT by a
virus or worm.  One of the problems that we had in incident response was
convincing Windows technicians that there actually was hostile code on
the system, since anti-virus scans (NAV and ClamAV) *did not* detect the
rootkit executable.

The problem was that this was basically a "Unix-style" break-in done
against a Windows system.  The vast bulk of security incidents on
Windows are virus-related, and the techs and users are used to the model
that they can run an AV scan or an AV removal tool to restore the system
to clean operation.  That doesn't work with an attack that isn't a virus
and isn't caught by AV.

Installing Windows-oriented anti-virus software on Mac, Linux, or
Solaris systems is not going to help them against the kinds of attacks
that are actually used against these systems.  It can certainly help on
Mac/Linux/etc. file servers that are serving files to Windows clients,
but that's a different case.

I also have to suspect that pushing Windows-oriented security policies
on non-Windows systems can't possibly inspire confidence in those
policies and the personnel who enforce them.  This is especially the
case if the selected AV software causes instability or slowness on those
systems -- it will be thought of as "the security people causing us
problems for no good reason" and will inspire resentment of security
procedures and personnel in general.  Not a politically good move.

Karl A. Krueger <kkrueger at whoi.edu>
Network Security -- Linux/Unix Systems Support -- Etc.
Woods Hole Oceanographic Institution
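Added illustration, not part of either message in this thread: why the AV scans Karl describes can miss a rootkit executable on a system while still catching a known worm, and why a host-integrity baseline is the complementary detective control. The Python below contrasts a signature-based scan (hash lookup against a known-bad list, the model an AV engine follows) with a baseline comparison of the kind Tripwire- or AIDE-style tools perform. Every file name, byte string and signature name is constructed for the example; nothing here is real malware or a real product's signature set.

```python
"""Signature scan vs. host-integrity baseline on a constructed file set.

The point demonstrated: a signature scanner only flags what is already in
its list, so a hand-placed backdoor or a patched driver with no published
signature passes clean; a baseline taken on the known-good host flags the
same change as "added" or "modified" without knowing anything about it.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database: hash of a sample body -> detection name.
# Stands in for the vendor-supplied list an AV engine matches against.
KNOWN_BAD_SHA256 = {
    sha256(b"CONSTRUCTED-WORM-SAMPLE-A"): "Worm.Sample.A",
}

# Constructed known-clean host: path -> file contents.
CLEAN_SYSTEM = {
    "system32/kernel.exe": b"CONSTRUCTED-KERNEL-IMAGE",
    "system32/drivers/tcpip.sys": b"CONSTRUCTED-TCPIP-DRIVER",
    "system32/svchost.exe": b"CONSTRUCTED-SVCHOST",
}

# Same host after a worm infection: a file with a catalogued signature appears.
WORM_INFECTED_SYSTEM = dict(CLEAN_SYSTEM)
WORM_INFECTED_SYSTEM["system32/wrm.exe"] = b"CONSTRUCTED-WORM-SAMPLE-A"

# Same host after a hands-on break-in: a driver is patched and a backdoor is
# dropped under an innocuous name. Neither body is in the signature list.
ROOTKITTED_SYSTEM = dict(CLEAN_SYSTEM)
ROOTKITTED_SYSTEM["system32/drivers/tcpip.sys"] = b"CONSTRUCTED-TCPIP-DRIVER-PATCHED"
ROOTKITTED_SYSTEM["system32/msupdate.exe"] = b"CONSTRUCTED-IRC-BACKDOOR"


def signature_scan(files: dict) -> dict:
    """Return {path: detection name} for files whose hash is in the signature set.

    This is a detective control that only knows what it has been told about.
    """
    hits = {}
    for path, data in files.items():
        name = KNOWN_BAD_SHA256.get(sha256(data))
        if name is not None:
            hits[path] = name
    return hits


def build_baseline(files: dict) -> dict:
    """Record a hash of every file while the host is known to be clean."""
    return {path: sha256(data) for path, data in files.items()}


def integrity_check(baseline: dict, files: dict) -> dict:
    """Report files added, modified or removed relative to the baseline.

    No knowledge of the attacker's code is needed; any deviation is reported.
    """
    added = sorted(set(files) - set(baseline))
    removed = sorted(set(baseline) - set(files))
    modified = sorted(
        path for path in files
        if path in baseline and sha256(files[path]) != baseline[path]
    )
    return {"added": added, "modified": modified, "removed": removed}


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_SYSTEM)
    for label, system in (("worm", WORM_INFECTED_SYSTEM), ("rootkit", ROOTKITTED_SYSTEM)):
        print(f"[{label}] signature scan:   {signature_scan(system)}")
        print(f"[{label}] integrity check:  {integrity_check(baseline, system)}")
```

The worm case is flagged by both controls; the rootkit case is flagged only by the baseline comparison, which is the gap the technicians in Karl's account ran into. One caveat a practitioner would add: a kernel-level rootkit can hide files from tools running on the compromised host, so a baseline comparison is most trustworthy when run from known-good media against the offline disk, with the baseline itself stored off the host.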
