Sophos - UNC Flaw welcomes viruses

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
cboling
New Member
Posts: 29
Joined: Mon Dec 31, 2007 9:52 am

Sophos - UNC Flaw welcomes viruses

Postby cboling » Sat May 21, 2011 2:59 pm

This may be of interest both to those with direct responsibility for supporting end-user computers, as well as the folks @ headquarters responsible for specifying/configuring security software for the same.

While working on a machine from our FHC, I discovered a flaw in [our configuration of?] Sophos v9.5: It will happily execute a virus (or what it thinks is one) over a UNC path.

To replicate:
Download the standard EICAR test file to machine "server" (a machine that lacks A/V software or is otherwise configured not to complain about it).
http://www.eicar.org/download/eicar.com

c:\>COPY \\SERVER\SHARE\EICAR.COM
1 file(s) copied.
c:\>DIR
1 file, 68 bytes
("virus" is happily stored on local machine.)
c:\>EICAR.COM
Access is denied.
(hard drive crunches for half a minute)
c:\>DIR
0 files, 0 bytes
(access was correctly denied, and file quarantined/deleted)

c:\>\\SERVER\SHARE\EICAR.COM
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
(congratulations; you were just "infected"!)
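The check above can be scripted so that a local folder and a share are probed the same way and the outcomes compared side by side. The following PowerShell function is an added example written for this thread, not code from the original post or from Sophos; it uses the published EICAR test string rather than a real sample, and the paths 'C:\Temp' and '\\SERVER\SHARE' are placeholders for machines you administer.

```powershell
# Added example: probe whether on-access scanning covers a given folder by writing
# the public EICAR test string there and observing what the scanner does with it.
# Paths in the usage line at the bottom are assumptions; substitute your own.
function Test-OnAccessScan {
    param(
        [Parameter(Mandatory)][string]$Path,   # local folder or UNC share to probe
        [int]$WaitSeconds = 10                 # time allowed for the scanner to react
    )

    # The EICAR test string is published by eicar.org for exactly this purpose.
    # Single quotes keep PowerShell from expanding the $-prefixed fragments.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    # Unique name so repeated runs never collide with a quarantined leftover
    $file = Join-Path $Path ("eicar-check-{0}.com" -f [guid]::NewGuid())

    try {
        # Plain ASCII, no BOM, no trailing newline: the string must be the whole file
        [System.IO.File]::WriteAllText($file, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        return [pscustomobject]@{ Path = $Path; Result = 'BlockedOnWrite'; Detail = $_.Exception.Message }
    }

    Start-Sleep -Seconds $WaitSeconds

    if (-not (Test-Path -LiteralPath $file)) {
        # Scanner noticed the write and removed or quarantined the file
        return [pscustomobject]@{ Path = $Path; Result = 'Quarantined'; Detail = 'file removed after write' }
    }

    try {
        # Reading the file is what execution from the path would do first;
        # a scanner covering this path should deny the read ("Access is denied")
        $null = [System.IO.File]::ReadAllBytes($file)
        $result = 'NotScanned'      # written and readable: this path is not covered
        $detail = 'file still present and readable'
    } catch {
        $result = 'BlockedOnRead'
        $detail = $_.Exception.Message
    }

    # Clean up whatever the scanner left behind
    Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{ Path = $Path; Result = $result; Detail = $detail }
}

# Probe a local folder and a share in one run, as the thread does by hand
'C:\Temp', '\\SERVER\SHARE' | ForEach-Object { Test-OnAccessScan -Path $_ } | Format-Table -AutoSize
```

A result of 'Quarantined' or 'BlockedOnRead' for the local folder alongside 'NotScanned' for the share reproduces the behaviour reported in the post: the local copy is caught, the network path is not. Run it on a machine whose scanner you expect to cover both, and keep the wait long enough for a scheduled or lazy scanner to react before you read the 'NotScanned' outcome as a gap.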

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sat May 21, 2011 3:33 pm

As long as that's a UNC and not a URL, I don't see a problem. Normally one sets up anti-virus on all machines in a network, so the server is responsible for checking itself. Attempting to run anti-virus on network files can result in significant and noticeable performance issues.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

cboling
New Member
Posts: 29
Joined: Mon Dec 31, 2007 9:52 am

Postby cboling » Sat May 21, 2011 3:51 pm

RussellHltn wrote: Normally one sets up anti-virus on all machines in a network, so the server is responsible for checking itself.

True -- as long as it's impossible for outsiders to connect to the network. A well-meaning clerk or a patron that says "here, just grab that off my laptop over the wi-fi"

RussellHltn wrote: Attempting to run anti-virus on network files can result in significant and noticeable performance issues.

Only if you're using the network. :-) Seriously, though, in a typical FHC or local unit environment, you *don't* have a fileserver, and are *not* normally transferring large amounts of data over the network, so network performance is not an issue.

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sat May 21, 2011 4:10 pm

cboling wrote: Seriously, though, in a typical FHC or local unit environment, you *don't* have a fileserver,

Some FHC do. (Like the one I take care of). It supports all those older CD-based programs.

I noticed that the machine in question came from an FHC. I'd be interested in seeing the results of one that had been configured to be an admin computer.

Also note that while it did store the infected file, it did refuse to run it. As such, the "infection" was taken care of.

cboling
New Member
Posts: 29
Joined: Mon Dec 31, 2007 9:52 am

Postby cboling » Sat May 21, 2011 4:33 pm

RussellHltn wrote: I'd be interested in seeing the results of one that had been configured to be an admin computer.

I'll test this week on some other machines (e.g. clerk). Forgive my ignorance, but what do you mean by "configured to be an admin computer"? Our small FHC has a machine that has MLS installed and has the film scanner attached, but it wasn't otherwise configured any differently AFAIK.

RussellHltn wrote: it did refuse to run it. As such, the "infection" was taken care of.

Only when run locally -- if you ran it directly off the share (as would happen if someone either intentionally double-clicked -- or "stuttered" when trying to drag -- in an Explorer window) it ran. (Oops! I just noticed that I copied the wrong command line just before the EICAR message was displayed. The file was executed, not merely copied again. I'll edit my post.)

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sat May 21, 2011 4:54 pm

cboling wrote: I'll test this week on some other machines (e.g. clerk). Forgive my ignorance, but what do you mean by "configured to be an admin computer"? Our small FHC has a machine that has MLS installed and has the film scanner attached, but it wasn't otherwise configured any differently AFAIK.

I assume that's MLS for the FHC. Otherwise I think your setup is rarer than servers in an FHC.

FHC computers are managed by the Family History Department, which has its own IT department. Unit administrative computers are handled by Local Unit Support.

Both run Sophos, but each is to obtain that program in different ways: the unit administrative computers from mls.lds.org and the FHC computers from LANDesk, downloaded from remote.familysearch.org.

silid
Member
Posts: 70
Joined: Wed Jan 31, 2007 8:54 am
Location: United Kingdom

Postby silid » Sun May 22, 2011 5:31 am

I agree that scanning all network shares could be exhausting for an anti-virus, compounded when all machines configured to use the share are scanning the same files, possibly simultaneously. However, it should still probably be configured to have 'on access' scanning on network files.

bradh
New Member
Posts: 20
Joined: Mon May 23, 2011 9:08 am

Admin Computer

Postby bradh » Mon May 23, 2011 9:19 am

This is probably a question for another post,... but I am interested in how to configure a computer as an "Admin computer" as posted by RussellHltn. I have worked in several FHCs as I have moved around. They have all been set up as a 'peer to peer' network. So... what is configured differently for an 'admin computer'?

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon May 23, 2011 10:07 am

bradh wrote: So... what is configured differently for an 'admin computer'?

I don't know what is different about an administrative computer other than that it's managed by a different IT department and the programs are to be downloaded from mls.lds.org rather than from FamilySearch's LANDesk.

By and large, I don't think they're networked other than to connect to broadband for faster send/receive. Maybe to share a printer (although I don't recommend it).

cboling
New Member
Posts: 29
Joined: Mon Dec 31, 2007 9:52 am

Postby cboling » Mon May 23, 2011 10:10 am

Brad, you are thinking the same thing I was initially -- that Russell was talking about a special kind of FHC computer -- but he clarified it in a later post when he said "unit administrative computers", i.e. he was contrasting the FHC setup w/ what you'd find e.g. a ward clerk using.

Russell, I tested a clerk's computer, and it DOES properly prevent direct execution of a "virus" from a UNC path, so it appears that this problem is limited to the configuration specified by the FH dept. Unfortunately, the real-time options appear to be locked down by them, so I don't have the ability to close that hole myself.
