Sophos - UNC Flaw welcomes viruses
-
- New Member
- Posts: 31
- Joined: Mon Dec 31, 2007 9:52 am
Sophos - UNC Flaw welcomes viruses
This may be of interest both to those with direct responsibility for supporting end-user computers, as well as the folks @ headquarters responsible for specifying/configuring security software for the same.
While working on a machine from our FHC, I discovered a flaw in [our configuration of?] Sophos v9.5: It will happily execute a virus (or what it thinks is one) over a UNC path.
To replicate:
Download the standard EICAR test file to machine "server" (a machine that lacks A/V software or is otherwise configured not to complain about it).
http://www.eicar.org/download/eicar.com
c:\>COPY \\SERVER\SHARE\EICAR.COM
1 file(s) copied.
c:\>DIR
1 file, 68 bytes
("virus" is happily stored on local machine.)
c:\>EICAR.COM
Access is denied.
(hard drive crunches for half a minute)
c:\>DIR
0 files, 0 bytes
(access was correctly denied, and file quarantined/deleted)
c:\>\\SERVER\SHARE\EICAR.COM
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
(congratulations; you were just "infected"!)
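The reproduction above compares what the on-access scanner does with the local copy of EICAR.COM against what it does when the same file is touched over a UNC path. The script below is an added example (not from the thread and not a Sophos tool) that automates that comparison from the client side: it assumes EICAR.COM has already been placed on the share as in the steps above, and the \\SERVER\SHARE path is the post's placeholder, to be replaced with a real one.

```powershell
# Added example: report whether the on-access scanner intervenes when the
# EICAR test file is read over a UNC path versus from a local copy.
# Assumes EICAR.COM already exists on the share (as in the post's steps).
param(
    [string]$SharePath = '\\SERVER\SHARE\EICAR.COM',   # placeholder from the post
    [string]$LocalDir  = $env:TEMP
)

function Test-EicarRead {
    param([string]$Path)
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        # EICAR.COM is 68 bytes; a full read means the scanner did not step in.
        if ($bytes.Length -eq 68) { return 'READABLE' }
        return "READABLE (unexpected size $($bytes.Length))"
    } catch [System.UnauthorizedAccessException] {
        return 'BLOCKED (access denied by scanner)'
    } catch [System.IO.FileNotFoundException] {
        return 'REMOVED (quarantined or missing)'
    } catch {
        return "ERROR: $($_.Exception.Message)"
    }
}

$results = [ordered]@{}

# 1. Touch the file directly over the network path, as the post's last step does.
$results['UNC read'] = Test-EicarRead -Path $SharePath

# 2. Copy it locally, give the on-access scanner a moment, then read the copy.
$localCopy = Join-Path $LocalDir 'EICAR.COM'
try {
    Copy-Item -Path $SharePath -Destination $localCopy -ErrorAction Stop
    Start-Sleep -Seconds 5
    $results['Local read'] = Test-EicarRead -Path $localCopy
} catch {
    $results['Local copy'] = "BLOCKED during copy: $($_.Exception.Message)"
} finally {
    Remove-Item -Path $localCopy -Force -ErrorAction SilentlyContinue
}

$results.GetEnumerator() | ForEach-Object { '{0,-12} {1}' -f $_.Key, $_.Value }

# The gap the post describes: local access blocked, network access not.
if ($results['UNC read'] -like 'READABLE*') {
    Write-Warning 'On-access scanning does not cover network paths on this client.'
}
```

Run it once on a machine whose scanner is known to block the local copy; a "READABLE" result for the UNC read on that machine reproduces the gap discussed here.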
-
- Community Administrator
- Posts: 34422
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
As long as that's a UNC and not a URL, I don't see a problem. Normally one sets up anti-virus on all machines in a network, so the server is responsible for checking itself. Attempting to run anti-virus on network files can result in significant and noticeable performance issues.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.
So we can better help you, please edit your Profile to include your general location.
-
- New Member
- Posts: 31
- Joined: Mon Dec 31, 2007 9:52 am
RussellHltn wrote: Normally one sets up anti-virus on all machines in a network, so the server is responsible for checking itself.
True -- as long as it's impossible for outsiders to connect to the network. A well-meaning clerk or a patron that says "here, just grab that off my laptop over the wi-fi"
RussellHltn wrote: Attempting to run anti-virus on network files can result in significant and noticeable performance issues.
Only if you're using the network. Seriously, though, in a typical FHC or local unit environment, you *don't* have a fileserver, and are *not* normally transferring large amounts of data off the network, so network performance is not an issue.
-
- Community Administrator
- Posts: 34422
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
cboling wrote: Seriously, though, in a typical FHC or local unit environment, you *don't* have a fileserver,
Some FHC do. (Like the one I take care of). It supports all those older CD-based programs.
I noticed that the machine in question came from a FHC. I'd be interested in seeing the results of one that had been configured to be an admin computer.
Also note that while it did store the infected file, it did refuse to run it. As such, the "infection" was taken care of.
-
- New Member
- Posts: 31
- Joined: Mon Dec 31, 2007 9:52 am
RussellHltn wrote: I'd be interested in seeing the results of one that had been configured to be an admin computer.
I'll test this week on some other machines (e.g. clerk). Forgive my ignorance, but what do you mean by "configured to be an admin computer"? Our small FHC has a machine that has MLS installed and has the film scanner attached, but it wasn't otherwise configured any differently AFAIK.
RussellHltn wrote: it did refuse to run it. As such, the "infection" was taken care of.
Only when run locally -- if you ran it directly off the share (as would happen if someone either intentionally double-clicked -- or "stuttered" when trying to drag -- in an Explorer window) it ran. (Oops! I just noticed that I copied the wrong command line just before the EICAR message was displayed. The file was executed, not merely copied again. I'll edit my post.)
-
- Community Administrator
- Posts: 34422
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
cboling wrote: I'll test this week on some other machines (e.g. clerk). Forgive my ignorance, but what do you mean by "configured to be an admin computer"? Our small FHC has a machine that has MLS installed and has the film scanner attached, but it wasn't otherwise configured any differently AFAIK.
I assume that's MLS for the FHC. Otherwise I think your setup is rarer than servers in a FHC.
FHC computers are managed by the Family History Department which has its own IT department. Unit administrative computers are handled by Local Unit Support.
Both run Sophos, but each is to obtain that program in a different way: the unit administrative computers from mls.lds.org and the FHC computers from LANDesk downloaded from remote.familysearch.org.
-
- New Member
- Posts: 20
- Joined: Mon May 23, 2011 10:08 am
Admin Computer
This is probably a question for another post,... but I am interested in how to configure a computer as an "Admin computer" as posted by RussellHltn. I have worked in several FHC's as I have moved around. They have all been set as a 'Peer to peer' network. So... what is configured differently for an 'admin computer'?
-
- Community Administrator
- Posts: 34422
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
bradh wrote:So... what is configured differently for an 'admin computer'?
I don't know what is different about an administrative computer other than that it's managed by a different IT department and the programs are to be downloaded from mls.lds.org rather than from familysearch's LANDesk.
By and large, I don't think they're networked other than to connect to broadband for faster send/receive. Maybe to share a printer (although I don't recommend it).
-
- New Member
- Posts: 31
- Joined: Mon Dec 31, 2007 9:52 am
Brad, you are thinking the same thing I was initially -- that Russell was talking about a special kind of FHC computer -- but he clarified it in a later post when he said "unit administrative computers", i.e. he was contrasting the FHC setup w/ what you'd find e.g. a ward clerk using.
Russell, I tested a clerk's computer, and it DOES properly prevent direct execution of a "virus" from a UNC path, so it appears that this problem is limited to the configuration specified by the FH dept. Unfortunately, the real-time options appear to be locked down by them, so I don't have the ability to close that hole myself.