Sophos - UNC Flaw welcomes viruses

cboling
New Member
Posts: 31
Joined: Mon Dec 31, 2007 9:52 am


#1

Post by cboling »

This may be of interest both to those with direct responsibility for supporting end-user computers, as well as the folks @ headquarters responsible for specifying/configuring security software for the same.

While working on a machine from our FHC, I discovered a flaw in [our configuration of?] Sophos v9.5: It will happily execute a virus (or what it thinks is one) over a UNC path.

To replicate:
Download the standard EICAR test file to machine "server" (a machine that lacks A/V software or is otherwise configured not to complain about it).
http://www.eicar.org/download/eicar.com

c:\>COPY \\SERVER\SHARE\EICAR.COM
1 file(s) copied.
c:\>DIR
1 file, 68 bytes
("virus" is happily stored on local machine.)
c:\>EICAR.COM
Access is denied.
(hard drive crunches for half a minute)
c:\>DIR
0 files, 0 bytes
(access was correctly denied, and file quarantined/deleted)

c:\>\\SERVER\SHARE\EICAR.COM
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
(congratulations; you were just "infected"!)
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#2

Post by russellhltn »

As long as that's a UNC and not a URL, I don't see a problem. Normally one sets up anti-virus on all machines in a network, so the server is responsible for checking itself. Attempting to run anti-virus on network files can result in significant and noticeable performance issues.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
cboling
New Member
Posts: 31
Joined: Mon Dec 31, 2007 9:52 am

#3

Post by cboling »

RussellHltn wrote: Normally one sets up anti-virus on all machines in a network, so the server is responsible for checking itself.
True -- as long as it's impossible for outsiders to connect to the network. A well-meaning clerk or a patron that says "here, just grab that off my laptop over the wi-fi"
RussellHltn wrote: Attempting to run anti-virus on network files can result in significant and noticeable performance issues.
Only if you're using the network. :-) Seriously, though, in a typical FHC or local unit environment, you *don't* have a fileserver, and are *not* normally transferring large amounts of data over the network, so network performance is not an issue.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#4

Post by russellhltn »

cboling wrote: Seriously, though, in a typical FHC or local unit environment, you *don't* have a fileserver,

Some FHC do. (Like the one I take care of). It supports all those older CD-based programs.

I noticed that the machine in question came from a FHC. I'd be interested in seeing the results of one that had been configured to be an admin computer.

Also note that while it did store the infected file, it did refuse to run it. As such, the "infection" was taken care of.
cboling
New Member
Posts: 31
Joined: Mon Dec 31, 2007 9:52 am

#5

Post by cboling »

RussellHltn wrote: I'd be interested in seeing the results of one that had been configured to be an admin computer.
I'll test this week on some other machines (e.g. clerk). Forgive my ignorance, but what do you mean by "configured to be an admin computer"? Our small FHC has a machine that has MLS installed and has the film scanner attached, but it wasn't otherwise configured any differently AFAIK.
RussellHltn wrote: it did refuse to run it. As such, the "infection" was taken care of.
Only when run locally -- if you ran it directly off the share (as would happen if someone either intentionally double-clicked -- or "stuttered" when trying to drag -- in an Explorer window) it ran. (Oops! I just noticed that I copied the wrong command line just before the EICAR message was displayed. The file was executed, not merely copied again. I'll edit my post.)
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#6

Post by russellhltn »

cboling wrote: I'll test this week on some other machines (e.g. clerk). Forgive my ignorance, but what do you mean by "configured to be an admin computer"? Our small FHC has a machine that has MLS installed and has the film scanner attached, but it wasn't otherwise configured any differently AFAIK.

I assume that's MLS for the FHC. Otherwise I think your setup is more rare than servers in a FHC.

FHC computers are managed by the Family History Department which has its own IT department. Unit administrative computers are handled by Local Unit Support.

Both run Sophos, but each is to obtain that program in different ways. The unit administrative computers from mls.lds.org and the FHC computers from LANDesk downloaded from remote.familysearch.org.
silid
Member
Posts: 70
Joined: Wed Jan 31, 2007 8:54 am
Location: United Kingdom

#7

Post by silid »

I agree that scanning all network shares could be exhaustive for an anti virus, compounded when all machines configured to use the share are scanning the same files, possibly simultaneously. However it should still probably be configured to have 'on access' scanning on network files.
bradh
New Member
Posts: 20
Joined: Mon May 23, 2011 10:08 am

Admin Computer

#8

Post by bradh »

This is probably a question for another post... but I am interested in how to configure a computer as an "Admin computer" as posted by RussellHltn. I have worked in several FHCs as I have moved around. They have all been set as a 'Peer to peer' network. So... what is configured differently for an 'admin computer'?
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#9

Post by russellhltn »

bradh wrote: So... what is configured differently for an 'admin computer'?

I don't know what is different about an administrative computer other than that it's managed by a different IT department and the programs are to be downloaded from mls.lds.org rather than from FamilySearch's LANDesk.

By and large, I don't think they're networked other than to connect to broadband for faster send/receive. Maybe to share a printer (although I don't recommend it).
cboling
New Member
Posts: 31
Joined: Mon Dec 31, 2007 9:52 am

#10

Post by cboling »

Brad, you are thinking the same thing I was initially -- that Russell was talking about a special kind of FHC computer -- but he clarified it in a later post when he said "unit administrative computers", i.e. he was contrasting the FHC setup w/ what you'd find e.g. a ward clerk using.

Russell, I tested a clerk's computer, and it DOES properly prevent direct execution of a "virus" from a UNC path, so it appears that this problem is limited to the configuration specified by the FH dept. Unfortunately, the real-time options appear to be locked down by them, so I don't have the ability to close that hole myself.