As everyone knows, nails are driven with a hammer and viruses are caught with an antivirus. This opinion is widespread among users, as well as (unfortunately) among those who prepare tender documents for large projects. But what do the vendors themselves think about the purpose of antivirus?
This article is not meant to be long and, in general, continues the topic already raised in the piece on antivirus myths. In fact, it is the outcome of a series of articles about the purpose, possibilities and limitations of antiviruses: a summary, so to speak.
First of all, it must be said (and this was stressed repeatedly in the comments to the articles of the series) that a single, universal solution for all situations does not exist and (probably) cannot exist. For example, if a tablet is used for browsing and for working with corporate mail, there is no critical data on it, or that data can be restored quickly, then (leaving aside the need to protect against information leakage and/or tampering) we can, in principle, limit ourselves to making backup copies. But if the same tablet is used on business trips, an antivirus is already needed, since not everywhere in the world can you get access to your backups (if only because of the quality of the connection).
The choice of solution depends on the level of risk, and this applies most of all to the protection of workstations. At one point a survey was taken at the Security Code conference in Chelyabinsk on why people install an antivirus. There were three answers: because the regulators demand it, because everyone does it, and "how else?". That is, in essence, the actual need for protection against malware is not evaluated at all (apart from the need to protect weak machines, heavily loaded machines, and machines that perform procedures which are critical at the moment of execution).
This is largely due to the widespread belief that an antivirus should catch all malware at the moment it attempts to penetrate the protected system. In reality, an antivirus (the antivirus engine, including heuristic mechanisms and behavioral analyzers of all kinds) can catch only known types of malware and their new variants. If the malware was created with the peculiarities of that antivirus in mind and was tested against its current version (and this is done for the most dangerous malware), the antivirus will miss it.
Accordingly, to protect against penetration it is necessary to use not only an antivirus (estimates vary, but it will intercept at least 50 percent of malicious programs at the point of entry) but, first of all, privilege restriction systems and whitelists of the programs allowed to run. Otherwise, your first acquaintance with ransomware (file-encrypting Trojans) or banking Trojans may well come not from reading the logs. And, of course, back up the data, because, as they say, all sorts of things happen.
The role of the antivirus on workstations and file/terminal servers is the removal of malicious programs that have already penetrated the protected machine. In this role the antivirus can be completely replaced by backups, but only if the recovery time and the interruption of business processes are not critical.
That is why an antivirus (first of all, an antivirus for workstations and file servers) must have self-protection (nothing should be able to remove it before knowledge of the new Trojan is obtained), protected update and management channels (the update must not be intercepted), and a system for curing active infections.
The number of antivirus installations on mail servers is much smaller than the number of installations on workstations, for the simple reason that, in most people's view, the presence of antispam and antivirus on workstations makes similar protection at the mail server level unnecessary. There is a grain of truth in this opinion. Indeed, the capabilities that products from Microsoft, IBM and Kerio offer to antivirus/antispam plugins are not very great. And mail servers on Linux, where the filtering capabilities of such plugins are really very powerful, are not as common as we would like. As a result, the sales argument that justifies buying server-side antispam by the reduced load on the server does not work.
In fact, an antivirus for mail servers is needed for the same reason as for workstations: unknown viruses are now the main problem. Installing an antivirus on the mail server provides the ability to periodically rescan mailboxes for previously unknown malicious programs; recall that for Exchange, Lotus, Kerio and so on, scanning the mail databases with a file antivirus is impossible.
Attention! In MS Exchange 2013 the VSAPI mechanism, which provided periodic scanning of mail databases and on-access checking, was removed. For this reason, this mail server is not recommended for those who need to provide protection against viruses at the mail server level.
Those who want truly reliable protection against viruses and spam should look towards mail proxies built on their own mechanisms for analyzing SMTP/POP3/IMAP traffic, which are not plugins for mail servers and are therefore not subject to their functional limitations.
An antivirus on Internet gateways and internal gateways has a completely different task. Here the antivirus reduces the risk of malicious programs reaching those devices and computers on which an antivirus cannot be installed for one reason or another: from process control systems to printers and refrigerators.
A particular headache is the protection of home computers and personal devices. Here, first of all, we need means of controlling access to data. The antivirus also provides protection against traffic analysis (including interception of passwords), phishing and banking Trojans.
It is mandatory to protect the home computers and mobile devices of those who service various systems outside the office. Practice shows that the level of protection of such devices is lower than that of computers on the local network, and infection via the removable media of such personnel is a daily reality.