OSPWD@EMUVM1.BITNET (Peter W. Day) (02/09/90)
Re the discussion of infection of AppleShare servers by WDEF and whether to run GateKeeper there, and Brian Bechtel's point that the server does not use its desktop file, so the desktop file can be removed, after which the server can not be infected by WDEF.

Even if you leave the file "desktop" on the server, that file is not seen by clients (even using programs that can see the desktop file on local disks), so it appears that there is no way a client can infect an AppleShare server with WDEF.

Clearly you could do so by putting an infected diskette in the server when it was running as a workstation (e.g. by booting it using an infected diskette). But could you infect the server by inserting an infected diskette in it while it was running as a server? Once infected, will the server infect local disks of clients?

dplatt@coherent.com (02/14/90)
Peter W. Day writes:

> Re the discussion of infection of AppleShare servers by WDEF and
> whether to run GateKeeper there, and Brian Bechtel's point that the
> server does not use its desktop file, so the desktop file can be
> removed, after which the server can not be infected by WDEF.
>
> Even if you leave the file "desktop" on the server, that file is not
> seen by clients (even using programs that can see the desktop file on
> local disks), so it appears that there is no way a client can infect
> an AppleShare server with WDEF.

This is an incorrect conclusion.

If an AppleShare server publishes a disk which contains a Desktop file, client systems CAN see the Desktop file. If a client system is infected by WDEF, it _will_ attempt to open and infect the Desktop file on the server. If the client was granted "Make changes" permission for the volume itself, WDEF will be able to infect the Desktop file on the server volume.

This infection-process causes the server's Desktop file to be updated by the client's Resource Manager... it can generate a very large amount of network activity, and "lock up" the client for an extended period... 15-30 seconds is not unusual. This performance-degradation is one of the warning signs of a WDEF infection. Trust me... this DOES happen!

This infected Desktop file will not, however, be capable of infecting other clients. The Finder on a client machine does not attempt to open the Desktop file on the server... instead, it uses AFP services to fetch icons and bundle information from the AppleShare server (which uses the Desktop Manager interface to retrieve them from the Desktop Manager database files).

This doesn't mean that the infection is benign, though. If you reboot the server from a floppy (or other volume) which does not contain the Desktop Manager INIT, the "latent" infection in the server's Desktop file will become active.

> Clearly you could do so by putting an
> infected diskette in the server when it was running as a workstation
> (e.g. by booting it using an infected diskette). But could you infect
> the server by inserting an infected diskette in it while it was
> running as a server?

Yes. An infected floppy could infect the Desktop file on the hard disk, even if the Desktop Manager were running. This is another way to create a "latent" WDEF infection.

> Once infected, will the server infect local disks
> of clients?

Nope... as mentioned above, the Finders on the client machines do not open the Desktop file on the server.

The best ways to ensure that your AppleShare servers do not become infected (by clients, or otherwise) are:

1) Install a Desktop-scanning INIT, such as Gatekeeper Aid, Eradicat'Em, or an up-to-date version of one of the commercial antivirals. This will ensure that infected floppies are cleansed when inserted, and that any infection which _does_ sneak in will be cleansed when you reboot.

2) Do NOT grant AppleShare clients the "Make changes" permission to the root directory on a published volume. Make all changes to this directory from the server itself. Grant "Make changes" permission only to lower-level directories. This will ensure that an infected client is unable to update the Desktop file on your server's volume.

Remember that a Desktop file will be created on your volumes if you boot from ANY disk which doesn't have the Desktop Manager INIT in its System folder. You should NOT simply install Desktop Manager, delete the old Desktop file, and assume that you are safe from infection... this method is not reliable!

--
Dave Platt
VOICE: (415) 493-8805
UUCP: ...!{ames,apple,uunet}!coherent!dplatt
DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303
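
The kind of check a Desktop-scanning tool could apply to the "latent" infection discussed in this thread, as an added example that is not part of either post and is not code from Gatekeeper Aid, Eradicat'Em or any other product. It assumes the infection is visible as a resource of type WDEF in the Desktop file's resource fork (the thread does not spell this out) and that the fork's bytes have already been read; all function names are hypothetical and the sample forks are constructed with placeholder bodies.

```python
import struct

def resource_types(fork: bytes) -> dict:
    """Map each resource type in a classic Mac OS resource fork to its IDs."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    _doff, map_off, _dlen, map_len = struct.unpack(">4I", fork[:16])
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map missing or out of bounds")
    rmap = fork[map_off:map_off + map_len]
    found = {}
    try:
        tl = struct.unpack_from(">H", rmap, 24)[0]   # type list offset within map
        ntypes = (struct.unpack_from(">H", rmap, tl)[0] + 1) & 0xFFFF  # stored as n-1
        for i in range(ntypes):
            rtype, nres, ref_off = struct.unpack_from(">4sHH", rmap, tl + 2 + 8 * i)
            found[rtype.decode("mac_roman")] = [
                struct.unpack_from(">h", rmap, tl + ref_off + 12 * j)[0]
                for j in range(nres + 1)]            # 12-byte reference entries
    except struct.error as exc:
        raise ValueError("truncated resource map") from exc
    return found

def desktop_has_wdef(fork: bytes) -> bool:
    """Assumed indicator: a Desktop file has no legitimate WDEF resource."""
    return "WDEF" in resource_types(fork)

def build_sample_fork(resources):
    """Constructed test input: [(type, id, body)], one resource per type."""
    n, data, types, refs = len(resources), b"", b"", b""
    for i, (rtype, rid, body) in enumerate(resources):
        types += struct.pack(">4sHH", rtype, 0, 2 + 8 * n + 12 * i)
        refs += struct.pack(">hHB3sI", rid, 0xFFFF, 0, len(data).to_bytes(3, "big"), 0)
        data += struct.pack(">I", len(body)) + body
    tlist = struct.pack(">H", n - 1) + types + refs
    map_len = 28 + len(tlist)
    header = struct.pack(">4I", 256, 256 + len(data), len(data), map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + tlist
    return header + bytes(240) + data + rmap

if __name__ == "__main__":
    clean = build_sample_fork([(b"BNDL", 128, b"x"), (b"ICN#", 128, b"y")])
    suspect = build_sample_fork([(b"BNDL", 128, b"x"), (b"WDEF", 0, bytes(8))])
    print(desktop_has_wdef(clean), desktop_has_wdef(suspect))
```

A hit only says the Desktop file carries a WDEF resource; it does not identify which code the resource holds.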