dmg@lid.mitre.org (David Gursky) (09/28/89)
In Virus-L #205, Steve <XRAYSROK@SBCCVM.BITNET> and <CTDONATH@SUNRISE.BITNE> had some good comments about my Tiger Team suggestion. Here are some answers to their comments:

RE: Most viruses are not spread by someone sneaking in at night...

Absolutely true. The objective of this proposal would be to ensure that users are following a published anti-virus strategy, beyond simply backing up the data. If the user targeted by the Tiger Team is following the procedures properly, then the virus should not be able to get in. For instance, say the policy reads "All Macintosh computers shall run Gatekeeper". Gatekeeper is very effective at stopping nVir. If the Tiger Team attempts to infect a Mac with nVir, and the attempt fails, the user of the system is not properly following the established procedure.

RE: What corporation is willing to take the risk of letting someone *tamper* with the computers which the company depends upon, especially when proper operating procedures will offer you very good protection?

Good question. I would hope any company worth its salt. The objective of the "Tiger Teams" is to help ensure the corporate anti-virus policy is being adhered to. "Proper operating procedures" per se do not prevent an infection; *following* those procedures does.

RE: Can you guarantee that the "Team" will not do damage?...

In order for this proposal to be effective, the TT must do a complete backup of the system's data before proceeding (I suspect an image backup would be preferred in this instance), and a restore afterward, regardless of whether the team succeeds or fails.

RE: If they are introducing live viruses, ... no one can guarantee the virus will be benign in all situations...

I have a problem with this suggestion. Viruses (even nasty ones) such as nVIR, (c) Brain, Lehigh, and so on are well understood. If I start with a "known" strain of one of these (and there are libraries out there of unmodified versions of these and other viruses), I know exactly how a virus will behave under any set of conditions. Please also remember that I proposed using a "neutered" version of a virus. Using (c) Brain as an example, if the logic-bomb or time-bomb is removed from it, leaving only the infector, it's hard to say that such a neutered virus poses a serious threat to a user when used by a TT to check for the use of anti-virus procedures.

RE: If the tiger team fails to exterminate ALL copies of the virus there is the possibility of virus parinoia (sic), files that grow in size for no good reason, and the possibility of lost data thru virus malfunctions.

See my earlier comment about backups and neutered versions.

RE: The virus would be released in an unsuspecting work area. The presence of strangers insisting on checking every disk that leaves the area would cause chaos.

As described above, the virus would not be released in an unsuspecting work area. Tiger Teams are used as a method to test the effectiveness of a given policy. If the users within a given work area are not following an established anti-virus policy (it is taken as a given that the suggestion of TT is only valid where such a policy exists, for the exact reason you point out), then they are at risk for a virus infection, and pose a risk for other computing resources.

RE: "Controlled" environment

Such environments are possible. They are routinely used for the handling of classified materials, for example. Again, the effectiveness of the controls directly depends on how well you adhere to them.
ignatz@att.att.com (10/01/89)
The author of the original "Tiger Team" concept responded to a couple of critical postings with some rebuttals. As I read them, he defended the TT concept by emphasizing, several times, that the TT would be checking compliance with anti-viral policies. I ask, if this *is* the goal, couldn't the corporation provide a configuration test program that checked for the existence of corporation-approved software and methods without introducing a virus, and requiring all the intermediate overhead of special backups, etc.?

Dave Ihnat
Analysts International Corporation, Chicago
ignatz@homebru.chi.il.us (preferred return address)
ignatz@chinet.chi.il.us