[comp.sys.novell] A virus on a Novell LAN.

david@cerberus.bhpese.oz.au (David Masters) (01/22/91)

( This has been posted by David for Leon. Please reply to Leon.)

Message begins:

Is there a virus detector to run on a Novell server? Can a virus get from a 
workstation to the server? Please email me with any suggestions.

---

Leon Bryant, BHP Rod & Bar Products Division, Newcastle, Australia

INTERNET: lmb@cerberus.bhpese.oz.au        | Work:	(049)402205
UUCP: ...!uunet!cerberus.bhpese.oz!lmb     | Home:	(049)873272

Message ends.

david.
-- 
David Masters, BHP Information Technology, Newcastle, AUSTRALIA.
Internet: david@bhpese.oz.au        	     Phone: +61 49 402132

kenh@techbook.com (Ken Haynes) (01/23/91)

In article <1991Jan21.210144.21385@cerberus.bhpese.oz.au> david@cerberus.bhpese.oz.au (David Masters) writes:
>
>Is there a virus detector to run on a Novell server? Can a virus get from a 

SCANVxx from McAfee, actually NETSCAN will work.  I use it in my backup
batch file to scan the server every night.   Problems can occur on a
NW LAN if an infected workstation logs into a file server and the virus
attacks the files on the server.  This can occur if the infected account
has supervisor privileges, or the .exe or .com files are in an area that
is read/write and the files themselves are read/write.  NW security is
pretty tight when applied properly.

Ken


-- 
******************************************************************************
Network Support Services:

Ken Haynes, Certified Netware Engineer

mpd@anomaly.SBS.COM (Michael P. Deignan) (01/24/91)

david@cerberus.bhpese.oz.au (David Masters) writes:

>Is there a virus detector to run on a Novell server? Can a virus get from a 
>workstation to the server? Please email me with any suggestions.

McAffee Associates (sp?) NETSCAN is a Network Virus detector. It is available
from just about every BBS in the country.

Yes, a virus running on a workstation can infect the file server. If they
couldn't, there wouldn't be any need for NETSCAN.

MD
-- 
--  Michael P. Deignan                      / They're not "bombs". 
--  Domain: mpd@anomaly.sbs.com            /  They're "gifts".
--    UUCP: ...!uunet!rayssd!anomaly!mpd  /   "Gifts From Above".
-- Telebit: +1 401 455 0347              /

6600sirt@ucsbuxa.ucsb.edu (Mike O'Brien) (01/25/91)

From article <1991Jan23.225630.1139@anomaly.SBS.COM>, by mpd@anomaly.SBS.COM (Michael P. Deignan):
> david@cerberus.bhpese.oz.au (David Masters) writes:
> 
>>Is there a virus detector to run on a Novell server? Can a virus get from a 
>>workstation to the server? Please email me with any suggestions.
> 
> Yes, a virus running on a workstation can infect the file server. If they
> couldn't, there wouldn't be any need for NETSCAN.
>

Let me clarify this a little.  If you are asking whether or not a
virus on a workstation could infect the program running on your file
server (i.e. Novell Netware), the answer is: not bloody likely.  And if
it did, NETSCAN and others wouldn't find it.

On the other hand, if you are asking whether a virus on a workstation
could infect EXE and COM files stored on the network hard drive, which
could then be run by other workstations, the answer is of course yes.
The main advantage of NETSCAN is that you can stop a virus that
infects one of your workstations from spreading to the entire net.

You can get a copy of NETSCAN and other virus fighting programs from
anonymous FTP to uwasa.fi.  However, you may not use NETSCAN in a
business environment without registering it with McAfee Associates.
The cost for a network starts at about $1000; not much when you
consider what it could save you.

(I am not affiliated with McAfee in any way.)

Mike O'Brien
6600sirt@ucsbuxa.ucsb.edu
 

will@ogre.cica.indiana.edu (William Sadler) (01/29/91)

In article <1991Jan23.001244.8432@techbook.com> kenh@techbook.com (Ken Haynes) writes:
>In article <1991Jan21.210144.21385@cerberus.bhpese.oz.au> david@cerberus.bhpese.oz.au (David Masters) writes:
>This can occur if the infected account
>has supervisor privileges, or the .exe or .com files are in an area that
>is read/write and the files themselves are read/write.  NW security is
>pretty tight when applied properly.
>
>Ken
>
It was my understanding that only the removal of the write right from a
directory could effectively prevent the spread of certain viruses (like
Jerusalem B).  Flagging the file SRO will not keep the virus from
infecting it.  Revoking the Modify right and flagging it SRO will
work.  But revoking write seems to be the only sure way.

See Netware Connection, Sept/Oct 1990 p.2

Will

--
***************************************************************************
*   _______________\|/_      Will Sadler     will@ogre.cica.indiana.edu   * 
*   Laser 44888    /|\                       sadler@iubacs.bitnet         *     
***************************************************************************
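
Added example, not part of any post in this thread: a small audit that applies the rule discussed by Ken Haynes and Will Sadler above (supervisor rights, the Write and Modify rights, and the read-only flag) to a list of program files. The inventory format, the verdict names and the sample paths are constructed for illustration and are not the output of any NetWare utility; the Modify right is treated as what lets an account clear the read-only flag.

```python
# Added example: models the rights/flag rule as stated in the thread.
# Constructed inventory: path | account's effective rights | file flags.
# In the rights column "S" means supervisor-equivalent; in the flags
# column "S" means Shareable and "RO"/"RW" mean read-only/read-write.
INVENTORY = """\
SYS:PUBLIC/MAP.EXE     | R F         | S RO
SYS:APPS/WP/WP.EXE     | R W C E M F | S RO
SYS:APPS/DB/DB.EXE     | R W C F     | S RO
SYS:USERS/LMB/TOOL.COM | R W C E M F | RW
SYS:SYSTEM/NETSCAN.EXE | S           | S RO
"""


def parse(text):
    """Yield (path, rights_set, flags_set) from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        path, rights, flags = (field.strip() for field in line.split("|"))
        yield path, set(rights.upper().split()), set(flags.upper().split())


def exposure(rights, flags):
    """Classify how a program file could be modified from this account."""
    if "S" in rights:        # supervisor-equivalent account: nothing holds
        return "supervisor"
    if "W" not in rights:    # Write revoked in the directory
        return "protected"
    if "RO" not in flags:    # Write granted and the file is read/write
        return "writable"
    if "M" in rights:        # Modify allows clearing RO, then writing
        return "flag-strippable"
    return "flag-held"       # RO holds only while Modify stays revoked


def audit(text=INVENTORY):
    """Return {path: verdict} for .EXE and .COM files only."""
    return {path: exposure(rights, flags)
            for path, rights, flags in parse(text)
            if path.upper().endswith((".EXE", ".COM"))}


if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{verdict:16} {path}")
```

Anything other than "protected" is a file that an infected workstation logged in under that account could alter, directly or after changing the flag.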

david@thor.INS.CWRU.Edu (David Nerenberg) (01/30/91)

I have made an interesting observation, and would like to know if
anyone can explain this:

	Most of us have used netscan from McAfee to check our Novell Servers
for viruses.  I assume this is accomplished by opening the file to be
scanned, and comparing data strings with known virus strings.  
	Now, the interesting part:  Execute-Only files are scanned without a 
problem.
	Problem:  Execute-Only files can not be opened for reading except by 
an execute call.  Therefore, how is this being done, or is it not, and it
just looks like it is scanning these files?  If it is actually scanning the
files in their entirety, McAfee has broken the Execute-Only copy protection.

						Dave
-- 
david@ins.cwru.edu           *  Eagle  *      David Nerenberg
73107,177 Compuserve        * Computers *     Information Network Services
NY:  H-516-751-6344        * Electronics *    Case Western Reserve University
     W-516-751-8111       * Sound & Stage *   W-216-368-2982   H-216-754-2063

cd5340@mars.njit.edu (Charlap) (01/30/91)

In article <1991Jan29.192211.1413@usenet.ins.cwru.edu> david@po.CWRU.Edu writes:
>	Problem:  Execute-Only files can not be opened for reading except by 
>an execute call.  Therefore, how is this being done, or is it not, and it
>just looks like it is scanning these files?  If it is actually scanning the
>files in their entirety, McAfee has broken the Execute-Only copy protection.

It may not be as un-breakable as you think.  IPX knows nothing of calls to
execute or read.  That's all a function of NET4.EXE or the equivalent program
on your PC.  If you read the file using only IPX calls, then there is no
protection to be broken.  Needless to say, these calls aren't very
documented, but I've seen it done.  A program that makes IPX calls can do
the equivalent of SUPERVISOR actions without too much trouble.

RBYAML@ROHVM1.BITNET (Aengus Lawlor) (01/30/91)

We have Netware for VMS, and when I tried to use NetScan here, it bombed out
pretty quickly. As most of the PCs in the place have Scan in their AUTOEXECs,
I didn't put any time into finding out what was wrong with NetScan, but if
anyone has experience with it in a Netware for VMS environment, I'd appreciate
any insights you might have.
--
RBYAML@ROHMHAAS.COM                    Aengus Lawlor
RBYAML@ROHVM1.BITNET                   (who used to be ALAWLOR@DIT.IE)