I would like to hear the details of what you are thinking, offlist if you prefer. I.e., how do you feel an Exchange server could infect a domain controller, assuming someone is smart and isn't running Exchange on a domain controller?
Exchange servers do not have write access to a DC's file system; admins that could log into an Exchange could, however. Though I would hope anywhere that an admin logs in that they could do silly things like run unsafe executables, web browse, or read email they have AV software running. That would tend to slow down a sysvol infection. Exchange can write to the directory, but what field do you feel is exposed and that is actually executed by any other system?

I actually agree that AD is a hell of a target for a virus, not as a distribution point, but as a DOS attack target. In fact I could easily visualize multiple methods of dropping entire enterprises with viruses attacking AD in general. I was visualizing them back in the summer of 2001 when I was reading Iseminger's AD Programmers Reference Library. Scared me silly actually. I have visualized a program now that should be able to wipe out an entire forest in 90 seconds or less, even one as large as mine, which is global and has hundreds of domain controllers. I have actually had an offlist discussion with some of the gurus from the list about it. It is but one way to really hurt, as there are many.

I do not however foresee admins who are careful having infected sysvols and replicating viruses around that way. I wouldn't touch sysvol with AV software because any changes just get FRS chomping. DFS shares though... Hmmmmm.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Wednesday, December 10, 2003 5:19 PM
To: '[EMAIL PROTECTED] '
Subject: AD as a possible target of attack? RE: [ActiveDir] Virus software on DC

I totally agree with all the guys out there that urge you to scan your DCs!!! I've been thinking about this issue for some time and I've come to the conclusion that Active Directory would be THE IDEAL target for a virus attack. The robustness of AD replication makes it the ideal distribution mechanism for viruses. Hey ...
distributing viruses by mail is ancient technology ;-). Why not use the intense integration of Exchange 2000+ and AD to transport a virus from Exchange to AD? No guys... I'm very serious! DO scan your DCs and reconsider excluding things like the Sysvol because this is another possible target for the sick minds out there that like to screw up enterprise environments! It's only a matter of time before the first AD virus is a fact of life we have to deal with! So go out and check (before you go to bed) whether or not dat-file updates are really succeeding ;-).

Cheers!
John

-----Original Message-----
From: Steve Shaff
To: [EMAIL PROTECTED]
Sent: 10-12-2003 18:07
Subject: RE: [ActiveDir] Virus software on DC

Sorry, I have to throw in my two cents. I exclude the sysvol/sysvol folder and sub-folders, but run the real-time scanner on everything else. These two folders deal with replication and are too volatile to play with.

S

*****************************************
Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538
(C) 503.807.4797
(F) 503.629.3674

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [contractor]
Sent: Wednesday, December 10, 2003 8:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

Same here, never had any problems either.

Jeremy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

We run Symantec AV corporate edition and don't exclude any directories. We haven't had any problems related to AV software......

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, December 10, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

>What directories should I not be scanning?
We use the exclusions in this list-

822158 - Virus Scanning Recommendations on a Windows 2000 Domain Controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

________________________________

From: John Parker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 8:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

We run Trend here. Never have run into any issues and we are using the realtime scan. Just out of curiosity though, I am scanning all except for a few select dirs. What directories should I not be scanning?

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

I do, but I exclude the AD files, and I do not have real-time scanning enabled, just periodic scheduled scans. Does not seem to cause any problems.

<mc>

-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Virus software on DC

This may be a dumb question, but do you guys have virus scanning software on your DCs? I have been confused if the virus scanner slows the machine down or not.
Thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
