I would like to hear the details of what you are thinking, offlist if you
prefer. I.E. How do you feel an Exchange server could infect a domain
controller assuming someone is smart and isn't running exchange on a domain
controller.

Exchange servers do not have write access to a DC's file system, admins that
could log into an Exchange could however. Though I would hope anywhere that
an admin logs in that they could do silly things like run unsafe
executables, web browse, or read email they have AV software running. That
would tend to slow down a sysvol infection. Exchange can write to the
directory but what field do you feel is exposed and that is actually
executed by any other system?

I actually agree that AD is a hell of a target for a virus, not as a
distribution point, but as an DOS attack target. In fact I could easily
visualize multiple methods of dropping entire enterprises with Viruses
attacking AD in general. I was visualizing them back in the summer of 2001
when I was reading Iseminger's AD Programmers Reference Library. Scared me
silly actually. I have visualized a program now that should be able to wipe
out an entire forest in 90 seconds or less even one as large as mine which
is global and has hundreds of domain controllers. I have actually had an
offlist discussion with some of the gurus from the list about it. It is but
one way to really hurt as there are many.

I do not however forsee admins who are careful having infected sysvols and
repicating viruses around that way. I wouldn't touch sysvol with AV software
because any changes just get FRS chomping. DFS shares though... Hmmmmm.

  joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Wednesday, December 10, 2003 5:19 PM
To: '[EMAIL PROTECTED] '
Subject: AD as a possible target of attack? RE: [ActiveDir] Virus software
on DC

I totally agree with all the guys out there that urge you to scan your
DCs!!! I've been thinking about this issue for some time and I've come to
the conclusion that Active Directory would be THE IDEAL target for a virus
attack. The robustness of AD replication makes it the ideal distribution
mechanism for virusses. Hey ... distributing virusses by mail is ancient
technology ;-). Why not use the intense integration of Exchange 2000+ and AD
to transport a virus from Exchange to AD? 

No guys... I'm very serious! DO scan your DCs and reconsider excluding
things like the Sysvol because this is another possible target for the sick
minds out there that like to screw up enterprise environments! It's only a
matter of time before the first AD virus is a fact of life we have to deal
with!

So go out and check (before you go to bed) whether or not dat-file updates
are really succeeding ;-).

Cheers!
John
 

-----Original Message-----
From: Steve Shaff
To: [EMAIL PROTECTED]
Sent: 10-12-2003 18:07
Subject: RE: [ActiveDir] Virus software on DC

Sorry, I have to throw-in my two cents. I exclude the sysvol/sysvol folder
and sub-folders, but run the real-time scanner on everything else.  These
two folders deal with replication and are too volatile to play with.

S

*****************************************
Steve Shaff
Active Directory / Exchange Administrator Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[contractor]
Sent: Wednesday, December 10, 2003 8:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

Same here, never had any problems either.

Jeremy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC


We run Symantec AV corporate edition and don't exclude any directories.
We haven't had any problems related to AV software...... 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, December 10, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

 >What directories should I not be scanning?

We use the exclusions in this list-

822158 - Virus Scanning Recommendations on a Windows 2000 Domain
Controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158


________________________________

        From: John Parker [mailto:[EMAIL PROTECTED] 
        Sent: Wednesday, December 10, 2003 8:30 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Virus software on DC
        
        
        We run Trend here.
        Never have run into any issues and we are using the realtime scan.
        Just out of curiosity though, I am scanning all except for a few
select dirs/
        What directories should I not be scanning?



        John Parker, MCSE 
        IS Admin. 
        Senior Technical Specialist 
        Alpha Display Systems. 

        Alpha Video 
        7711 Computer Ave. 
        Edina, MN. 55435 
          
        952-896-9898 Local 
        800-388-0008 Watts 
        952-896-9899 Fax 
        612-804-8769 Cell 
        952-841-3327 Direct 

        [EMAIL PROTECTED] 
        "Be excellent to each other" 
        ---End of Line--- 


        -----Original Message-----
        From: Creamer, Mark [mailto:[EMAIL PROTECTED]
        Sent: Wednesday, December 10, 2003 10:24 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Virus software on DC
        
        

        I do, but I exclude the AD files, and I do not have real-time
scanning enabled, just periodic scheduled scans. Does not seem to cause any
problems.

         

        <mc>

        -----Original Message-----
        From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
        Sent: Wednesday, December 10, 2003 11:17 AM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Virus software on DC

         

        This may be a dumb question, but do you guys have virus scanning
software on your DCs? I have been confused if the virus scanner slows the
machine down or not. Thanks


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to