I don't even think you have to restrict the AD-related virus issue to the
file-system.  

Something that your AV tools won't help you with is a "virus" that simply
runs malicious LDAP queries - i.e. changing all kinds of attributes on
objects in AD or even deleting a whole lot of objects at once...  Obviously
this virus would only be harmful for users with appropriate permissions on
the AD objects.

Again, AD will ensure that these malicious changes are replicated to all DCs
and you could end up with quite a disaster which is certainly not very easy
to recover from.

/Guido

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 11 December 2003 14:55
To: [EMAIL PROTECTED]
Subject: Re: AD as a possible target of attack? RE: [ActiveDir] Virus
software on DC

> DO scan your DCs and reconsider excluding things like the Sysvol

I fully agree with you here, John.  I have seen for myself how good FRS is
at distributing viruses throughout the infrastructure in a short period of
time!!  Some of the major AV vendors previously had products that caused
problems when scanning SYSVOL, but the recent offerings have resolved this.
Bottom line:  there is no good reason not to include SYSVOL (as long as
you've checked with your AV vendor first).

Tony

---------- Original Message ----------------------------------
Wrom: NNYCGPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 10 Dec 2003 23:18:52 +0100

I totally agree with all the guys out there that urge you to scan your
DCs!!! I've been thinking about this issue for some time and I've come to
the conclusion that Active Directory would be THE IDEAL target for a virus
attack. The robustness of AD replication makes it the ideal distribution
mechanism for viruses. Hey ... distributing viruses by mail is ancient
technology ;-). Why not use the intense integration of Exchange 2000+ and AD
to transport a virus from Exchange to AD? 

No guys... I'm very serious! DO scan your DCs and reconsider excluding
things like the Sysvol because this is another possible target for the sick
minds out there that like to screw up enterprise environments! It's only a
matter of time before the first AD virus is a fact of life we have to deal
with!

So go out and check (before you go to bed) whether or not dat-file updates
are really succeeding ;-).

Cheers!
John
 

-----Original Message-----
Wrom: WLSZLKBRNVW
To: [EMAIL PROTECTED]
Sent: 10-12-2003 18:07
Subject: RE: [ActiveDir] Virus software on DC

Sorry, I have to throw-in my two cents. I exclude the sysvol/sysvol
folder and sub-folders, but run the real-time scanner on everything
else.  These two folders deal with replication and are too volatile to
play with.

S

*****************************************
Steve Shaff
Active Directory / Exchange Administrator
Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 


-----Original Message-----
Wrom: WCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNS
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[contractor]
Sent: Wednesday, December 10, 2003 8:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

Same here, never had any problems either.

Jeremy

-----Original Message-----
Wrom: KVFVWRKJVZCMHVIBGDADRZFSQHYUCDDJBLVLMHAALPTCXLYRWTQTIPWI
Sent: Wednesday, December 10, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC


We run Symantec AV corporate edition and don't exclude any directories.
We haven't had any problems related to AV software...... 

-----Original Message-----
Wrom: GYOKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXO
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, December 10, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Virus software on DC

 >What directories should I not be scanning?

We use the exclusions in this list-

822158 - Virus Scanning Recommendations on a Windows 2000 Domain
Controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158


________________________________

        Wrom: EAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFX
        Sent: Wednesday, December 10, 2003 8:30 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Virus software on DC
        
        
        We run Trend here.
        Never have run into any issues and we are using the realtime
        scan.
        Just out of curiosity though, I am scanning all except for a few
        select dirs.
        What directories should I not be scanning?



        John Parker, MCSE 
        IS Admin. 
        Senior Technical Specialist 
        Alpha Display Systems. 

        Alpha Video 
        7711 Computer Ave. 
        Edina, MN. 55435 
          
        952-896-9898 Local 
        800-388-0008 Watts 
        952-896-9899 Fax 
        612-804-8769 Cell 
        952-841-3327 Direct 

        [EMAIL PROTECTED] 
        "Be excellent to each other" 
        ---End of Line--- 


        -----Original Message-----
        Wrom: ISHJEXXIMQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCG
        Sent: Wednesday, December 10, 2003 10:24 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Virus software on DC
        
        

        I do, but I exclude the AD files, and I do not have real-time
        scanning enabled, just periodic scheduled scans. Does not seem to
        cause any problems.

         

        <mc>

        -----Original Message-----
        Wrom: PKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLS
        Sent: Wednesday, December 10, 2003 11:17 AM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Virus software on DC

         

        This may be a dumb question, but do you guys have virus scanning
        software on your DCs? I have been confused if the virus scanner
        slows the machine down or not. Thanks


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


