> > You "hope" that they can't be executed on the web server.
> > That's an awfully arrogant statement to make.
>
> It is computer configuration 101: write or execute. Directories
> that can be written, and the files in them, can never have
> execute privileges.
At the risk of sounding like a parrot ("Jochem's right! Jochem's right!
Awk!"), this can't be stated strongly enough. Depending on antivirus
software to protect a web server is like depending on seatbelts while
driving blindfolded along a cliffside road. It doesn't protect your web
server, and may harm your web server, and may distract you from real
security measures. At best, antivirus software will protect people who
download non-HTML files from your web server. Your web server will not be
able to open Word files or run random executables - if it can, you have
bigger problems than viruses. There's nothing arrogant about saying that
antivirus doesn't protect your web server from attack.
> > At worst, you spend a little bit of case
>
> At worst, your database will crash due to errors caused by the
> virusscanner locking files, files will be wiped out due to a
> virus scanner incorrectly identifying files as viruses or you
> might even lose complete mailboxes. I am not going to prove that
> now, I think I have proven that sufficiently in the past:
> http://www.houseoffusion.com/lists.cfm/link=m:5:9487:86997
Or, even worse, your antivirus software may introduce new vulnerabilities in
your web server environment! I recently ran into this exact problem with a
client. They ended up installing IIS on their "antivirus server" without
configuring it properly, because the software recommended it. Never mind the
fact that their environment had no mechanism to upload or download files -
everything's got to have antivirus!
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:215991
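
The "write or execute" rule quoted in this message can be checked mechanically. The following is an added example, not code from the thread or its participants: it walks a web root and reports executable or server-interpreted files that sit in writable directories. It assumes POSIX mode bits (an IIS host would check NTFS ACLs and IIS execute permissions instead); the function names, extension list and sample tree are hypothetical.

```python
import os
import stat
import tempfile

# Assumption: extensions the web server hands to an interpreter.
SCRIPT_EXTS = {".cfm", ".cfc", ".php", ".asp", ".aspx", ".jsp", ".cgi"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
# Assumption: group/other write stands in for "writable by the web server account".
WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH

def audit_write_or_execute(root):
    """Return sorted (relative_path, reason) for executable content in writable dirs."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if not os.stat(dirpath).st_mode & WRITE_BITS:
            continue  # not writable, so executable content is acceptable here
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other non-regular files
            rel = os.path.relpath(path, root)
            if mode & EXEC_BITS:
                findings.append((rel, "execute bit set"))
            elif os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                findings.append((rel, "script extension"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample web root: a read-only app dir and a writable upload dir."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "app/index.cfm": 0o644,        # script in a non-writable dir: allowed
        "uploads/report.doc": 0o644,   # inert data in a writable dir: allowed
        "uploads/uploaded.cfm": 0o644, # script in a writable dir: violation
        "uploads/tool.bin": 0o755,     # executable in a writable dir: violation
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "app"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root

if __name__ == "__main__":
    print(audit_write_or_execute(build_sample_tree()))
```

An empty result means no directory under the root is both writable and a home for executable content.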