
Anti Virus software on Forensic Workstation

13 Posts
9 Users
0 Likes
2,154 Views
(@ludlowboy)
Posts: 71
Trusted Member
Topic starter
 

On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?

Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.

Would your views and recommendation change for a small closed forensic network with a server and several forensic work stations?

 
Posted : 02/03/2019 2:56 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?

Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.

It seems to me a correct approach.

The theory of operation (not necessarily doable in practice) is to re-image "clean" the workstation before any investigation or to use a PE (or other live/volatile OS).

But nothing prevents to install/use a non-real time scanning Antivirus (no slowdowns due to the antivirus) to check the contents of an image.

After all, I doubt you are going to double-click on .exe's or similar, and the whole point of forensics is normally to use a read-only or non-modifiable image, or at the very least, needed changes - if any - should be fully documented and under the "full control" of the investigator, whilst a real-time anti-virus may either block your work, nagging with errors about its attempts to do something on read-only mounted media, or actually change something on it outside your direct control.
Besides, good luck if you are using "minor" or non-commercial (or self-written) tools; as only one example, a lot of AutoIt or AutoHotKey scripts/programs tend to trigger anti-virus heuristic engines (and tools intended to have direct access to disk, memory etc. tend as well to contain instructions that are "common" with some forms of virus/malware and may trigger the heuristic engines too).

Would your views and recommendation change for a small closed forensic network with a server and several forensic work stations?

Not really, though of course when you enter a multi-user setup the weak link becomes the least knowledgeable user.

jaclaz

 
Posted : 02/03/2019 4:55 pm
(@armresl)
Posts: 1011
Noble Member
 

If you're the police no real need.

If you're the defense, looking for viruses, malware, rootkits, etc, should all be part of the plan.

On a stand-alone forensic computer is it advisable to install anti-virus software? If so, what software would you recommend? What speed reduction have you experienced when it is installed?

Personally I only ever install and use anti-virus software when a customer requires that a scan be carried out or for specific jobs that involve malware attacks.

Would your views and recommendation change for a small closed forensic network with a server and several forensic work stations?

 
Posted : 03/03/2019 1:31 am
(@twjolson)
Posts: 417
Honorable Member
 

If you're the police no real need.

No! Our job is to seek the facts - inculpatory or exculpatory. We do malware scans.

 
Posted : 03/03/2019 2:56 am
(@armresl)
Posts: 1011
Noble Member
 

You may do malware scans. In the vast majority of all cases I've done police do not do any scans.
All I have to go on is the Detectives report, depo, and trial testimony. If asked and they don't mention it, then I can't assume that they did it.

If you're the police no real need.

No! Our job is to seek the facts - inculpatory or exculpatory. We do malware scans.

 
Posted : 03/03/2019 3:42 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Always install anti-virus software.

You don't have to manually scan anything, but your OS should have a broad-based malware protection mechanism.

 
Posted : 06/03/2019 2:37 pm
(@ludlowboy)
Posts: 71
Trusted Member
Topic starter
 

Hi pbobby. What anti-virus do you recommend, and what effect has it had on the performance of your workstation?

I ask this because it appears to be a requirement by UKAS for ISO accreditation.

 
Posted : 06/03/2019 6:35 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

We test the performance impact of anti-virus (AV) software. Example report here,
https://www.passmark.com/reports/Consumer_Security_Products_Performance_Benchmarks_2019_Ed_2.pdf

Some of the AV products are awful. They can double or triple the time required to do certain tasks (e.g. download a web page, copy files, etc..). So they can certainly have an impact on your productivity.

But most of the commercial forensics tools don't mount disk images to a drive letter. Which means that the AV tool and the operating system itself don't see the disk being investigated. Instead they do direct sector access to parse the MFT themselves. So most of the time the AV product doesn't see the files in the disk image and doesn't scan them.

There are some exceptions to this however. The big one for us being temporary files. When a disk image is scanned (e.g. for hashing or word indexing) then all the container files need to be opened up. So you might have a PDF, in a Zip, in an email which is all in a PST file. And to extract the PDF file you need to write some temporary files into a location that is visible to the AV. Then the scanning takes place. This has three bad effects:

1) It can dramatically slow everything down, especially when there is a large number of small files

2) The AV blocks access to the temp file while the AV scan takes place. Which can result in errors being thrown in the forensics tool, as the blocking returns a general access denied error. It is difficult for the forensics tool to know when and if the file will become available. So even if the scan takes 0.5 seconds per file, the forensics tool might be delayed for seconds per file. This is a big deal if you have a million files.

3) If a suspect file is found by the AV, then the temp file gets deleted or quarantined. So from the point of view of the forensics tool this is really unexpected. The tool writes a file, then tries to re-read the file 500ms later and the file is gone! This results in more errors and the file in question being skipped (e.g. not hashed, or not indexed).

So by all means install an AV solution if you think you need one, but turn it off for particular activities, or configure the AV to never monitor the temp folder(s) / drive(s).

 
Posted : 06/03/2019 9:58 pm
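As an added illustration of the failure modes in points 2) and 3) of the post above (this is not Passmark's code and not taken from any forensic product), the Python below hashes files that have been extracted to a temp folder while a constructed stand-in for an on-access scanner first holds each new file (the tool gets access denied) and then quarantines anything containing a made-up marker. The retry loop with backoff absorbs the sharing violations instead of erroring out, and a file that vanishes between the write and the read-back is recorded as "vanished" rather than silently dropped from the hash set. The `SimulatedOnAccessAV` class, its marker string and the three sample files are all assumptions constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class HashResult:
    hashed: dict = field(default_factory=dict)    # file name -> sha256 hex digest
    vanished: list = field(default_factory=list)  # written, then gone before read-back (quarantined?)
    failed: list = field(default_factory=list)    # still locked after every retry
    retries: int = 0                              # sharing violations survived on hashed files


class SimulatedOnAccessAV:
    """Constructed stand-in for an on-access scanner (an assumption, not a real product).

    Each newly written file is 'held' for `busy_opens` open attempts (access denied),
    and any file containing SIGNATURE is deleted before the tool can read it back,
    mimicking quarantine.
    """
    SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"  # made-up marker, not a real AV signature

    def __init__(self, busy_opens=2):
        self.busy_opens = busy_opens
        self._opens = {}

    def open(self, path, mode="rb"):
        n = self._opens.get(path, 0)
        self._opens[path] = n + 1
        if n < self.busy_opens:
            raise PermissionError(13, "Access is denied (scanner holds the file)", path)
        with open(path, "rb") as f:
            if self.SIGNATURE in f.read():
                os.remove(path)          # "quarantine": the file disappears under the tool
        return open(path, mode)          # raises FileNotFoundError if it was quarantined


def hash_with_retry(path, open_fn=open, max_attempts=5, base_delay=0.01):
    """SHA-256 one file, retrying with exponential backoff while the scanner holds it.

    Returns (hex_digest, retries_used). PermissionError is re-raised once attempts are
    exhausted; FileNotFoundError propagates so the caller can record a vanished file.
    """
    retries = 0
    for attempt in range(max_attempts):
        try:
            h = hashlib.sha256()
            with open_fn(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            return h.hexdigest(), retries
        except PermissionError:
            retries += 1
            if attempt == max_attempts - 1:
                raise
            time.sleep(base_delay * (2 ** attempt))
    raise PermissionError(13, "no attempts left", path)


def process_artifacts(artifacts, workdir, open_fn=open):
    """Write each (name, bytes) artefact to workdir, as the extraction step would, then hash it.

    Every outcome is recorded so the examiner can see which items were never hashed and why.
    """
    result = HashResult()
    for name, data in artifacts:
        tmp = os.path.join(workdir, name)
        with open(tmp, "wb") as f:           # the temp file the scanner gets to see
            f.write(data)
        try:
            digest, used = hash_with_retry(tmp, open_fn=open_fn)
            result.hashed[name] = digest
            result.retries += used
        except FileNotFoundError:
            result.vanished.append(name)     # gone between write and read-back
        except PermissionError:
            result.failed.append(name)       # still locked after every retry
        finally:
            try:
                os.remove(tmp)
            except FileNotFoundError:
                pass
    return result


def run_demo(av=None):
    """Hash three constructed artefacts with or without the simulated scanner in the way."""
    artifacts = [
        ("report.pdf", b"%PDF-1.4 constructed sample body"),
        ("invoice.exe", b"MZ" + SimulatedOnAccessAV.SIGNATURE),
        ("notes.txt", b"hello"),
    ]
    workdir = tempfile.mkdtemp(prefix="fx_temp_")
    try:
        return process_artifacts(artifacts, workdir, open_fn=av.open if av else open)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for label, av in (("no AV", None), ("AV in the way", SimulatedOnAccessAV(busy_opens=2))):
        r = run_demo(av)
        print(f"{label}: hashed={sorted(r.hashed)} vanished={r.vanished} "
              f"failed={r.failed} retries={r.retries}")
```

Run it directly to see both passes. In a real pipeline the `open_fn` hook is just the builtin `open` (on Windows a sharing violation surfaces in Python as `PermissionError`, so the same handler applies), and the `vanished` list is what you would surface in the report, or reconcile against the AV's quarantine log, so that a quarantined item is documented rather than silently missing from the hash set. Excluding the temp folder from on-access scanning, as the post suggests, removes both problems at source.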
harrisonamj
(@harrisonamj)
Posts: 3
New Member
 

My principal focus is IR forensics so the expedient identification of malware is a common requirement and most images we take in will be scanned at the outset for quick identification of malware for further analysis.

We run AV on our workstations (specifically ESET) with the majority of default protections in place, and have not noticed a performance impact. This is supplemented with multiple AV solutions which are licensed and kept updated for use in scanning mounted images.

 
Posted : 06/03/2019 11:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

We test the performance impact of anti-virus (AV) software. Example report here,
https://www.passmark.com/reports/Consumer_Security_Products_Performance_Benchmarks_2019_Ed_2.pdf

Some of the AV products are awful. They can double or triple the time required to do certain tasks (e.g. download a web page, copy files, etc..). So they can certainly have an impact on your productivity.

But most of the commercial forensics tools don't mount disk images to a drive letter. Which means that the AV tool and the operating system itself don't see disk being investigated. Instead they do direct sector access to parse the MFT themselves. So most of the time the AV product doesn't see the file in the disk image and doesn't scan them.

There are some exceptions to this however. The big one for us being temporary files. When a disk image is scanned (e.g. for hashing or word indexing) then all the container files need to be opened up. So you might have a PDF, in a Zip, in a Email which is all in a PST file. And to extract the PDF file then you need to write some temporary files into a location that is visible to the AV. Then the scanning takes place. This has three bad effects,

1) It can dramatically slow everything down, especially when there is a large number of small files

2) The AV blocks access to the temp file while the AV scan takes place. Which can result in errors being throw in the Forensics tool, as the blocking returns a general access denied error. If is difficult for the forensics tool to know when and if the file will become available. So even if the scan take 0.5 seconds per file, the forensics might be delayed for seconds per file. This is a big deal if you have a million files.

3) If a suspect file is found by the AV, then the temp file gets deleted or quarantined. So from the point of view of the Forensics tool this is really unexpected. The tool writes a file, then tried to re-read the file 500ms later and the file is gone! This results in more errors and the file in question being skipped (e.g. not hashed, or not indexed).

So by all means install an AV solution if you think you need one, but turn it off for particular activities, or configure the AV to never monitor the temp folder(s) / drive(s).

Very interesting test benchmark, thanks.

What surprised me (and that is good to know :) ) is that current/recent Norton is as fast as (or faster than) ESET; the good guys at Symantec must have made some very relevant changes since - traditionally - ESET was of "light" impact on common operations whilst Norton used to be a snail (actually a snail trawling through molasses ;) ).

jaclaz

 
Posted : 07/03/2019 8:43 am