Antivirus on Workstation/Server

5 Posts
4 Users
0 Likes
682 Views
(@ronanmagee)
Posts: 145
Estimable Member
Topic starter
 

Hi Guys,

We have a number of forensic workstations and a server for storing images. Our problem is that our anti-virus software picks up viruses from our images, both on our server and on our workstations.

I'm curious as to what AV software you have on your systems, how you keep it up-to-date (assuming your forensic network is secure and not connected to the internet) and what your setup is to prevent the AV software cleaning any image files / files extracted from the image.

Ronan

 
Posted : 12/05/2008 1:20 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Ronan,

We currently use Sophos on our workstations. We can log in to their website and download updates as often as we want and can then just manually update the workstations as and when.

With regards to imaging, the process does not trip the AV software even if we start previewing the drive (as long as we do it via EnCase/FTK). Having imaged the suspect drives (via a write blocker, of course), we can usually analyse the data and even export it from EnCase/FTK (or whatever else) without the AV software getting too upset. Sometimes it does quarantine files automatically. It's usually when we want to copy files to CD to be an exhibit that we get problems. That may mean having to disable the AV software's automatic protection temporarily. We then need to consider whether the next computer that is used to view the CD will view it properly or whether its AV software will quarantine the file.

Hope this in part answers your question.

Steve

 
Posted : 12/05/2008 2:08 pm
(@cymru100)
Posts: 21
Eminent Member
 

Within all anti-virus software that I've used, you can specify an exclude list - a set of locations and file masks to exclude from scanning/protection.

Just set the exclude list to include the location of your images and/or exported data. Sometimes you can have issues copying over a network, so you might need to temporarily disable your AV whilst doing so.

AVG and McAfee (enterprise edition, not the home edition) work very well. AVG being the easier to configure (very easy in fact). From experience, I'd try and avoid Norton/Symantec as it can be quite a system hog.

In our environment, AV updates are manually downloaded and stored on a server from which all workstations on the forensic network can update themselves.


 
Posted : 12/05/2008 3:02 pm
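A small check of the exclude-list approach described in the post above, written as an added example for this thread; it is not code from any of the posters or from any AV vendor. It models an exclusion list of directory locations and file masks the way the post describes it and reports which evidence paths would still be scanned before the real-time scanner gets a chance to quarantine them. Every path, share name and mask in it (`E:\Images`, `\\evidence-srv\images`, `*.E01` and so on) is constructed sample data, and the product-specific syntax for entering the exclusions into Sophos, AVG or McAfee is deliberately not shown.

```python
"""Verify that forensic evidence locations are covered by an AV exclusion list.

Added example for the forum thread, not code from any poster or AV product.
All paths and masks below are constructed sample values.
"""
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Constructed exclusion list: directory locations plus file masks, mirroring
# the "locations and file masks" exclude list described in the thread.
EXCLUDED_DIRS = [
    r"E:\Images",              # local image store on the workstation
    r"\\evidence-srv\images",  # image store on the server, entered as a UNC path
    r"D:\Exported",            # where files exported from images are written
]
EXCLUDED_MASKS = ["*.E01", "*.dd", "*.aff"]  # image container extensions

# Constructed evidence paths an examiner might actually produce during a case.
SAMPLE_PATHS = [
    r"E:\Images\Case042\disk.E01",
    r"\\EVIDENCE-SRV\Images\Case042\disk2.dd",
    r"Z:\Images\Case042\extracted\report.doc",  # Z: is the same share, mapped
    r"D:\Exported\Case042\invoice.exe",
    r"C:\Users\examiner\Desktop\sample.dd",
    r"C:\Temp\burn\payload.doc",                # staging area for a CD exhibit
    r"E:\ImagesOld\Case007\notes.txt",          # looks like E:\Images, is not
]


def _norm(path):
    """Normalise a Windows path for comparison: case-insensitive, no trailing separator."""
    return PureWindowsPath(path.strip().rstrip("\\/").lower())


def why_excluded(path, dirs=EXCLUDED_DIRS, masks=EXCLUDED_MASKS):
    """Return the exclusion entry covering `path`, or None if it would be scanned."""
    p = _norm(path)
    for d in dirs:
        dn = _norm(d)
        # Exact directory or any ancestor, compared component-wise so that
        # E:\Images does not accidentally cover E:\ImagesOld.
        if p == dn or dn in p.parents:
            return "dir:" + d
    for m in masks:
        # Masks are matched against the file name only, case-insensitively.
        if fnmatch(p.name, m.lower()):
            return "mask:" + m
    return None


def is_excluded(path, dirs=EXCLUDED_DIRS, masks=EXCLUDED_MASKS):
    return why_excluded(path, dirs, masks) is not None


def coverage_report(paths, dirs=EXCLUDED_DIRS, masks=EXCLUDED_MASKS):
    """Split `paths` into those covered by an exclusion and those still scanned."""
    report = {"excluded": [], "uncovered": []}
    for path in paths:
        reason = why_excluded(path, dirs, masks)
        if reason is None:
            report["uncovered"].append(path)
        else:
            report["excluded"].append((path, reason))
    return report


if __name__ == "__main__":
    result = coverage_report(SAMPLE_PATHS)
    for path, reason in result["excluded"]:
        print(f"excluded   {path}  ({reason})")
    for path in result["uncovered"]:
        print(f"SCANNED    {path}  <- add an exclusion before placing evidence here")
```

Two gaps the sample data is built to expose: a server share excluded by its UNC name is not matched when the same share is reached through a mapped drive letter, and a mask-only exclusion covers the image containers but not files extracted from them, which keep their original extensions. Both match the experience in the thread of trouble appearing only once files are copied out to a CD staging area or over the network, and both are fixed by listing every directory evidence actually lands in, not just the image store.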
azrael
(@azrael)
Posts: 656
Honorable Member
 

Heya Ronan,

I update the AV software at the same time as I update the analysis software prior to starting a new examination. Depending upon which machine I am using I have, and maintain, copies of AVG, Kaspersky and ClamAV. I've not had any issues with image files (yet!) - but extracted files I put into a directory on a separate partition that I disable the a/v scan on … So long as I don't try to open them from there - it tends not to complain …


Az.

 
Posted : 12/05/2008 3:08 pm
(@ronanmagee)
Posts: 145
Estimable Member
Topic starter
 

Cheers guys,

I was just curious as to how you handled it.

Appreciate the replies.

Ronan

 
Posted : 12/05/2008 4:05 pm