Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!mit-eddie!uw-beaver!cornell!biar!trebor
From: trebor@biar.UUCP (Robert J Woodhead)
Newsgroups: comp.sys.mac
Subject: Re: Virus Protection for AppleShare File Servers?
Keywords: virus, appleshare
Message-ID: <743@biar.UUCP>
Date: 10 Jul 89 13:53:41 GMT
References: <5956@hubcap.clemson.edu> <8148@bsu-cs.bsu.edu>
Reply-To: trebor@biar.UUCP (Robert J Woodhead)
Organization: Biar Games, Inc.
Lines: 48

In article <8148@bsu-cs.bsu.edu> mithomas@bsu-cs.bsu.edu (Michael Thomas Niehaus) writes:
>Now that your software is installed, you are safe because *THAT IS THE
>ONLY SOFTWARE EVER RUN* from the server. All of the other files on the
>network are data files. Viruses cannot be spread from these data files.
>Now, if you were to shut down your server, boot with another disk, and run
>some of the software that is on that server's disk *ON THE SAME SERVER
>MACHINE* then you could infect the server. But, I recommend against
>doing this.

This is an _incorrect_ assertion. It is correct to say that if the server is proven free of viruses, and clients are not allowed read-write access to applications (or the server system folder), then those applications and system folder cannot be infected. However:

Any file on any volume visible to an infected application that is read-write to the application is a candidate for infection!

Read this carefully and understand it. If a user on a client machine runs his own Macwrite that is infected, and that client machine has read-write access to server applications, the virus may infect a server application. Whether or not it actually can is determined by the infection method of the virus.

It gets worse, because many applications require that the user be able to modify them.

The solution is twofold:

1) Regularly scan all disks, both server and client, using a good detection tool, such as (plug) Virex or Disinfectant. This includes scanning all ``incoming'' floppy disks.

2) Install, in all client machines, a watchdog init, such as Gatekeeper. So long as the user boots from the client machines' hard disk, the watchdog init will protect any visible Appleshare volumes from attack, just as regular local volumes are protected. In order for an attack to work, the user must have booted his own, infected floppy disk, which has Appleshare on it, but not the watchdog.

The combination of these two techniques will provide adequate security for high volume sites.

--
(^;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-;^)
Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP
``I can read your mind - right now, you're thinking I'm full of it...''