<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>EWF as an Antivirus solution</title><link>http://blogs.msdn.com/embedded/archive/2005/03/23/401377.aspx</link><description>Over the years, the product team is periodically contacted by different internal Technical Account Managers for some of our premier customers and the conversation goes something like this: TAM: I’ve got this customer and they have this cool device and</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: EWF as an Antivirus solution</title><link>http://blogs.msdn.com/embedded/archive/2005/03/23/401377.aspx#402599</link><pubDate>Sun, 27 Mar 2005 02:47:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:402599</guid><dc:creator>Anthony Spina</dc:creator><description>When you stated that &amp;quot;Many have tried and many have failed and learned their lesson the hard way&amp;quot;:&lt;br&gt;&lt;br&gt;Were they committing changes after the box had been up for days or on a fresh boot?&lt;br&gt;Were they SP2 installs with Firewall on/No Exceptions?&lt;br&gt;Was the IE policy locked down?&lt;br&gt;&lt;br&gt;Conceptually it would sound like a no-brainer that EWF would solve everyone's virus issues, being able to start fresh every time you hit the reset button. That entire post seemed like a lead-in to the Computer Associates plug on the bottom.&lt;br&gt;&lt;br&gt;When hackers learn to circumvent EWF, that's when people will have problems, no?
&lt;br&gt;&lt;br&gt;</description></item><item><title>re: EWF as an Antivirus solution</title><link>http://blogs.msdn.com/embedded/archive/2005/03/23/401377.aspx#402613</link><pubDate>Sun, 27 Mar 2005 05:33:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:402613</guid><dc:creator>Andy Allred</dc:creator><description>Hi Anthony, thanks for the feedback. &lt;br&gt;&lt;br&gt;This isn't a plug, it's the only componentized AV solution for XPe today. Actually, you can install any AV software designed for XP Pro, perhaps i should have emphasized that as an alternative, but the CA version is the one componentized which is more helpful for smaller footprint devices. &lt;br&gt;&lt;br&gt;I've componentized FPROT for my own experiments and it worked fine, so you're not limited to the one listed in the post, but CA's is the only one publicly available. I've also installed from the desktop Symantec and Panda on XPe runtimes, but those weren't componentized and required a lot more dependencies just to get the AV *installer* to work. For small footprint devices restricted in disk space a componentized version is preferable.&lt;br&gt;&lt;br&gt;I highly recommend you don't use EWF for the reasons i mentioned regarding commiting to disk and the fact that, even though the disk is protected, the device can still continue to infect other machines. If there's no person sitting in front of the device how do you know you need to press that reset button in order to &amp;quot;fix&amp;quot; the problem, for instance if the device is headless or in a remote location? &lt;br&gt;&lt;br&gt;Using EWF as an AV solution is not a &amp;quot;best practice&amp;quot;. If you decide to do it anyways, at least having the servicing infrastructure, firewall and security of SP2 will help.
&lt;br&gt;&lt;br&gt;SP2 for embedded was only just released a few months ago, it was the Gold and SP1 versions that have been infected, all the incidents i'm aware of did not have a firewall. To date i haven't heard of any SP2 infected embedded devices yet.&lt;br&gt;&lt;br&gt;This raises the issue that for devices like a thin client or a cash register that have a user sitting in front of it most of the day, user education comes into play as well. Another issue are the devices that allow everyone to run as Administrator, but as you mentioned, IE being locked down is a good idea as well.&lt;br&gt;&lt;br&gt;To answer some of your other questions, i don't know about the IE settings of the infected machines. These were mostly SP1 devices and some were not being serviced properly if at all. &lt;br&gt;&lt;br&gt;For most embedded devices, a firewall is going to protect you due to very few open ports. Having AV on the box is additional insurance. &lt;br&gt;&lt;br&gt;One issue i did not raise is that you need the ability to update the virus definition files, something you'll need to consider as part of your servicing scenario perhaps.&lt;br&gt;&lt;br&gt;A lesson learned is that security in general needs to be a consideration early on in the design phase of your device. EWF was not designed to act as an AV feature, if you choose to use it in this manner please at least use a firewall, service the device and use SP2.&lt;br&gt;&lt;br&gt;Lastly, security of EWF is a concern and is considered in the design and test of the feature. I worry about *any* of our features being attacked by hackers &amp;lt;grin&amp;gt;&lt;br&gt;&lt;br&gt;Thanks again Anthony. Do you have any requests for topics?
&lt;br&gt;</description></item><item><title>re: EWF as an Antivirus solution</title><link>http://blogs.msdn.com/embedded/archive/2005/03/23/401377.aspx#9653092</link><pubDate>Fri, 29 May 2009 16:56:39 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9653092</guid><dc:creator>Mohammed Nusrath</dc:creator><description>&lt;p&gt;We are facing issues with thin clients running McAfee and if we are disabling the EWF option, then the performance is good. We are running McAfee on our Wyse thin clients. &lt;/p&gt;
&lt;p&gt;What is your take on disabling EWF completely? I understand that disabling EWF will allow users to write files to the disk but we will educate them not to save anything on the box.&lt;/p&gt;
&lt;p&gt;Apart from that, will there be any impact?&lt;/p&gt;
&lt;p&gt;thanks&lt;/p&gt;
</description></item><item><title>re: EWF as an Antivirus solution</title><link>http://blogs.msdn.com/embedded/archive/2005/03/23/401377.aspx#9653353</link><pubDate>Fri, 29 May 2009 18:14:08 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9653353</guid><dc:creator>MattKell (MSFT)</dc:creator><description>&lt;p&gt;Mohammed: Generally speaking, if you are running an actual anti-virus program, you will probably not want to use EWF, as any changes, cleanup, quarantines, etc. performed by the AV program will be lost once the EWF overlay is discarded. &amp;nbsp;The intent behind this post was to show how EWF could be considered an anti-virus solution by enabling it to &amp;quot;lock down&amp;quot; the hard drive - you can just throw out any changes that a virus may have made to your system. &amp;nbsp;But as Andy pointed out in an earlier reply, as long as the virus is active on the computer, it can infect other machines as well, so a real AV solution is in fact better.&lt;/p&gt;
&lt;p&gt;The only major impact of disabling EWF completely would be that you don't get the benefits of EWF's write filtering. &amp;nbsp;At that point, if protecting your hard drive from unauthorized writes is a concern, there are a number of other ways to lock the system down for security that are supported in XP Pro (and therefore in XPe). &amp;nbsp;Your mileage may vary.&lt;/p&gt;
&lt;p&gt;Hope this helps!&lt;/p&gt;
</description></item></channel></rss>