sagarmc004
Level 7

Infecting a Solidified System


Hi,

I have a weird requirement here. We want to solidify an XP system and we are not going to install any antivirus program (we hope that Solidifier will not allow any malicious code to run).

If anyone deploys a virus or a rootkit onto this solidified system, what are the chances of this rootkit or virus infecting the system when the Solidifier status is changed into disabled or update mode?

How does Solidifier protect the system when it is disabled or set to update mode?

Regards,
Sagar

0 Kudos
1 Solution

Accepted Solutions
bzielin
Level 10

Re: Infecting a Solidified System


Any file added to the system in update will compromise the system.

Any file added in observe mode could compromise the system if it is added to the whitelist.

Although the product guide says otherwise, you should never go into update mode while in production. You could go into observe mode in production, but pull inventory, do an image deviation against the gold image, then add to the whitelist if you can confirm the added files are legit.

0 Kudos
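The "image deviation against the gold image" step in this answer, as an added example that is not part of the thread or of the product's own tooling: a SHA-256 inventory of a file tree is snapshotted from the gold image, the live system is inventoried the same way, and every added, modified or removed file is listed so only vetted additions reach the whitelist. The JSON layout, command-line usage and function names are this example's assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Added example (not the product's own tooling): an "image deviation" check.
# The gold-image inventory maps each file path to its SHA-256; the live system
# is inventoried the same way and every difference is listed for vetting before
# anything is added to the whitelist. Paths and JSON layout are assumptions.


def file_sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): file_sha256(p)
        for p in sorted(base.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def image_deviation(gold: dict, current: dict) -> dict:
    """Split the differences into the three classes an operator must act on:
    'added' and 'modified' files must be confirmed legitimate before they are
    whitelisted; 'removed' files point at loss of known-good content."""
    return {
        "added": sorted(p for p in current if p not in gold),
        "removed": sorted(p for p in gold if p not in current),
        "modified": sorted(p for p in gold if p in current and gold[p] != current[p]),
    }


if __name__ == "__main__":
    # usage: python deviation.py snapshot|check <tree> <gold.json>
    mode, tree, gold_file = sys.argv[1:4]
    if mode == "snapshot":
        Path(gold_file).write_text(json.dumps(build_inventory(tree), indent=2, sort_keys=True))
    else:
        gold = json.loads(Path(gold_file).read_text())
        print(json.dumps(image_deviation(gold, build_inventory(tree)), indent=2))
```

Run `snapshot` against the gold image once, then `check` against the live system before any whitelist change; an empty report is the only result that needs no review.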
5 Replies
sagarmc004
Level 7

Re: Infecting a Solidified System


What happens when Solidifier is disabled? Can the system be compromised?

0 Kudos
evaughn
Level 9

Re: Infecting a Solidified System


Yes. Disabled is just what it sounds like, disabled.

0 Kudos
evaughn
Level 9

Re: Infecting a Solidified System


I would still have VirusScan installed on the system. If performance is a concern, you could disable VirusScan on-access while enabled, then enable it before going into update/observe mode. This could be done as a policy assignment rule. Normal config has a 'scan nothing' VirusScan policy; tagged for update mode enables update mode and enforces a full VirusScan on-access policy. Having Application Control in update mode is little to no protection with logging enabled, which would make me uncomfortable.

0 Kudos
bzielin
Level 10

Re: Infecting a Solidified System


I agree with Eric; I would still have VSE on the machine, because just because a system is Solidified does not mean I can't put malware on the system, it just won't run until solidified.

For example, if you have malware on a Solidified system but the malware is not Solidified and there is a known signature, you could do a full scan to quarantine the malware.

Yes, because disabled means not protecting; it would be like not having Solidcore on the machine.

0 Kudos