5 Replies Latest reply on Apr 18, 2013 1:15 PM by Eric Vaughn

    Infecting a Solidified System

    sagarmc004

      Hi,

      I have a weird requirement here. We want to solidify an XP system and we are not going to install any antivirus program (we hope that Solidifier will not allow any malicious code to run).

      If anyone deploys a virus or a rootkit into this solidified system, what are the chances of this rootkit or virus infecting the system when Solidifier status is changed into disabled or update mode?

      How does Solidifier protect the system when it is disabled or set to update mode?

      Regards,
      Sagar

        • 1. Re: Infecting a Solidified System
          bzielin

          Any file added to the system in update mode will compromise the system.

          Any file added in observe mode could compromise the system if it is added to the whitelist.

          Although the product guide says otherwise, you should never go into update mode while in production. You could go to observe mode in production, but pull inventory, do an image deviation against the gold image, then add to the whitelist if you can confirm the added files are legit.
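The "pull inventory, deviate against the gold image, then whitelist only what you can confirm" step above, as an added illustration (not McAfee's own inventory or deviation tooling): a hash-based inventory of a file tree is compared against a baseline manifest, and only files that are unchanged from the gold image are treated as safe to re-whitelist without review. The `demo()` sample directories and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_inventory(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def image_deviation(gold: dict, current: dict) -> dict:
    """Classify paths as added, changed or removed relative to the gold image.
    Anything in 'added' or 'changed' needs review before it is whitelisted."""
    added = sorted(set(current) - set(gold))
    removed = sorted(set(gold) - set(current))
    changed = sorted(p for p in set(gold) & set(current) if gold[p] != current[p])
    return {"added": added, "changed": changed, "removed": removed}


def demo() -> dict:
    """Constructed sample: a gold image and a system that drifted while in observe mode."""
    with tempfile.TemporaryDirectory() as tmp:
        gold_root, cur_root = Path(tmp, "gold"), Path(tmp, "current")
        for root in (gold_root, cur_root):
            (root / "app").mkdir(parents=True)
            (root / "app" / "service.exe").write_bytes(b"legit service build 1")
            (root / "app" / "config.ini").write_text("level=1\n")
        (gold_root / "uninstall.log").write_text("baseline only\n")
        # Drift since the gold image: one file edited, one unknown file dropped in.
        (cur_root / "app" / "config.ini").write_text("level=2\n")
        (cur_root / "app" / "dropper.tmp").write_bytes(b"unknown content")
        return image_deviation(take_inventory(gold_root), take_inventory(cur_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```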

          • 2. Re: Infecting a Solidified System
            Eric Vaughn

            I would still have VirusScan installed on the system.  If performance is a concern, you could disable VirusScan on-access while enabled, then enable it before going into update/observe mode.  This could be done as a policy assignment rule.  Normal config has a 'scan nothing' VirusScan policy; tagged for update mode, it enables update mode and enforces a full VirusScan on-access policy.  Having Application Control in update mode is little to no protection with logging enabled, which would make me uncomfortable.

            • 3. Re: Infecting a Solidified System
              sagarmc004

              What happens when Solidifier is disabled? Can the system be compromised?

              • 4. Re: Infecting a Solidified System
                bzielin

                I agree with Eric, I would still have VSE on the machine, because just because a system is Solidified does not mean I can't put malware on the system; it just won't run until solidified.

                For example, if you have malware on a Solidified system but the malware is not Solidified and there is a known signature, you could do a full scan to quarantine the malware.

                Yes, because disabled means not protecting; it would be like not having Solidcore on the machine.

                • 5. Re: Infecting a Solidified System
                  Eric Vaughn

                  Yes.  Disabled is just what it sounds like, disabled.
