EWF as an Antivirus solution

Over the years, the product team has periodically been contacted by various internal Technical Account Managers (TAMs) for some of our premier customers, and the conversation goes something like this:

TAM:
I’ve got this customer and they have this cool device and it’s going to be exposed to the net.

Us:
Cool. Well, make sure they start with SP2 and do the firewall, antivirus and servicing thing so they don’t hose themselves.

TAM:
Heh, no worries. But regarding the AV deal, they’re running on compact flash and don’t have much space left. So we’re thinking we can use EWF as our AV solution. Just wanted to touch base with you and make sure we’re OK with that.

Us:
Yeah, that’s a bad idea. Here’s the scenario you’re looking at with that solution.

The machine is running EWF in RAM mode and gets infected. The device is protected only in the sense that the system files on disk are not permanently corrupted. In the meantime, until you reboot the device, it could be:
- Consuming resources, trying to write to disk, which fills up the RAM overlay until eventually the machine runs out of memory and barfs. This is bad.
- Acting as a ‘zombie’ or host, infecting other machines on the net. This is bad.

Now, after you reboot said device, the machine is no longer infected, but more than likely it’s going to be infected again, and the same issues above apply until the next reboot.

Think that’s bad? Now here’s the nightmare scenario: the machine is infected, you don’t realize it yet, but you need to commit some changes to disk. You commit the changes in the overlay to disk and you’ve now *permanently* written infected files. Rebooting will still leave you in a hosed state. Now you either need to re-image the device, or install AV software, clean the disk, commit those changes and cross your fingers.

To reiterate – do NOT use EWF as an Antivirus solution. Many have tried and many have failed and learned their lesson the hard way.
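As an added illustration (not part of the original post, and not Microsoft's EWF code), here is a toy model of the RAM overlay that walks through the cases above: writes shadow the disk in RAM, a reboot throws them away, a blind commit makes them permanent, and runaway writes exhaust the overlay. The `BAD_MARKER` signature, file paths and 64-byte overlay budget are constructed; `safe_commit` is a hypothetical scan-before-commit gate, the minimum you would want in front of any commit on a device that has no AV.

```python
# Toy model of an EWF RAM overlay, constructed for this post (not Microsoft's EWF code).
BAD_MARKER = b"<<constructed-malware-marker>>"  # stand-in for an AV signature
class WriteFilteredVolume:
    def __init__(self, disk, overlay_limit):
        self.disk = dict(disk)          # protected volume, path -> bytes
        self.overlay = {}               # RAM overlay: every write lands here first
        self.overlay_limit = overlay_limit

    def write(self, path, data):
        # Writes never reach the disk; they eat RAM until reboot or commit.
        pending = sum(len(d) for p, d in self.overlay.items() if p != path) + len(data)
        if pending > self.overlay_limit:   # the "runs out of memory and barfs" case
            raise MemoryError("overlay exhausted: %d > %d bytes" % (pending, self.overlay_limit))
        self.overlay[path] = data

    def read(self, path):               # overlay shadows the disk: the running OS sees the bad copy
        return self.overlay.get(path, self.disk.get(path))

    def reboot(self):
        self.overlay.clear()            # infection gone; the hole it came through is not

    def commit(self):
        self.disk.update(self.overlay)  # EWF does not discriminate: everything pending persists
        self.overlay.clear()

def safe_commit(vol):
    """Commit only if a scan of the pending writes finds nothing; returns the tainted paths."""
    bad = sorted(p for p, d in vol.overlay.items() if BAD_MARKER in d)
    if not bad:
        vol.commit()
    return bad

def scenario():  # walks the post's cases: infection in RAM, reboot, gated vs blind commit, exhaustion
    path = "/windows/system32/driver.sys"
    vol = WriteFilteredVolume({path: b"clean-driver"}, overlay_limit=64)
    vol.write(path, b"clean-driver" + BAD_MARKER)   # infection lands in RAM only
    running_infected = BAD_MARKER in vol.read(path)
    vol.reboot()
    clean_after_reboot = vol.disk[path] == b"clean-driver"
    vol.write(path, b"clean-driver" + BAD_MARKER)   # reinfected after reboot
    refused = safe_commit(vol) == [path]            # scan sees the tainted write and refuses
    vol.commit()                                    # the blind commit from the nightmare scenario
    try:                                            # malware keeps writing until RAM is gone
        vol.write("/temp/junk.bin", b"x" * 100)
        exhausted = False
    except MemoryError:
        exhausted = True
    return {"running_infected": running_infected, "clean_after_reboot": clean_after_reboot,
            "gated_commit_refused": refused, "blind_commit_persisted": BAD_MARKER in vol.disk[path],
            "overlay_exhausted": exhausted}
```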

TAM:
OK, thanks for the heads up. So what do I recommend to this customer?

Us:
Besides upgrading to SP2 and nailing down their servicing scenario (SUS or DUA or some other method) so they’ll be able to patch it in the future, the only things remaining are:
- Firewall
- AntiVirus

For the firewall you have several options: either use the new Windows Firewall in SP2, or use the new Sygate solution, a set of components built specifically for XP Embedded. The latter can also give your customer policy management via an enterprise server, along with other cool features like patch enforcement. It has been componentized, so you build and configure it through Target Designer.

For the antivirus solution, do yourself a favor and check out the first AV solution for XPe from Computer Associates. Their AV product is pretty well componentized, so depending on the bells and whistles you want, you can get anything from the local scanner at 5.4MB all the way up to the full product at 21MB, which gives you dual engines and management by an enterprise server.

Reference:
- Computer Associates “Securing the Embedded Platform” (PDF)

-Andy Allred
