Sheep dip (computing)

From Wikipedia, the free encyclopedia

In data security, a sheep-dip is the process of using a dedicated computer to test files on removable media for viruses before they are allowed to be used with other computers.[1]

This protocol is a normal first line of defence against viruses in high-security computing environments[2][3] and IT security specialists are expected to be familiar with the concept.[4][5][6]

The process was originally developed in response to the problem of boot sector viruses on floppy discs. Subsequently, its scope has been expanded to include USB flash drives, portable hard discs, memory cards, CD-ROMs and other removable devices, all of which can potentially carry malware.

The name sheep-dip is derived from a method of preventing the spread of parasites in a flock of sheep by dipping all of the animals one after another in a trough of pesticide.[1] The term has been in use since at least the early 1990s, though footbath was also used at the time.[7] A sheep-dip system can be considered a special case of a sandbox, used to test for malware.

Typical sheep-dip system

A sheep-dip is normally a stand-alone computer, not connected to any network. It has antivirus software in order to scan removable media and to protect the sheep-dip computer itself. The system can be made more effective by having more than one antivirus program, because no single antivirus product is able to detect all types of virus.[8]

It is very important to secure sheep-dip computers as strongly as possible against malware, because their role as a first line of defence means that they are particularly likely to be attacked. Software updates should be applied as soon as they become available.[9] Antivirus signatures should be the most up-to-date that are available,[10][11] which in practice means that they must be updated at least daily. The operating system should be hardened[12] and locked down as far as possible.

Network connections are avoided for two reasons. Firstly, an Internet connection is a potential attack vector via which the computer could be compromised. Secondly, there is a risk that a worm on a removable device might escape into a local area network if the sheep-dip computer is connected to it.

Computers running Incident Command System (ICS) Protection Agent will not accept any removable USB media device that has not been scanned and validated by the USB scanner station, thereby blocking all file transfer and application execution from unauthorized devices.[13]

Weaknesses of typical systems

Isolation from networks makes automatic updating impossible, because the sheep-dip computer is not able to make contact with the servers from which software updates and antivirus signatures are distributed. It is therefore normal for updates to be applied manually, after they have been downloaded by a separate network-connected computer and copied to a USB flash drive.

When a computer's security and antivirus updates are dependent on manual intervention by human beings, the system's security becomes vulnerable to human error. If pressure of work prevents updates from being applied as soon as they become available, a sheep-dip computer will gradually become more and more insecure.

Absence of network connections also makes it difficult for an organisation to monitor the status of sheep-dips if it has deployed them to several different locations. The people with central responsibility for IT security must rely on prompt and accurate reports from those who use the sheep-dips. Again, there is a risk of human error.

Active sheep-dip system

In an active sheep-dip[14] the antivirus protection is monitored in real time by another program in order to increase security. Antivirus software is only effective if it is up-to-date, properly configured, and running. Active sheep-dips add an extra layer of security by checking the antivirus software and intervening if necessary.

At the very least, an active sheep-dip must disable access to removable media if it detects that its own antivirus signatures are not up-to-date. A more advanced system can be allowed limited network access for automatic updates and remote monitoring, but it must only enable its network connection when there is no immediate malware risk. When the network connection is active all removable media access must be disabled.
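The gating rules described above can be written as a small decision function; this is an added example, not part of the original article or of any product's code. The `Status` fields, the 24-hour staleness threshold, and the reading of "no immediate malware risk" as "no removable media attached" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: signatures older than this are stale (the article says
# signatures must be updated at least daily).
MAX_SIGNATURE_AGE = timedelta(hours=24)

@dataclass(frozen=True)
class Status:                      # hypothetical monitor snapshot
    av_running: bool
    av_configured: bool
    signatures_updated: datetime
    media_present: bool            # removable media currently attached
    update_wanted: bool            # update / remote-monitoring window requested

@dataclass(frozen=True)
class Decision:
    media_allowed: bool
    network_enabled: bool
    reason: str

def decide(s: Status, now: datetime) -> Decision:
    """Return the removable-media and network state the monitor should enforce."""
    stale = now - s.signatures_updated > MAX_SIGNATURE_AGE
    av_ok = s.av_running and s.av_configured
    # Network is enabled only while no media is attached, and media access
    # stays locked for as long as the connection is up.
    if (stale or s.update_wanted) and not s.media_present:
        return Decision(False, True, "update window: network on, media locked")
    if not av_ok:
        return Decision(False, False, "antivirus not running or misconfigured")
    if stale:
        return Decision(False, False, "signatures stale: remove media to update")
    return Decision(True, False, "scanning permitted, network off")

if __name__ == "__main__":
    now = datetime(2024, 1, 2, 12, 0)            # constructed sample data
    fresh, old = now - timedelta(hours=3), now - timedelta(days=3)
    timeline = [
        Status(True, True, fresh, True, False),   # normal scan
        Status(True, True, old, True, False),     # stale signatures, media in
        Status(True, True, old, False, False),    # media removed: update
        Status(False, True, fresh, True, False),  # antivirus stopped
    ]
    for st in timeline:
        print(decide(st, now))
```

In every branch at most one of `media_allowed` and `network_enabled` is true, which is the mutual-exclusion property the paragraph requires.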


  1. Webopedia definition of term "sheep-dip" Retrieved on 11 April 2013.
  2. Build Your Own Security Lab: A Field Guide for Network Testing (Page 269) ISBN 978-0470179864
  3. Statement of Capability Retrieved on 11 April 2013.
  4. Certified Ethical Hacker Course Overview (Lesson 9) Retrieved on 11 April 2013. Archived 5 May 2013 at the Wayback Machine
  5. EC-Council 312-49 Exam (Specimen question 2) Retrieved on 11 April 2013.
  6. ICAN Examination: Information Technology (Question 5) Retrieved on 11 April 2013.
  7. Solomon, Alan; Kay, Tim (1994). Dr Solomon's PC anti-virus book. Retrieved 8 April 2019.
  8. AV-Comparatives independent tests of antivirus software
  9. Software Updates Retrieved on 12 April 2013.
  10. Viruses & Spyware Retrieved on 12 April 2013.
  11. Symantec Corporation Virus Definitions and Security Updates Retrieved on 12 April 2013.
  12. CPNI Good Practice Guide General Advice on Securing Operating Systems Retrieved on 27 May 2013.
  13. "USB device security". Retrieved 2021-02-16.
  14.
