Firewall Wizards: Re: Antivirus vendor conspiracy theories

Re: Antivirus vendor conspiracy theories

From: Danny <nocmonkey_at_gmail.com>
Date: Thu, 2 Dec 2004 15:33:24 -0500

On Sun, 28 Nov 2004 10:57:47 +0100, Ben Nagy <ben_at_iagu.net> wrote:
> [MHawkins]
> > > Antivirus vendors have painted themselves into their own conspiracy theoried
> > > corner by purveying a product that is based on technology that is purely
> > > reactive and for the last ten years they've use one method of protection
> > > thereby enabling other attack vectors to be repeatedly successful.
>
> And this is a bad thing WHY, exactly? AV does a very good job, in general,
> at looking at dodgy things as they enter and leave the filesystem. That was
> the original job of AV and remains the core of the products.

You are referring to host-based AV, of course.

> A firewall, for example, does a generally good job of allowing or declining
> traffic at layer 3/4, but a generally crappy job at looking at layer 7. That
> doesn't mean that firewall vendors are hopeless and that they haven't
> evolved over the last ten fifteen years.

Two words: Fortinet's Fortigate. (No, I do not work for Fortinet. I
work in the IT dept. of a food processing company). I am sure there
are many upper-layer-aware firewalls, but for the price, I haven't
found much competition.

> The problem starts when "the market" starts expecting FW+AV to protect them
> from all current threats - well they don't. You may as well get mad at your
> fire alarm when the pipes burst in your roof.

FW+AV in one works well here.

> At a host level malware is using a bunch of different attack vectors which
> were never in-spec for AV. Worms work by hijacking execution somehow, which
> is all happening in memory, before the AV gets a shot at it. They require no
> user interaction to spread, whereas AV have typically looked at Viruses
> (gasp) which _do_ require user interaction.

Concentrate on the perimeter with upper-layer-aware firewalls if you
can't rely (we don't) on host-based AV.

> Spyware, adware and all those tasty browser malwares work by exploiting the
> security identity of IE, making it impossible for an AV to tell that the
> functions are not what was intended.

Security through obscurity combined with a wee bit of education works
here. You are very pessimistic, sir. :)

...D
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 05 2004
