Firewall Wizards: RE: Antivirus vendor conspiracy theories

RE: Antivirus vendor conspiracy theories

From: Mark Teicher <mht3_at_earthlink.net>
Date: Sat, 04 Dec 2004 06:36:13 -0700

Some HIPS (Host-based IPS) vendors have changed their marketing tactics and
relabeled themselves as Continuous Compliance(tm) mechanisms with Host-Based
IDS signatures; others have repositioned their marketing as Anti-Virus
firewalls.

Hard to tell the players with a program.

/m

At 11:29 AM 11/30/2004, Ames, Neil wrote:
>Ben,
> If you had gotten your head out of the clouds and gotten the
>"Deep Inspectotron Application Fireweasel" off the ground we wouldn't have
>these issues. (I don't remember if the draft spec. had it baking
>muffins, however, so there is always something, isn't there?)
>
>
>--Fritz
>
>-----Original Message-----
>From: firewall-wizards-admin_at_honor.icsalabs.com
>[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Ben Nagy
>Sent: Sunday, November 28, 2004 4:58 AM
>To: 'Paul D. Robertson'; MHawkins_at_TULLIB.COM
>Cc: firewall-wizards_at_honor.icsalabs.com
>Subject: RE: [fw-wiz] Antivirus vendor conspiracy theories
>
> > -----Original Message-----
>[MHawkins]
> > > Antivirus vendors have painted themselves into their own conspiracy
> > > theoried corner by purveying a product that is based on technology that is
> > > purely reactive, and for the last ten years they've used one method of
> > > protection, thereby enabling other attack vectors to be repeatedly successful.
>
>And this is a bad thing WHY, exactly? AV does a very good job, in general,
>at looking at dodgy things as they enter and leave the filesystem. That was
>the original job of AV and remains the core of the products.
>
>A firewall, for example, does a generally good job of allowing or declining
>traffic at layer 3/4, but a generally crappy job at looking at layer 7. That
>doesn't mean that firewall vendors are hopeless and that they haven't
>evolved over the last ten or fifteen years.
>
>The problem starts when "the market" starts expecting FW+AV to protect them
>from all current threats - well, they don't. You may as well get mad at your
>fire alarm when the pipes burst in your roof.
>
>At a host level malware is using a bunch of different attack vectors which
>were never in-spec for AV. Worms work by hijacking execution somehow, which
>is all happening in memory, before the AV gets a shot at it. They require no
>user interaction to spread, whereas AV has typically looked at Viruses
>(gasp) which _do_ require user interaction.
>
>Spyware, adware and all those tasty browser malwares work by exploiting the
>security identity of IE, making it impossible for an AV to tell that the
>functions are not what was intended.
>
>[MHawkins]
> > > after year major infections spread and the consumer, faced with the
> > > cognitive dissonance between antivirus vendor marketing spin and the reality
> > > of a system rebuild, crashes, deleted files etc., wakes up and realizes that
> > > the antivirus vendors are peddling an awful product that really doesn't
> > > protect their system at all.
>[Paul]
> > AV works against almost 100% of existing in-the-wild viruses, and probably
> > greater than 90% of new viruses; that's not "doesn't protect their systems
> > at all."
>[...]
>
>Exactly. AV protects well against viruses. Do the vendors call it "anti all
>kinds of malware"? No. Do they claim that it bakes muffins? No.
>
>In fact, everyone is scrambling to get products ready for a market that is
>thinking exactly what you are saying, Mike - that the simple fact is that
>FW/AV doesn't protect well against current malware. To a large extent,
>that's because said malware is specifically designed to bypass those kinds
>of protection.
>
>[Paul]
> > The market won't accept better mechanisms, just like better
> > firewalls are disdained in favor of IDS, which is also a reactive
> > technology.
>
>I don't think that's the case. What the market won't accept are _ideal_
>mechanisms. Pretty much all the major players are betting they'll buy Yet
>Another Type Of Protection Software in droves. Personally, I think it should
>be called YATOPS, but vendors think H-IPS (Host Intrusion Prevention
>Systems) is more exciting - presumably by virtue of being tantalisingly
>vague.
>
>We went around this turnstile a few months back, with mjr ready to hold down
>the current state of OS / Software and hammer a stake through its heart.
>YATOPS vendors think we can keep it limping along for another few years.
>
>[Paul]
> > As an industry, we've failed in getting vendors to go the
> > "this is now allowed to work" have it blessed first mode, so
> > we're left with picking up the pieces reactively.
>
>Right. Maybe in ten years every PC will just be one big mobile code
>interpreter with proper sandboxing. Who knows.
>
>Cheers,
>
>ben
>(Disclaimer, I work for a YATOPS vendor, which may affect my point of
>view)
>

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 05 2004