Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Multiple AV Vendors ignoring tar.gz archives
From: "Stuart Fox \(DSL AK\)" <StuartF () datacom co nz>
Date: Tue, 8 Feb 2005 09:56:54 +1300

For lack of a better name -- after all, this is a technology 
that has hardly been investigated -- I refer to this as 
integrity management.  
Basically you turn known virus scanning on its head to have 
the on- access scanner only allow known good code to run, 
rather than trying to do the impossible of finding all 
possible permutations of all possible
(known) "bad" code.  This can easily be done using the 
existing technology, but instead of depending on the a vendor 
to find new bad things, add detection of them and ship that 
update _finally_ giving the user protection, the user 
supplies their own list of _allowable_ code and new code can 
be run once the administrator updates their own, of allowable 
code database .  (There are other clever things such a re- 
purposing of this technology neatly allows too -- for 
example, such technology could easily be configured to block 
access to all files of a given type; it can be easily used to 
track software usage for auditing 
and licensing checking; etc, etc...)   

Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies?  Executables are only allowed to run provided they
fit a prespecified pattern i.e. name (not very useful), signed or not,
hash of the executable.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]