RE: Multiple AV Vendors ignoring tar.gz archives
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Feb 2005 11:26:47 +1300
Stuart Fox to me:

> Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
> Restriction Policies? Executables are only allowed to run provided they
> fit a prespecified pattern i.e. name (not very useful), signed or not,
> hash of the executable.

Yes, but it has to be much more thoroughly implemented. It needs to be
at a low level in the file system (as existing on-access virus
scanners' file system filter drivers and the like currently are) and it
needs to be able to handle a much broader conception of "code" than the
existing implementation (again, as existing on-access virus scanners
have, with their "intelligent" file typing and such...).

Such a "solution" would only ever be widely useful in properly managed
corporate environments -- most small businesses (and many medium-sized
ones) and most individual users would never have the discipline and/or
interest in managing this, but in larger corporate, and many other
large institutional, settings, where most PCs are really just tools
providing a standard (and usually fairly limited) set of applications,
such an integrity management approach would be easily adopted in place
of on-access virus scanning and would only ever need updating just
before standard maintenance procedures update/patch the contents of the
managed PCs or new functionality (apps) were to be installed.
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
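
Added example, not part of the original message or of any product it mentions: a sketch of the integrity-management check discussed above, where content is typed by its leading bytes rather than its name and anything recognised as code must match a hash in the managed baseline. The function names, the small magic-byte table and the sample file contents are assumptions constructed for illustration.

```python
import hashlib

# Leading-byte signatures treated as "code" whatever the file is called
# (illustrative subset; a real filter would recognise many more formats).
CODE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"#!": "script"}

def sniff_code_type(data):
    """Type the content by its bytes, not its name; None means not code."""
    for magic, kind in CODE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Hash every file on the managed image whose content is code."""
    return {sha256(d) for d in files.values() if sniff_code_type(d)}

def check_access(data, baseline):
    """Decision a file-system filter would make when a file is opened."""
    kind = sniff_code_type(data)
    if kind is None:
        return "allow: not code"
    if sha256(data) in baseline:
        return f"allow: {kind} in baseline"
    return f"deny: {kind} not in baseline"

# Constructed sample contents standing in for files on a managed PC.
IMAGE = {
    "app.exe": b"MZ\x90\x00 approved build 1.0",
    "notes.txt": b"meeting notes, plain text",
}
DROPPED = b"MZ\x90\x00 unknown program"      # executable content named "invoice.txt"
PATCHED = b"MZ\x90\x00 approved build 1.1"   # vendor patch for app.exe

if __name__ == "__main__":
    baseline = build_baseline(IMAGE)
    samples = [("app.exe", IMAGE["app.exe"]), ("notes.txt", IMAGE["notes.txt"]),
               ("invoice.txt", DROPPED), ("app.exe (patched)", PATCHED)]
    for label, data in samples:
        print(label, "->", check_access(data, baseline))
    # The baseline is refreshed just before maintenance applies the patch.
    baseline |= build_baseline({"app.exe": PATCHED})
    print("app.exe (patched, baseline updated) ->", check_access(PATCHED, baseline))
```

The patched binary is denied until the baseline is refreshed, which is why the update has to precede the maintenance run rather than follow it.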