Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Multiple AV Vendors ignoring tar.gz archives
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Feb 2005 11:26:47 +1300

Stuart Fox to me:

Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies?  Executables are only allowed to run provided they
fit a prespecified pattern i.e. name (not very useful), signed or not,
hash of the executable.

Yes, but it has to be much more thoroughly implemented.  It needs to be 
at a low level in the file system (as existing on-access virus 
scanners' file system filter drivers and the like currently are) and it 
needs to be able to handle a much broader conception of "code" than the 
existing implementation (again, as existing on-access virus scanners 
have, with their "intelligent" file typing and such...).

Such a "solution" would only ever be widely useful in properly managed 
corporate environments -- most small businesses (and many medium-sized 
ones) and most individual users would never have the discipline and/or 
interest in managing this, but in larger corporate, and many other 
large institutional, settings, where most PCs are really just tools 
providing a standard (and usually fairly limited) set of applications, 
such an integrity management approach would be easily adopted in place 
of on-access virus scanning and would only ever need updating just 
before standard maintenance procedures update/patch the contents of the 
managed PCs or new functionality (apps) were to be installed.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]