Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Multiple AV Vendors ignoring tar.gz archives
From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 08 Feb 2005 10:12:22 +0000

On Tue, 2005-02-08 at 11:26 +1300, Nick FitzGerald wrote:
Stuart Fox to me:

Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies?  Executables are only allowed to run provided they
fit a prespecified pattern i.e. name (not very useful), signed or not,
hash of the executable.

Yes, but it has to be much more thoroughly implemented.  

Absolutely, There are a few minor implementations of this but it's
something that directory and management systems could incorporate. As
most OS's have an "executable permission", it would be an idea to have
software thats not in the white-list renderred incapable of having this
permission, combined with scan on execute to ensure that the any
software that previously has the permissions doesn't execute.

This isn't an entirely new idea, but it is one that isn't very well
implemented at this stage as noted. ( Gap in the market for any startups
reading the list :-P )

With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]