Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Multiple AV Vendors ignoring tar.gz archives
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 09 Feb 2005 01:01:59 +1300

Barrie Dempster to me:

Yes, but it has to be much more thoroughly implemented.  

Absolutely, There are a few minor implementations of this but it's
something that directory and management systems could incorporate. As
most OS's have an "executable permission", it would be an idea to have
software thats not in the white-list renderred incapable of having this
permission, combined with scan on execute to ensure that the any
software that previously has the permissions doesn't execute.

It's a tad more complex than simply execute permissions though, hence 
my suggestion that it really needs to be done much as in contemporary 
on-access virus scanners.

Think script code embedded in HTML inside all manner of pseudo-archive 
formats.  Think macros inside OLE2 container files.  Think NTFS AD 

And consider that the bad guys will always find the stupid bugs (and 
often the arcane ones) so there will always be ways for "new stuff" to 
get where it shouldn't be, so default-deny, rather than default-allow 
(as known virus scanning provides) is the only sensible approach.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]