Home page logo

nanog logo nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: Michael.Dillon () btradianz com
Date: Tue, 21 Feb 2006 13:03:38 +0000

Offer them a free windows 
infection blocker program that imposes the quarantine
itself locally on the user's machine. This program
would use stealth techniques to hide itself in the
user's machine, just like viruses do.

As the defense is local to the user's machine, the attacker can just 
kick it away.

How are they going to identify the code to throw
away? I believe that the state of the art for 
AV software is to create randomly named EXE files
so that attackers cannot delete the running process,
and then the EXE file ensures that the installed
program and startup config are not tampered with.

If AV software can protect itself this way, why
would anyone build an infection blocker using
any less protection?

--Michael Dillon

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]