Re: Quarantine your infected users spreading malware
From: Michael.Dillon () btradianz com
Date: Tue, 21 Feb 2006 13:46:21 +0000
> > "votes" have been collected, the registry sends the
> > shutdown signal to the end user, thus triggering the
> > blocker program to quarantine the user.
> Isn't there a risk of DoS though? What's to prevent someone from
> "spoofing" those signals and shutting down other users?
The signal would be encoded using a unique key.
I would also expect that the choice of listening port
would be somehow randomized and registered in the central
registry to make it less of a DoS target.
> precautions would need to be taken, but to be sure, the end-user needs
> the ability to override the system. Thus leaving us in the same
> situation as before. Firewall? I don't need no stinking firewall..
I see no reason why the user needs the ability to
override or remove the software. After all, during
normal operation it does nothing at all therefore it
does not interfere in any way with machine operation.
The intent is to make it virtually impossible to
remove this software so that a virus or worm cannot
remove it either.
> Sure it does.. It doesn't need to remove it, per se, but it will need
> to know what the infection is so it can give the correct disinfection
If the quarantined state keeps open a port 443 connection
to a specific trusted webserver run by the group of trusted
security researchers then the specifics of combatting the
worm can be made available on that site. If necessary the
site could upload ActiveX controls to do malware scans or
recommend the installation of such software.
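Added example (not code from this thread or any project it describes): one way the "unique key" answer to the spoofing question could be realised, assuming the registry provisions a per-host HMAC key out of band and each signal carries a host id, a timestamp and a nonce so that a forged, misdirected, stale or replayed shutdown signal is rejected by the blocker. Host ids and keys below are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time

# Per-host keys provisioned out of band by the registry (constructed sample).
HOST_KEYS = {"host-0001": b"\x01" * 32, "host-0002": b"\x02" * 32}
MAX_AGE_SECONDS = 120


def sign_signal(host_id, action, key, now=None):
    """Registry side: build a quarantine signal bound to one host and one moment."""
    body = {
        "host_id": host_id,
        "action": action,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


class BlockerVerifier:
    """End-user side: accept only fresh, unreplayed signals under this host's key."""

    def __init__(self, host_id, key, max_age=MAX_AGE_SECONDS):
        self.host_id = host_id
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()

    def verify(self, signal, now=None):
        now = now if now is not None else time.time()
        payload = signal["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison: a MAC made without this host's key fails here.
        if not hmac.compare_digest(expected, signal["mac"]):
            return False, "bad mac"
        body = json.loads(payload)
        if body["host_id"] != self.host_id:
            return False, "wrong host"   # signal addressed to a different user
        if abs(now - body["ts"]) > self.max_age:
            return False, "stale"        # old capture delivered much later
        if body["nonce"] in self.seen_nonces:
            return False, "replay"       # same signal delivered a second time
        self.seen_nonces.add(body["nonce"])
        return True, body["action"]
```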