Re: Show me the Virrii!

[S G Masood <sgmasood () yahoo com>]

--- Jason Coombs <jasonc () science org> wrote:


...

> Antivirus software exists because viral code and
> malware exist. Malware 
> signature databases coupled with antivirus software
> provide what I'll 
> call "matter of fact, after the fact" security. It
> is a matter of fact 
> that bytes matching an a/v vendor's malware
> signature must have 
> malicious potential resembling a known virus, worm,
> Trojan, or other 
> code analyzed in the past by the a/v software vendor
> and labeled as 
> harmful. 

...


> Updates to virus definitions occur after
> the fact, so everyone 
> is always out-of-date and must keep paying in order
> to feel protected. 
> This makes for a good business, but it doesn't make
> for very good 
> security. In fact, it's completely backwards. Think
> about it for a 
> moment, why should anyone go through the expense and
> the trouble of 
> keeping a running list of all bad code ever
> encountered? We can prove 

...

> Such a deny-first 
> security policy would give computer owners the kind
> of control over 
> their boxes that the introduction of automobile
> ignition keys gave to 
> early motorists. The fact is that today's computers
> are still designed 
> to accomodate arbitrary drivers as though the
> absence of security is a 
> feature demanded by the marketplace.

...

> Not unlike the
> anti-driver purpose 
> served by automobile ignition keys, or the
> anti-death purpose served by 
> seatbelts, we must redesign our infosec safety
> precautions around the 
> idea that the bad things that can happen are worse
> than the protections 
> we must have to guard against them. Nobody would
> accept an out-of-date 
> list of ways in which one can die in an automobile
> in lieu of a 
> seatbelt, so why do we accept that an out-of-date
> list of bad code is a 
> viable way to protect ourselves while we drive a
> computer?

I agree with many of the points you make in this post
but I have some objection to these statements. I know
you are talking about changing the way most people
view computer software which is wonderful but to say
that malware signatures (for whatever purpose, not
just AV) or, as you seem to imply, signature-based
controls in general, are useless is a bit too
far-fetched. The car analogy you provide here is,
IMHO, faulty and cannot be applied here. Automobile
Ignition Keys are more comparable to Login
Authentication and not to this scenario.

Although signature creation is after-the-fact(of
infection) for the signature developers, it is still
before-the-fact for a user who is not yet affected by
the malware. Even if mandatory controls are placed on
the execution of software and the known vectors of
infection are eliminated, new vectors will be found.
And signature based detection/prevention tools will be
around for a long time more.

Also, mandatory controls on execution will make the
learning curve steeper for non-technical users though
it will be a gift for admins. :)

Thanks for the code!

Cheers,

--
S.G.Masood

(NO BIG FAN OF AV VENDORS)



__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html