RE: Strange servicepack.exe file (not service.exe) found.

[John Ives <jives () cchem berkeley edu>]

There are two answers to this.  The first is that it be a default option 
that can be turned off by support staff. the second is that IT staff could 
(while building their distribution system eg. ghost images, etc) 
pre-approve the supported app.

Of course, my perspective is always clouded by the realities of supporting 
people on a university campus.  This feature may not be necessary for 
corporations, but it would help us.

John

At 06:45 PM 12/17/2003 -0500, Rob Shein wrote:
> I can't imagine this concept working.  Imagine how users would react if VNC
> were used in the workplace (as it is in some companies I know of), and it
> popped up as a possible trojan or sign of compromise, because it's sometimes
> used that way by hackers.  End users, who are the majority of people using
> antivirus solutions, are prone to overreaction and panic, particularly where
> viruses are concerned.  While giving the user more information and letting
> them come to their own conclusion is theoretically the best way, actually
> implementing that solution is going to cause massive problems from a support
> perspective.
>
> > -----Original Message-----
> > From: John Ives [mailto:jives () cchem berkeley edu]
> > Sent: Wednesday, December 17, 2003 2:05 PM
> > To: incidents () securityfocus com
> > Subject: RE: Strange servicepack.exe file (not service.exe) found.
> >
> >
> > One of the things I have noticed with Symantec (and I am sure
> > other vendors
> > do the same thing) is that files that have both good and bad uses are
> > considered good, no matter how rarely they are used that way.
> >
> > A better system would be a prompt informing the user of the
> > file's name,
> > location and any relevant information about its legitimate
> > uses and asking
> > if this was running intentionally.  If so it should take a
> > hash of the file
> > and its directory path, archive that information to a file,
> > digitally sign
> > the file and use it as a reference whenever it does future
> > scans.  If it is
> > not intentionally being run then quarantine it and notify the
> > user that, if
> > there are any problems they can un-quarantine the file by
> > doing x y and z.
> >
> > This isn't an absolute answer, because it still relies on the
> > user to make
> > sound decisions, but it would help alleviate problems caused
> > by legitimate
> > files performing illegitimate actions.

-------------------------------------------------
John Ives, GCWN, GCIH, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security,  Then you will be hacked. 
What's more,  you deserve to be hacked."   - Richard Clarke

Any opinions expressed are my own and not those of the Regents of the 
University of California. 


---------------------------------------------------------------------------
----------------------------------------------------------------------------