Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: Peter Kosinar <goober () ksp sk>
Date: Thu, 21 Feb 2008 00:07:16 +0100 (CET)
Nope, you have to distinguish between a sandbox (code is run) to an AV scanner scanning code in a VM, when the av scanner scans the code, the code is not executed and cannot decide whether it is inside a VM =)
Wrong. This would be true only if the AV didn't have the parsing bug in the first place. If the AV is buggy and allows some form of arbitrary code execution, the attacker -does- have the code executed inside the VM; and nothing stands in his way of detecting whether it's a real machine or not. If, on the other hand, the AV was not vulnerable... then, what would be the gain of running it inside a VM? :-)
Peter -- [Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
Current thread:
- Re: Possible Mail server compromise ?, (continued)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Eygene Ryabinkin (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- Re: Possible Mail server compromise ? Paul Schmehl (Feb 21)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Peter Kosinar (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- RE: Possible Mail server compromise ? Richard C Lewis (Feb 22)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 26)
- Re: Possible Mail server compromise ? Eduardo Tongson (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Eduardo Tongson (Feb 21)