Educause Security Discussion mailing list archives
Wow - What a good thread - Virus Scanning Engine Flaw
From: James H Moore <jhmfa () RIT EDU>
Date: Fri, 11 Nov 2005 12:04:49 -0500
What a good thread on the rainbow crack online. I had my questions answered there.

So back to the issue that started me writing. I have been looking at Sana Security for network managed anti-spyware. It might also be able to be part of a defense in depth strategy for when people kit the technique described in the article below, and then start mining the archives of successful virus and worm code to integrate it with the kit.

I gave a heads-up to my management that we may need to go defense in depth with virus/worm protection, and I was about to call some of the lead systems admins together to plan for what that would take. But I decided that it would be better to ask if others saw the same potential.

http://security.ithub.com/article/Virus+Scanners+Made+Moot+by+New+Exploit/164278_1.aspx

Describes a flaw in the design of most virus scanning engines. Most virus scanning engines assume that worms or viruses will play fair in writing the file. The technique shows how to not play fair in terms of the file headers and offsets.

Is anyone else addressing this? How?

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio