Full Disclosure mailing list archives

RE: Multiple AV Vendors ignoring tar.gz archives


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 09 Feb 2005 01:01:59 +1300

Barrie Dempster to me:

> > Yes, but it has to be much more thoroughly implemented.
>
> Absolutely, there are a few minor implementations of this but it's
> something that directory and management systems could incorporate. As
> most OS's have an "executable permission", it would be an idea to have
> software that's not in the white-list rendered incapable of having this
> permission, combined with scan on execute to ensure that any
> software that previously had the permission doesn't execute.

It's a tad more complex than simply execute permissions though, hence 
my suggestion that it really needs to be done much as in contemporary 
on-access virus scanners.

Think script code embedded in HTML inside all manner of pseudo-archive 
formats.  Think macros inside OLE2 container files.  Think NTFS AD 
streams.

And consider that the bad guys will always find the stupid bugs (and 
often the arcane ones) so there will always be ways for "new stuff" to 
get where it shouldn't be, so default-deny, rather than default-allow 
(as known virus scanning provides) is the only sensible approach.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
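An added illustration of the default-allow versus default-deny point above (example code written for this archive page, not from the thread or from any product), using constructed sample content and hash-based decisions:

```python
import hashlib

# Constructed sample "files" (name -> content). None of this is real malware;
# the byte strings are labels standing in for a vetted tool, a known sample,
# a one-byte variant of it, and something never seen before.
SAMPLE_FILES = {
    "ls": b"#!/bin/sh\necho known good tool\n",
    "known_worm": b"KNOWN WORM SAMPLE (constructed)",
    "known_worm_variant": b"KNOWN WORM SAMPLE (constructed)\x00",  # one byte appended
    "new_worm": b"NOVEL WORM SAMPLE (constructed)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Default-allow model (known-virus scanning): block only content already known bad.
DENYLIST = {sha256(SAMPLE_FILES["known_worm"])}

# Default-deny model (execution white-list): permit only content already vetted.
ALLOWLIST = {sha256(SAMPLE_FILES["ls"])}


def default_allow_decision(data: bytes) -> bool:
    """Signature-scanner style: run it unless its hash is on the denylist."""
    return sha256(data) not in DENYLIST


def default_deny_decision(data: bytes) -> bool:
    """White-list style: run it only if its hash is on the allowlist."""
    return sha256(data) in ALLOWLIST


def evaluate(files=SAMPLE_FILES) -> dict:
    """Return {name: (allowed_under_default_allow, allowed_under_default_deny)}.

    The decision is on content, not file name or the executable bit, so a rename
    or a copy into a different container does not change the outcome.
    """
    return {
        name: (default_allow_decision(data), default_deny_decision(data))
        for name, data in files.items()
    }
```

The variant and the novel sample both pass the denylist and both fail the allowlist, which is the asymmetry the post is arguing from.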

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
