funsec mailing list archives
Re: standards status in the industry - opinion?
From: Drsolly <drsollyp () drsolly com>
Date: Sun, 8 Jan 2006 17:45:19 +0000 (GMT)
On Sun, 8 Jan 2006, Nick FitzGerald wrote:
> Gadi Evron to Matthew Murphy:
>> I agree 100%. Purely signature-based scanning that proved able to detect all the WMF exploits out there would produce scores of FPs. It's yet another example of why sig scanning is broken.
>
> Actually, I could do you a perfect, no-FP "signature-scanning"-only solution. It wouldn't be scanning WMFs at all though... Have you ever wondered whether we may be scanning for the wrong thing? Known virus scanning is not the only "signature scanning" approach -- as Fred Cohen suggested close to (or is that now "more than"??) two decades ago, by far the best solution to the generic problem of detecting the execution of unwanted code (of which, the problem of "detecting malware" is a sub-set) is to "fingerprint" the installed/allowed code and prevent unknown code from being run. Thought of in a different way, this is the firewall equivalent of a default-deny rule for the program loader...
That wasn't practical then (think stealth boot sector viruses), and became even less practical with the first Word macro virus.
>> The fact that the marketing part of the business keeps sticking that same solution down our throats is indeed the truth, and it is no longer adequate and research should proceed in other fields as well.
>
> This is part of the reason why MS should _NOT_ have entered the AV market...
>
>> Our industry likes old and stable though. It fits well in budget requests.
>
> ...but that's the reason that MS _DID_ enter the AV market! 8-)
... and might lead to new or old AV companies coming up with radically different solutions. For example, I can't see MS promoting grannyx.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
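The "default-deny rule for the program loader" that Nick describes above is application allowlisting by fingerprint: hash every program that is approved to run, and refuse anything whose hash is not on the list. The following is an added illustration, not code from the thread or from any product; the program images and allowlist are constructed stand-ins for real executables. It also shows the cost Drsolly's reply alludes to: any change to a trusted image, whether tampering or a legitimate update, produces a new fingerprint and is denied until someone re-approves it.

```python
import hashlib
from typing import Dict, Set

# Default-deny "fingerprint" policy for a program loader, as sketched in the
# thread. Added example; the allowlist contents below are constructed.


def fingerprint(code: bytes) -> str:
    """SHA-256 hex digest of the code image (the 'signature' being matched)."""
    return hashlib.sha256(code).hexdigest()


def build_allowlist(trusted_images: Dict[str, bytes]) -> Set[str]:
    """Fingerprint every trusted program once, at install/approval time."""
    return {fingerprint(image) for image in trusted_images.values()}


def loader_decision(code: bytes, allowlist: Set[str]) -> str:
    """Default deny: only an exact fingerprint match may execute.

    There is no pattern matching against known-bad content here, so there is
    nothing to false-positive on; the trade-off is that everything not yet
    approved, malicious or not, is refused.
    """
    return "ALLOW" if fingerprint(code) in allowlist else "DENY"


# Constructed sample 'program images' standing in for real executables.
TRUSTED: Dict[str, bytes] = {
    "editor.exe": b"\x4d\x5a" + b"editor-image-v1",
    "mail.exe": b"\x4d\x5a" + b"mail-image-v1",
}
ALLOWLIST: Set[str] = build_allowlist(TRUSTED)


def demo() -> Dict[str, str]:
    """Run the policy over known, unknown, tampered and updated images."""
    cases = {
        "known good": TRUSTED["editor.exe"],
        "never seen before": b"\x4d\x5a" + b"unknown-image",
        # One byte changed in a trusted image: same name, different fingerprint.
        "tampered known": TRUSTED["mail.exe"][:-1] + b"2",
        # Legitimate vendor update: also a new fingerprint until re-approved.
        "updated known": b"\x4d\x5a" + b"editor-image-v2",
    }
    return {name: loader_decision(img, ALLOWLIST) for name, img in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The check only sees the bytes the loader hands it; a stealth boot sector virus that intercepts reads and returns the clean image would defeat it, which is the "wasn't practical then" objection in the reply.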