funsec mailing list archives
Re: Security Vendor Bypasses Microsoft's Vista PatchGuard
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Thu, 26 Oct 2006 00:37:42 -0400
On 10/25/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Blue Boar to Dude VanWinkle:
>
> <<snip>>
> > > Isn't that worth something?
> >
> > It's not a useless attempt, and I don't think they should necessarily
> > get rid of it. It's also not necessarily mutually exclusive with what
> > McAfee and Symantec want.
> >
> > But Microsoft acting like having KPP has now eliminated all potential
> > kernel attack vectors, and the need for other security software to act
> > there, is a mistake. Microsoft has now claimed that their software
> > won't get to play there either. And that's good, it changes the
> > situation from Microsoft abusing a monopoly to Microsoft making a stupid
> > mistake.
> >
> > Not that I believe that MS will actually keep their security software
> > from playing where the other guys want to, but at least it's a claim we
> > can look back on.
> > http://www.microsoft.com/security/windowsvista/allchin.mspx
>
> Yes...
>
> By close analogy, the Sybari purchase is really interesting. Sybari's
> was the most reliable way of scanning Exchange message stores for
> malware (and any other "inappropriate" or undesirable content)
> _because_ they ignored the "officially sanctioned by MS and
> encapsulated in this public API" approach and actually reversed
> Exchange and developed something that _worked_. Eventually MS bought
> Sybari, so is doing it the unofficial way on Exchange now to be
> sanctioned?

They actually had two modes, one was compliant, the other was not (I forget the names).

Non-compliant mode had its issues and was not always the best product for the health of your Exchange server, specifically for this reason. McAfee and some others had just started integrating spam and phishing filters into their SMTP AV engines and would strip out the offending content. Of course they would first accept the email, then Antigen would tell Exchange "I have a 17k message to put in the information store" but would then deliver a 1k envelope with no content. They didn't fix the issue for two months and I had to isinteg the information store and then switch to the compliant mode.

Also, Antigen uses 7 engines, which would open your mailserver up to any vulnerabilities that came out for McAfee, Sophos, Kaspersky, CA (vet/iris), Norman, etc., etc. This meant you have to stay on top of the vulnerabilities mailing lists and disable a new engine each month.

Aside from that, it was a great product, except of course it would put all the AV scanning load on the same server that your end users connected to, although they were planning a gateway edition, or at least that's what they said when I dropped them ;-)

Give me an SMTP gateway running MailFrontier any day

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.