funsec mailing list archives
Re: Kaspersky strikes again
From: silky <michaelslists () gmail com>
Date: Sat, 22 Dec 2007 12:27:46 +1100
On Dec 22, 2007 10:35 AM, Larry Seltzer <Larry () larryseltzer com> wrote:
Even so, there would be so much less testing to do, wouldn't there? After all, on an appliance users can't just arbitrarily install applications (not and expect support).
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com
-----Original Message-----
From: Drsolly [mailto:drsollyp () drsolly com]
Sent: Friday, December 21, 2007 6:29 PM
To: Larry Seltzer
Cc: funsec () linuxbox org; Richard M. Smith
Subject: RE: [funsec] Kaspersky strikes again
On Fri, 21 Dec 2007, Larry Seltzer wrote:
Damn, I'm going to get a good column out of this. Doc: What about gateway appliances? Is a signature system more reasonable when you have a limited number of closed platforms?
You've misunderstood my concern. If you update your sigs hourly, then you have less than an hour to do all the testing. It doesn't matter how many computers are running the new version; they're all running something that has had less than an hour of testing, and I don't really want to run something that has been tested for less than an hour, on my systems.
sorry but i don't see how 'hourly releases' translates into 'one hour of testing'. that seems like an assumption on your part, it's not a direct result of that strategy. you need to look at the actual number of signatures they generate internally. if they only write one once an hour, then that's the one they must release. but if they write more than that, or have a stockpile they release from, then clearly they can spend more than one hour testing.
A month would probably be enough. A day would probably not be enough. Flagging "Explorer.exe" puts me in mind of when Fredrik issued a sig that false-alarmed on Command.com in the Virus Bulletin publication. We called that "The mother of all false alarms".
--
mike
http://lets.coozi.com.au/