Security Incidents mailing list archives
RE: Strange servicepack.exe file (not service.exe) found.
From: "Rob Shein" <shoten () starpower net>
Date: Wed, 17 Dec 2003 18:45:10 -0500
I can't imagine this concept working. Imagine how users would react if VNC were used in the workplace (as it is in some companies I know of), and it popped up as a possible trojan or sign of compromise, because it's sometimes used that way by hackers. End users, who are the majority of people using antivirus solutions, are prone to overreaction and panic, particularly where viruses are concerned. While giving the user more information and letting them come to their own conclusion is theoretically the best way, actually implementing that solution is going to cause massive problems from a support perspective.
-----Original Message-----
From: John Ives [mailto:jives () cchem berkeley edu]
Sent: Wednesday, December 17, 2003 2:05 PM
To: incidents () securityfocus com
Subject: RE: Strange servicepack.exe file (not service.exe) found.

One of the things I have noticed with Symantec (and I am sure other vendors do the same thing) is that files that have both good and bad uses are considered good, no matter how rarely they are used that way. A better system would be a prompt informing the user of the file's name, location and any relevant information about its legitimate uses and asking if this was running intentionally. If so, it should take a hash of the file and its directory path, archive that information to a file, digitally sign the file and use it as a reference whenever it does future scans. If it is not intentionally being run, then quarantine it and notify the user that, if there are any problems, they can un-quarantine the file by doing x, y and z. This isn't an absolute answer, because it still relies on the user to make sound decisions, but it would help alleviate problems caused by legitimate files performing illegitimate actions.
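The approval record proposed in the quoted message (hash the approved file together with its path, archive the record, sign the archive, consult it on later scans), sketched as an added example; it is not code from the thread or from any antivirus product. HMAC-SHA256 stands in here for the digital signature, and the function names, file names, file contents and key are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _mac(entries, key):
    # Canonical JSON so the same entries always yield the same MAC.
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def approve(store, path, key):
    """User confirmed the tool is intentional: record path + hash, re-sign."""
    entries = dict(store.get("entries", {}))
    entries[os.path.realpath(path)] = file_sha256(path)
    return {"entries": entries, "mac": _mac(entries, key)}

def classify(store, path, key):
    """Return 'approved', 'unknown' or 'changed' for a flagged dual-use file."""
    entries = store.get("entries", {})
    if not hmac.compare_digest(store.get("mac", ""), _mac(entries, key)):
        raise ValueError("approval store failed its integrity check")
    recorded = entries.get(os.path.realpath(path))
    if recorded is None:
        return "unknown"    # never approved at this location: prompt the user
    if hmac.compare_digest(recorded, file_sha256(path)):
        return "approved"   # same bytes, same path: no alert
    return "changed"        # approved path, different bytes: quarantine

def demo():
    key = b"constructed-demo-key"  # constructed; a product must protect its key
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "vnc_server.exe")    # constructed sample file
        other = os.path.join(d, "servicepack.exe")  # constructed sample file
        for p, data in ((tool, b"constructed A"), (other, b"constructed B")):
            with open(p, "wb") as f:
                f.write(data)
        store = approve({}, tool, key)
        results = [classify(store, tool, key), classify(store, other, key)]
        with open(tool, "wb") as f:   # approved file replaced in place
            f.write(b"replaced bytes")
        results.append(classify(store, tool, key))
        return results

if __name__ == "__main__":
    print(demo())
```

Keying the record on both path and hash means a copy of an approved tool dropped in another directory is still treated as unknown, and an edited store is rejected before any entry is trusted.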