Re: Definition of Zero Day Protection

[Frank Knobbe <frank () knobbe us>]

On Mon, 2004-08-09 at 12:29, Joel Snyder wrote:
> In the world of virus scanners, the idea of zero day protection is 
> promoted by folks who sell heuristic scanners (i.e., those which do not 
> depend on specific matching of a signature).  The idea is that using a 
> heuristic, you can determine whether a file has a virus or not, even if 
> you've never seen the virus.  Thus, for certain classes of un-written 
> viruses, this technology would offer "zero day protection."

Unfortunately we all know how well this concept is working. If
heuristics would actually work, we wouldn't have to battle virus after
virus (like the new strain today). I have the sneaky suspicion that
heuristic IPS (those with 0 day-protection... *chuckle*) will have the
same success rate as heuristic virus scanners.

It seems to me that most anomaly based IPS shut down after a certain
threshold is exceeded. That means that some communication has already
taken place. As Joel said, the host is already compromised, and I
wouldn't be surprised if that host infected a handful of other hosts
before the IPS shut it down.


Regards,
Frank

PS: I can't believe these email viruses are STILL spreading...

Attachment: signature.asc
Description: This is a digitally signed message part