Full Disclosure mailing list archives

Re: Multiple AV Vendors ignoring tar.gz archives

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Feb 2005 08:36:45 +1300

Shoshannah Forbes to me:

Known virus scanning
is a far from perfect method for achieving this, but as the only
intelligent method of achieving it has been entirely disregarded by
users, AV and OS developers, scanning is pretty much what we are left
with.


To which method are you referring here?


For lack of a better name -- after all, this is a technology that has 
hardly been investigated -- I refer to this as integrity management.  
Basically you turn known virus scanning on its head to have the on- 
access scanner only allow known good code to run, rather than trying to 
do the impossible of finding all possible permutations of all possible 
(known) "bad" code.  This can easily be done using the existing 
technology, but instead of depending on the a vendor to find new bad 
things, add detection of them and ship that update _finally_ giving the 
user protection, the user supplies their own list of _allowable_ code 
and new code can be run once the administrator updates their own, of 
allowable code database .  (There are other clever things such a re-
purposing of this technology neatly allows too -- for example, such 
technology could easily be configured to block access to all files of a 
given type; it can be easily used to track software usage for auditing 
and licensing checking; etc, etc...)   

Fred Cohen realized this was the only intelligent way to do things two 
decades ago, but couldn't sell a product based on the idea at the time 
(he used the term "integrity shell" and may have even called his 
product "Integrity Shell").  Admittedly, this was a DOS product (there 
may have been Unix versions too?) and the time was one of _very_ 
limited system resources, no protected memory, no OS-provided security 
services or privilege separations, etc _AND_ the height of the first 
period of explosive growth of PC usage, where PCs were either not 
networked at all or only connected to isolated LANs.  The Internet 
existed but worms, viruses and other mobile malicious code were all but 
non-existent and the "it will never happen to me" attitude reigned...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Multiple AV Vendors ignoring tar.gz archives, (continued)
- - - Re: Multiple AV Vendors ignoring tar.gz archives bkfsec (Feb 07)
    - Re: Multiple AV Vendors ignoring tar.gz archives James Eaton-Lee (Feb 07)
    - Re: Multiple AV Vendors ignoring tar.gz archives bkfsec (Feb 08)
    - Software Licenses and compression (was: Multiple AV Vendors ignoring tar.gz archives) bkfsec (Feb 07)
    - Re: Software Licenses and compression (was: Multiple AV Vendors ignoring tar.gz archives) James Eaton-Lee (Feb 07)
    - Re: Multiple AV Vendors ignoring tar.gz archives Rodrigo Barbosa (Feb 10)
    - Re: Multiple AV Vendors ignoring tar.gz archives Jorrit Kronjee (Feb 10)
    - Re: Multiple AV Vendors ignoring tar.gz archives James Eaton-Lee (Feb 11)
  - Re: Multiple AV Vendors ignoring tar.gz archives Barrie Dempster (Feb 06)
  - Re: Multiple AV Vendors ignoring tar.gz archives Shoshannah Forbes (Feb 07)
    - Re: Multiple AV Vendors ignoring tar.gz archives Nick FitzGerald (Feb 07)
- RE: Multiple AV Vendors ignoring tar.gz archives Stuart Fox (DSL AK) (Feb 07)
  - RE: Multiple AV Vendors ignoring tar.gz archives Nick FitzGerald (Feb 07)
    - RE: Multiple AV Vendors ignoring tar.gz archives Barrie Dempster (Feb 08)
    - RE: Multiple AV Vendors ignoring tar.gz archives Nick FitzGerald (Feb 08)