Full Disclosure mailing list archives
Re: Multiple AV Vendors ignoring tar.gz archives
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Feb 2005 08:36:45 +1300
Shoshannah Forbes to me:
Known virus scanning is a far from perfect method for achieving this, but as the only intelligent method of achieving it has been entirely disregarded by users, AV and OS developers, scanning is pretty much what we are left with.To which method are you referring here?
For lack of a better name -- after all, this is a technology that has hardly been investigated -- I refer to this as integrity management. Basically you turn known virus scanning on its head to have the on- access scanner only allow known good code to run, rather than trying to do the impossible of finding all possible permutations of all possible (known) "bad" code. This can easily be done using the existing technology, but instead of depending on the a vendor to find new bad things, add detection of them and ship that update _finally_ giving the user protection, the user supplies their own list of _allowable_ code and new code can be run once the administrator updates their own, of allowable code database . (There are other clever things such a re- purposing of this technology neatly allows too -- for example, such technology could easily be configured to block access to all files of a given type; it can be easily used to track software usage for auditing and licensing checking; etc, etc...) Fred Cohen realized this was the only intelligent way to do things two decades ago, but couldn't sell a product based on the idea at the time (he used the term "integrity shell" and may have even called his product "Integrity Shell"). Admittedly, this was a DOS product (there may have been Unix versions too?) and the time was one of _very_ limited system resources, no protected memory, no OS-provided security services or privilege separations, etc _AND_ the height of the first period of explosive growth of PC usage, where PCs were either not networked at all or only connected to isolated LANs. The Internet existed but worms, viruses and other mobile malicious code were all but non-existent and the "it will never happen to me" attitude reigned... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3267092 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Multiple AV Vendors ignoring tar.gz archives, (continued)
- Re: Multiple AV Vendors ignoring tar.gz archives bkfsec (Feb 07)
- Re: Multiple AV Vendors ignoring tar.gz archives James Eaton-Lee (Feb 07)
- Re: Multiple AV Vendors ignoring tar.gz archives bkfsec (Feb 08)
- Software Licenses and compression (was: Multiple AV Vendors ignoring tar.gz archives) bkfsec (Feb 07)
- Re: Software Licenses and compression (was: Multiple AV Vendors ignoring tar.gz archives) James Eaton-Lee (Feb 07)
- Re: Multiple AV Vendors ignoring tar.gz archives Rodrigo Barbosa (Feb 10)
- Re: Multiple AV Vendors ignoring tar.gz archives Jorrit Kronjee (Feb 10)
- Re: Multiple AV Vendors ignoring tar.gz archives James Eaton-Lee (Feb 11)
- Re: Multiple AV Vendors ignoring tar.gz archives Nick FitzGerald (Feb 07)
- RE: Multiple AV Vendors ignoring tar.gz archives Nick FitzGerald (Feb 07)
- RE: Multiple AV Vendors ignoring tar.gz archives Barrie Dempster (Feb 08)
- RE: Multiple AV Vendors ignoring tar.gz archives Nick FitzGerald (Feb 08)