RE: Multiple AV Vendors ignoring tar.gz archives

[Nick FitzGerald <nick () virus-l demon co uk>]

Stuart Fox to me:

> Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
> Restriction Policies?  Executables are only allowed to run provided they
> fit a prespecified pattern i.e. name (not very useful), signed or not,
> hash of the executable.

Yes, but it has to be much more thoroughly implemented.  It needs to be 
at a low level in the file system (as existing on-access virus 
scanners' file system filter drivers and the like currently are) and it 
needs to be able to handle a much broader conception of "code" than the 
existing implementation (again, as existing on-access virus scanners 
have, with their "intelligent" file typing and such...).

Such a "solution" would only ever be widely useful in properly managed 
corporate environments -- most small businesses (and many medium-sized 
ones) and most individual users would never have the discipline and/or 
interest in managing this, but in larger corporate, and many other 
large institutional, settings, where most PCs are really just tools 
providing a standard (and usually fairly limited) set of applications, 
such an integrity management approach would be easily adopted in place 
of on-access virus scanning and would only ever need updating just 
before standard maintenance procedures update/patch the contents of the 
managed PCs or new functionality (apps) were to be installed.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html