funsec mailing list archives

Re: standards status in the industry - opinion?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 08 Jan 2006 20:22:11 +1300

Gadi Evron to Matthew Murphy:

> I agree 100%.  Purely signature-based scanning that proved able to
> detect all the WMF exploits out there would produce scores of FPs.  It's
> yet another example of why sig scanning is broken.

Actually, I could do you a perfect, no-FP "signature-scanning"-only 
solution.  It wouldn't be scanning WMFs at all though...

Have you ever wondered whether we may be scanning for the wrong thing?

Known virus scanning is not the only "signature scanning" approach -- 
as Fred Cohen suggested close to (or is that now "more than"??) two 
decades ago, by far the best solution to the generic problem of 
detecting the execution of unwanted code (of which, the problem of 
"detecting malware" is a sub-set) is to "fingerprint" the installed/ 
allowed code and prevent unknown code from being run.  Thought of in a 
different way, this is the firewall equivalent of a default-deny rule 
for the program loader...

(It would never fly for home users, but should be right at home in a 
corporate environment -- well a corporate environment with sysadmins 
with a scrap of clue...)

<<snip>>
> The fact that the marketing part of the business keeps sticking that 
> same solution down our throats is indeed the truth, and it is no longer 
> adequate and research should proceed in other fields as well.

This is part of the reason why MS should _NOT_ have entered the AV 
market...

> Our industry likes old and stable though. It fits well in budget requests.

...but that's the reason that MS _DID_ enter the AV market!   8-)


Regards,

Nick FitzGerald
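The default-deny program-loader idea described in the message above, as an added toy illustration that is not part of the post: a known-bad pattern scanner (default-allow) is compared with a fingerprint allowlist (default-deny). The sample program bytes, the "signature" pattern and the candidate files are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for installed programs (enrolled at install time).
INSTALLED = {
    "notepad.exe": b"MZ\x90\x00notepad-v1",
    "calc.exe": b"MZ\x90\x00calc-v1",
}
# Constructed stand-in for an AV "known bad" byte pattern.
KNOWN_BAD_SIG = b"WMF-EXPLOIT-v1"


def fingerprint(data: bytes) -> str:
    """Fingerprint a program image by its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(programs: dict) -> set:
    """Enroll every installed/allowed program once; this is the 'signature' set."""
    return {fingerprint(code) for code in programs.values()}


def signature_scan_allows(data: bytes) -> bool:
    """Default-allow: block only when a known-bad pattern is present."""
    return KNOWN_BAD_SIG not in data


def loader_allows(data: bytes, allowlist: set) -> bool:
    """Default-deny: run only code whose fingerprint was enrolled."""
    return fingerprint(data) in allowlist


def compare(candidates: dict, allowlist: set) -> dict:
    """Return {name: (sig_scan_verdict, loader_verdict)} for each candidate."""
    return {
        name: (signature_scan_allows(data), loader_allows(data, allowlist))
        for name, data in candidates.items()
    }


# Constructed candidates presented to the loader later on.
CANDIDATES = {
    "notepad.exe": INSTALLED["notepad.exe"],            # unchanged, enrolled
    "calc.exe": INSTALLED["calc.exe"] + KNOWN_BAD_SIG,  # carries the known pattern
    "unknown.exe": b"MZ\x90\x00WMF-EXPLOIT-v2",          # variant the signature misses
    "notepad-patched.exe": b"MZ\x90\x00notepad-v2",     # one-byte change, not enrolled
}

if __name__ == "__main__":
    for name, verdicts in compare(CANDIDATES, build_allowlist(INSTALLED)).items():
        print(f"{name:22} sig-scan allows={verdicts[0]}  loader allows={verdicts[1]}")
```

The unknown variant and the patched binary both pass the pattern scanner yet are refused by the default-deny loader; the price is that every legitimate update must be re-enrolled, which is why it suits managed corporate fleets rather than home users.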

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
