Re: standards status in the industry - opinion?

[Drsolly <drsollyp () drsolly com>]

On Sun, 8 Jan 2006, Nick FitzGerald wrote:

> Gadi Evron to Matthew Murphy:
>
> > > I agree 100%.  Purely signature-based scanning that proved able to
> > > detect all the WMF exploits out there would produce scores of FPs.  It's
> > > yet another example of why sig scanning is broken.
>
> Actually, I could do you a prefect, no-FP "signature-scanning"-only 
> solution.  It wouldn't be scanning WMFs at all though...
>
> Have you ever wondered whether we may be scanning for the wrong thing?
>
> Known virus scanning is not the only "signature scanning" approach -- 
> as Fred Cohen suggested close to (or is that now "more than"??) two 
> decades ago, by far the best solution to the generic problem of 
> detecting the execution of unwanted code (of which, the problem of 
> "detecting malware" is a sub-set) is to "fingerprint" the installed/ 
> allowed code and prevent unknown code from being run.  Thought of in a 
> different way, this is the firewall equivalent of a default-deny rule 
> for the program loader...

That wasn't practical then (think stealth boot sector viruses), and became
even less practical with the first Word macro virus.
 
> > The fact that the marketing part of the business keeps sticking that 
> > same solution down our throats is indeed the truth, and it is no longer 
> > adequate and research should proceed in other fields as well.
>
> This is part of the reason why MS should _NOT_ have entered the AV 
> market...
>
> > Our industry likes old and stable though. It fits well in budget requests.
>
> ...but that's the reason that MS _DID_ enter the AV market!   8-)
 
 ... and might lead to new or old AV companies coming up with radically 
different solutions. For example, I can't see MS promoting grannyx.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.