funsec mailing list archives
Re: Kaspersky strikes again
From: Drsolly <drsollyp () drsolly com>
Date: Mon, 24 Dec 2007 19:30:38 +0000 (GMT)
On Mon, 24 Dec 2007 Valdis.Kletnieks () vt edu wrote:
On Sun, 23 Dec 2007 17:33:21 CST, Thomas Raef said:Is it constant corporate rivalries that forced AV companies to "brag" about releasing updates every hour?Ya know, a few years back, the vendor that does the A/V part of our front-end email boxes took about 6 hours to get us a pattern that matched a fast-burning email-based worm. In those 6 hours, we got pounded by so many copies all sending themselves to everybody (which is pretty badly synergistic in a mostly closed community like a .EDU with 50K active mailboxes, and almost every single one of them has zillions of *other* valid addresses on the same server just floating around on the drive waiting to be scraped). How badly? The backend system folded under the load when the load average got to 1487 or so, and it took us several *days* to get a clean restart (it proved to be harder than it looked to bring up the back end without the front ends dumping several tens of millions of messages onto the server and pounding it back into the Stone Age). When 6 or 8 hours of delay means you could have a meltdown with literally millions of backlogged messages, suddenly "every hour" starts sounding good...
Yes. This is why this kind of AV looks to me to be theoretically less possible than many people hope. 1) You need updates very quickly after a new thing is spread; within one hour would be good (see case above). 2) You need to test updates thoroughly before releasing them; this will probably take days (or you'll flag explorer.exe as malware, thus crashing a load of workstations). And you can't have both 1) and 2) _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again, (continued)
- RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again David Harley (Dec 23)
- Re: shit happens, et tu, AVG? was Re: Kaspersky strikes again Dude VanWinkle (Dec 22)
- RE: [stuff] happens, et tu, AVG? was Re: Kaspersky strikes again Young, Keith (Dec 21)
- RE: Kaspersky strikes again Daniel H. Renner (Dec 21)
- RE: Kaspersky strikes again Thomas Raef (Dec 23)
- RE: Kaspersky strikes again Larry Seltzer (Dec 23)
- RE: Kaspersky strikes again Alex Eckelberry (Dec 23)
- Re: Kaspersky strikes again Dude VanWinkle (Dec 23)
- RE: Kaspersky strikes again Larry Seltzer (Dec 23)
- RE: Kaspersky strikes again Thomas Raef (Dec 23)
- Re: Kaspersky strikes again Valdis . Kletnieks (Dec 23)
- Re: Kaspersky strikes again Drsolly (Dec 24)
- Re: Kaspersky strikes again Valdis . Kletnieks (Dec 23)
- RE: Kaspersky strikes again Thomas Raef (Dec 24)