funsec mailing list archives
Re: Texas Bank Dumps Antivirus for Whitelisting
From: Drsolly <drsollyp () drsolly com>
Date: Wed, 16 Jul 2008 23:05:32 +0100 (BST)
On Wed, 16 Jul 2008, David Harley wrote:
You're showing your age. ;-) Word macro viruses haven'tbeen muchof a problem for 6 or 7 years ever since Microsoft went to signed VBA code in Office.To be fair, the issue isn't really Word macro viruses: it's the fact that they represent a class of objects where executable code is found in places less obvious than a .EXE. A whitelisting solution that doesn't take them into account is obviously less effective.
Right - I was using Word macros as an example of something that whitelisting finds very hard to handle.
Breaking down the hoary old mindset that has allowed the patently stupid blacklisting approach to initially thrive, then survive for so long, will be whitelisting's biggest challenge to broader acceptability (and likely prevent it ever becomingwidely usedin the least IT-literate parts of the market such as theSOHO and individual user segment).Stop me if you've heard this before. Irrespective of the prejudices of the AV industry, the real problem is the sizeable market sector that thinks we should be able to detect every malicious program by name, and is enraged when we fail to do so. A sizeable subset of that group mistrusts any form of behaviour analysis because they believe in the magic power of names (which is why the industry continues to use reassuring names that sound specific but are actually generic...) Whitelisting doesn't have to be technically better: it just needs to be presented as a superior form of sympathetic magic.The main problem with whitelisting, is the high cost of maintenance.As opposed to blacklisting, which is... oh, wait a minute. ;-)
... cheaper. Because you have to add *all* the costs up, not just the cost of the software. Also - here's an unusual thought - an AV doesn't have to be 100% effective in warding off viruses (fortunately). There's a tradeoff applicable. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Re: Texas Bank Dumps Antivirus for Whitelisting, (continued)
- Re: Texas Bank Dumps Antivirus for Whitelisting David Harley (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Richard M. Smith (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Alex Shipp (elist) (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Richard M. Smith (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Drsolly (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Richard M. Smith (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Drsolly (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Richard M. Smith (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Drsolly (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Richard M. Smith (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Drsolly (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting David Harley (Jul 17)
- Re: Texas Bank Dumps Antivirus for Whitelisting Alex Eckelberry (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting David Harley (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Drsolly (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting David Harley (Jul 17)
- Re: Texas Bank Dumps Antivirus for Whitelisting Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Nick FitzGerald (Jul 16)
- Re: Texas Bank Dumps Antivirus for Whitelisting Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 17)
- Re: Texas Bank Dumps Antivirus for Whitelisting Drsolly (Jul 17)
- Re: Texas Bank Dumps Antivirus for Whitelisting Nick FitzGerald (Jul 17)