Security Incidents mailing list archives

RE: strange windows behaviour.


From: "Harley David" <david.harley () nhsia nhs uk>
Date: Fri, 10 Oct 2003 09:40:28 +0100

From what I've seen of this thread, I'm not sure that
streams are quite as "safe" as I thought they were.
However, I think Paul's point essentially still stands,
individual AV implementation quirks apart. -Except- for
the assertion that there's no advantage to detecting
inert malware. If vendors really believed this, they
wouldn't scan for Mac viruses on PCs, or Windows viruses
on Unix boxes. If it's malicious, it's on a system,
and it's technically possible to detect it, surely it's
reasonable to expect at least an available option to
detect it? After all, viruses already exist that force
the vendors to mess with streams to repair the infection.

-- 
David Harley
Threat Assessment Centre Manager
Anti-Virus/Email Abuse Specialist
NHS Information Authority
07765 250765

There's been a lot of discussion about this amongst av professionals.
There's really no advantage to scanning streams because they are
"inert".  In order for the trojan to do anything, it has to "come out of
hiding" as it were, and when it does, av on access scanning will detect
it **if it's a known trojan**.  While it's in the stream it's merely in
storage, not being used.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
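The two messages above disagree on whether content parked in an NTFS alternate data stream is worth looking at while it is still "in storage". The script below is an added example, not code from either poster: it walks a directory, lists every non-default stream attached to each file, flags the ordinary browser `Zone.Identifier` mark-of-the-web stream as expected, and hashes the rest so an administrator can at least see and look up what is sitting there before anything "comes out of hiding". It assumes Windows PowerShell 3.0 or later on an NTFS volume; the `$Root` default and the `Get-StreamBytes` helper are this example's own.

```powershell
# Added example (not from the thread): inventory NTFS alternate data streams
# under a directory so stored-but-unused content is visible to a defender.
# Assumes Windows PowerShell 3.0+ on NTFS; $Root is a constructed default.
param(
    [string]$Root = "$env:USERPROFILE\Downloads"
)

# Read the raw bytes of one named stream. Windows PowerShell 5.1 takes
# -Encoding Byte, PowerShell 6+ takes -AsByteStream; handle both.
function Get-StreamBytes {
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    # An empty stream yields $null; normalise to an empty byte array.
    if ($null -eq $bytes) { return [byte[]]@() }
    return [byte[]]$bytes
}

# SHA-256 of a byte array as an uppercase hex string, for lookups against
# whatever reputation or signature source the site uses.
function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-', ''
    } finally {
        $sha.Dispose()
    }
}

# ':$DATA' is the file's normal content; every other stream is the kind of
# "inert" storage the thread is arguing about.
Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $bytes = Get-StreamBytes -Path $_.FileName -Stream $_.Stream
                [pscustomobject]@{
                    File     = $_.FileName
                    Stream   = $_.Stream
                    Length   = $_.Length
                    # Zone.Identifier is written by browsers on download and is
                    # expected; anything else deserves a closer look.
                    Expected = ($_.Stream -eq 'Zone.Identifier')
                    SHA256   = Get-Sha256Hex -Bytes $bytes
                }
            }
    } | Sort-Object Expected, File | Format-Table -AutoSize
```

Run it as `.\Find-AltStreams.ps1 -Root C:\Users\Public` (the script name is this example's own). Once a stream has been judged unwanted, `Remove-Item -LiteralPath <file> -Stream <name>` deletes that stream without touching the file's main content, which is the "available option" David Harley's message asks for, applied by hand.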
