Security Incidents mailing list archives

Re: Possible Mail server compromise ?


From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Wed, 20 Feb 2008 20:25:21 +0100

On Feb 20, 2008 6:11 PM,  <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 19 Feb 2008 21:14:46 EST, Jon Oberheide said:
> > I'm not sure how n.runs implements their system, but our system uses Xen
> > VMs for the detection engines.  When it is determined that a piece of
> > malware has exploited the AV software (through non-whitelisted process
> > spawning, any network activity, or other unexpected system behavior),
>
> That is, of course, assuming you don't get blue-pilled before you realize that
> it's been exploited.  Running in a VM helps a *lot*, but it does *not*
> guarantee that nothing will get loose (and notice that a clever malware can
> simply redpill detect that it's running in a VM, and do nothing malicious until
> it detects that it's on a real machine - malware has a *long* tradition of
> detecting and evading if it's running under a debugger...
Nope, you have to distinguish between a sandbox (code is run) and an AV
scanner scanning code in a VM: when the AV scanner scans the code, the code
is not executed and cannot decide whether it is inside a VM =)
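The monitor Jon Oberheide describes (a Xen VM is treated as compromised when the detection engine, or anything it spawned, starts a non-whitelisted process or makes any network connection) is simple enough to sketch. The Python below is an added illustration written for this archive page, not code from n.runs, Jon's system, or anyone in the thread; the process name `avengine`, the helper allow-list, and the `spawn`/`net` event log format are all constructed assumptions. It walks the process tree so that a whitelisted helper that in turn spawns a shell is still caught, which is the case a plain per-process check misses.

```python
"""Toy monitor for a VM-hosted AV detection engine (added example, hypothetical names).

Feeds on two constructed event kinds:
  spawn parent=<pid> child=<pid> name=<exe>
  net pid=<pid> dst=<host:port>
and raises an alert whenever a process inside the engine's tree spawns
something outside the allow-list or touches the network at all.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENGINE_NAME = "avengine"                        # hypothetical name of the scanner process
ALLOWED_CHILDREN = {"unzip", "gunzip", "tar"}   # hypothetical allow-list of unpacking helpers

# Constructed sample log: the engine unpacks an archive, the unpacker is
# exploited into spawning a shell that phones home; an unrelated cron job
# also uses the network and must not be flagged.
SAMPLE_LOG = """\
spawn parent=1 child=100 name=avengine
spawn parent=100 child=101 name=unzip
spawn parent=101 child=102 name=sh
net pid=102 dst=198.51.100.7:4444
spawn parent=1 child=200 name=cron
net pid=200 dst=198.51.100.9:25
"""


@dataclass
class Proc:
    pid: int
    name: str
    parent: Optional[int]


@dataclass
class Alert:
    kind: str      # "unexpected_spawn" or "network_activity"
    pid: int
    detail: str


def parse_line(line: str) -> dict:
    """'spawn parent=100 child=101 name=unzip' -> {'event': 'spawn', 'parent': '100', ...}"""
    parts = line.split()
    rec = {"event": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


class EscapeMonitor:
    def __init__(self) -> None:
        self.procs: Dict[int, Proc] = {}
        self.alerts: List[Alert] = []

    def in_engine_tree(self, pid: int) -> bool:
        """True if pid is the engine or any descendant of it (walks parents, loop-safe)."""
        seen = set()
        cur = self.procs.get(pid)
        while cur is not None and cur.pid not in seen:
            if cur.name == ENGINE_NAME:
                return True
            seen.add(cur.pid)
            cur = self.procs.get(cur.parent) if cur.parent is not None else None
        return False

    def feed(self, line: str) -> None:
        rec = parse_line(line)
        if rec["event"] == "spawn":
            pid, parent, name = int(rec["child"]), int(rec["parent"]), rec["name"]
            self.procs[pid] = Proc(pid, name, parent)
            # Any spawn under the engine that is not an approved helper is suspicious.
            if self.in_engine_tree(parent) and name not in ALLOWED_CHILDREN:
                self.alerts.append(Alert("unexpected_spawn", pid, f"{name} spawned by pid {parent}"))
        elif rec["event"] == "net":
            pid = int(rec["pid"])
            # The scanner has no business on the network; any connection is an alert.
            if self.in_engine_tree(pid):
                self.alerts.append(Alert("network_activity", pid, f"connection to {rec['dst']}"))


def scan_log(text: str) -> List[Alert]:
    monitor = EscapeMonitor()
    for line in text.splitlines():
        if line.strip():
            monitor.feed(line)
    return monitor.alerts


def should_reset_vm(alerts: List[Alert]) -> bool:
    """Policy from the thread: one alert is enough to discard and rebuild the VM."""
    return bool(alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] pid={a.pid}: {a.detail}")
    print("reset VM:", should_reset_vm(found))
```

Note the limitation Valdis raises still applies: this only sees behaviour that actually happens inside the VM, so a sample that stays dormant when it believes it is virtualized produces no events and no alert.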

