
RE: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives



> For lack of a better name -- after all, this is a technology
> that has hardly been investigated -- I refer to this as
> integrity management.
> Basically you turn known virus scanning on its head to have
> the on-access scanner only allow known good code to run,
> rather than trying to do the impossible of finding all
> possible permutations of all possible (known) "bad" code.
> This can easily be done using the existing technology, but
> instead of depending on a vendor to find new bad things, add
> detection of them and ship that update _finally_ giving the
> user protection, the user supplies their own list of
> _allowable_ code and new code can be run once the
> administrator updates their own database of allowable code.
> (There are other clever things such a re-purposing of this
> technology neatly allows too -- for example, such technology
> could easily be configured to block access to all files of a
> given type; it can be easily used to track software usage for
> auditing and licensing checking; etc, etc...)

Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies?  Executables are only allowed to run provided they
fit a pre-specified pattern, i.e. name (not very useful), signed or not,
hash of the executable.
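The allow-list ("integrity management") model discussed in this thread, as an added illustration that is not code from either poster: an administrator-maintained database of known-good code keyed by SHA-256 hash, a block-by-file-type rule, and an audit trail of every decision. The file names, contents and blocked extensions are constructed sample data; the files are created in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed policy: file types denied outright, regardless of contents.
BLOCKED_EXTENSIONS = {".scr", ".pif"}


def sha256_file(path):
    """Hash a file's contents in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path, allowed_hashes, blocked_extensions, audit):
    """Return 'allow' or 'deny' for an execution request and record it for auditing."""
    p = Path(path)
    if p.suffix.lower() in blocked_extensions:
        verdict, reason = "deny", "blocked file type"
    elif sha256_file(p) in allowed_hashes:
        verdict, reason = "allow", "hash in allow-list"
    else:
        # Unknown code is denied until the administrator enrols its hash.
        verdict, reason = "deny", "hash not in allow-list"
    audit.append((p.name, verdict, reason))
    return verdict


def demo():
    """Create constructed sample files and run the policy against each one."""
    audit = []
    results = {}
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tool.exe"
        tool.write_bytes(b"MZ constructed sample program v1")
        allowed = {sha256_file(tool)}  # administrator enrols the known-good build
        results["enrolled"] = decide(tool, allowed, BLOCKED_EXTENSIONS, audit)
        # Same path and name, contents changed: a name-based rule would still
        # match, but the hash rule no longer does.
        tool.write_bytes(b"MZ constructed sample program v2")
        results["modified"] = decide(tool, allowed, BLOCKED_EXTENSIONS, audit)
        saver = Path(d) / "promo.scr"
        saver.write_bytes(b"MZ constructed screensaver")
        results["blocked_type"] = decide(saver, allowed, BLOCKED_EXTENSIONS, audit)
    return results, audit
```

The audit list doubles as the usage/licensing record the quoted poster mentions, since every execution request lands there with its verdict.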

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html