RE: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives
- To: <nick@xxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives
- From: "Stuart Fox (DSL AK)" <StuartF@xxxxxxxxxxxxx>
- Date: Tue, 8 Feb 2005 09:56:54 +1300
> For lack of a better name -- after all, this is a technology
> that has hardly been investigated -- I refer to this as
> integrity management.
> Basically you turn known virus scanning on its head to have
> the on-access scanner only allow known good code to run,
> rather than trying to do the impossible of finding all
> possible permutations of all possible (known) "bad" code.
> This can easily be done using the existing technology, but
> instead of depending on a vendor to find new bad things, add
> detection of them and ship that update, _finally_ giving the
> user protection, the user supplies their own list of
> _allowable_ code, and new code can be run once the
> administrator updates their own database of allowable code.
> (There are other clever things such a re-purposing of this
> technology neatly allows too -- for example, such technology
> could easily be configured to block access to all files of a
> given type; it can be easily used to track software usage for
> auditing and licensing checking; etc, etc...)
Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies? Executables are only allowed to run provided they
fit a prespecified pattern i.e. name (not very useful), signed or not,
hash of the executable.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
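The default-deny "integrity management" model discussed in the thread, as an added illustration (not code from either poster or from Microsoft's Software Restriction Policies): a policy database seeded by the administrator with hashes of vetted binaries plus optional trusted-path patterns, and an evaluator that allows execution only on an explicit match. The sample binaries, paths and policy contents are constructed.

```python
"""Default-deny code allowlist evaluator (added illustration, not from the post)."""
from __future__ import annotations
import fnmatch
import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    # SHA-256 hex digests of binaries the administrator has vetted.
    allowed_hashes: set[str] = field(default_factory=set)
    # Glob patterns for trusted locations. Weaker than a hash rule: any file
    # placed in a matching location passes, so keep such locations write-protected.
    allowed_paths: list[str] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(policy: Policy, path: str, contents: bytes) -> tuple[str, str]:
    """Return (verdict, reason). Hash rules are checked first; anything with no
    matching allow rule is denied, which is the inversion of signature scanning."""
    digest = sha256_hex(contents)
    if digest in policy.allowed_hashes:
        return "allow", f"hash rule {digest[:12]}"
    for pattern in policy.allowed_paths:
        if fnmatch.fnmatch(path, pattern):
            return "allow", f"path rule {pattern}"
    return "deny", "no matching allow rule (default deny)"


def approve(policy: Policy, contents: bytes) -> None:
    """The administrator's update step: new code runs only after it is added here."""
    policy.allowed_hashes.add(sha256_hex(contents))


# Constructed sample data: one vetted binary and one trusted library directory.
GOOD_EDITOR = b"\x7fELF-constructed-editor"
POLICY = Policy({sha256_hex(GOOD_EDITOR)}, ["/usr/lib/vendor/*.so"])


def demo() -> dict[str, str]:
    """Verdicts for a few representative cases, keyed by description."""
    return {
        "vetted binary, any path": decide(POLICY, "/tmp/x", GOOD_EDITOR)[0],
        "modified copy of vetted binary": decide(POLICY, "/usr/bin/editor", GOOD_EDITOR + b"\x90")[0],
        "unknown file in trusted dir": decide(POLICY, "/usr/lib/vendor/a.so", b"blob")[0],
        "unknown file elsewhere": decide(POLICY, "/home/u/Downloads/a.sh", b"blob")[0],
    }
```

Note that a one-byte change to a vetted binary is denied because the hash no longer matches, while the path rule accepts any content in its directory; this is the trade-off between the hash and name-based rule types mentioned in the reply.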