RE: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Tue, 08 Feb 2005 11:26:47 +1300
Stuart Fox to me:
> Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
> Restriction Policies? Executables are only allowed to run provided they
> fit a prespecified pattern i.e. name (not very useful), signed or not,
> hash of the executable.
Yes, but it has to be much more thoroughly implemented. It needs to be
at a low level in the file system (as existing on-access virus
scanners' file system filter drivers and the like currently are) and it
needs to be able to handle a much broader conception of "code" than the
existing implementation (again, as existing on-access virus scanners
have, with their "intelligent" file typing and such...).
Such a "solution" would only ever be widely useful in properly managed
corporate environments -- most small businesses (and many medium-sized
ones) and most individual users would never have the discipline and/or
interest in managing this, but in larger corporate, and many other
large institutional, settings, where most PCs are really just tools
providing a standard (and usually fairly limited) set of applications,
such an integrity management approach would be easily adopted in place
of on-access virus scanning and would only ever need updating just
before standard maintenance procedures update/patch the contents of the
managed PCs or new functionality (apps) were to be installed.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
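
An added example, not part of the original message and not any vendor's code: a minimal model of the hash-based integrity check discussed above, typing files by content rather than name and denying recognised code whose SHA-256 is not on an approved list. The magic-byte table, the IntegrityPolicy class and the sample byte strings are constructed for illustration; the real check would sit in a file system filter driver.

```python
import hashlib

# Constructed, deliberately small magic-byte table standing in for the
# "intelligent" file typing an on-access scanner performs.
CODE_MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"#!": "script",
}

def sniff_code_type(data: bytes):
    """Classify by content; return None if the bytes are not recognised as code."""
    for magic, kind in CODE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

class IntegrityPolicy:
    """Hypothetical allowlist consulted whenever a file is opened or executed."""

    def __init__(self):
        self.approved = set()

    def approve(self, data: bytes):
        # Run by the administrator just before an install or patch is rolled out.
        self.approved.add(hashlib.sha256(data).hexdigest())

    def check(self, name: str, data: bytes) -> str:
        # 'name' is deliberately ignored: a renamed executable is still code.
        kind = sniff_code_type(data)
        if kind is None:
            return "allow: not code"
        if hashlib.sha256(data).hexdigest() in self.approved:
            return f"allow: approved {kind}"
        return f"deny: unapproved {kind}"

def demo():
    policy = IntegrityPolicy()
    app_v1 = b"MZ" + b"constructed app v1"            # constructed sample
    app_v2 = b"MZ" + b"constructed app v2 (patched)"  # constructed sample
    unknown = b"MZ" + b"constructed unknown binary"   # constructed sample
    policy.approve(app_v1)
    results = [
        policy.check("app.exe", app_v1),       # approved build
        policy.check("invoice.txt", unknown),  # code hiding behind a .txt name
        policy.check("notes.txt", b"plain text"),
        policy.check("app.exe", app_v2),       # patch arrives before the list is updated
    ]
    policy.approve(app_v2)                     # list updated as part of maintenance
    results.append(policy.check("app.exe", app_v2))
    return results

if __name__ == "__main__":
    print("\n".join(demo()))
```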