OSEC

RE: strange windows behaviour.

From: Harley David (david.harley@nhsia.nhs.uk)
Date: Fri Oct 10 2003 - 03:40:28 CDT


From what I've seen of this thread, I'm not sure that
streams are quite as "safe" as I thought they were.
However, I think Paul's point essentially still stands,
individual AV implementation quirks apart. -Except- for
the assertion that there's no advantage to detecting
inert malware. If vendors really believed this, they
wouldn't scan for Mac viruses on PCs, or Windows viruses
on Unix boxes. If it's malicious, it's on a system,
and it's technically possible to detect it, surely it's
reasonable to expect at least an available option to
detect it? After all, viruses already exist that force
the vendors to mess with streams to repair the infection.

--
David Harley
Threat Assessment Centre Manager
Anti-Virus/Email Abuse Specialist
NHS Information Authority
07765 250765

> There's been a lot of discussion about this amongst av professionals.
> There's really no advantage to scanning streams because they are
> "inert". In order for the trojan to do anything, it has to "come out of
> hiding" as it were, and when it does, av on access scanning will detect
> it **if it's a known trojan**. While it's in the stream it's merely in
> storage, not being used.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>


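The thread turns on whether content parked in an NTFS alternate data stream (ADS) is worth detecting while it is still "in storage". The script below is an added example written for this page, not code from either poster or from any AV vendor: it walks a directory tree, lists every stream other than the default unnamed ':$DATA' stream, and SHA-256 hashes each one so the inert content can be compared against a hash list without waiting for it to be executed. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the parameter names, the Find-Ads.ps1 file name used in the usage note, and any hash values the operator passes in are assumptions, not anything from the original thread.

```powershell
# Added example for this thread (not code from any of the posters): walk an
# NTFS tree, list every alternate data stream that is not the default
# unnamed ':$DATA' stream, and SHA-256 each one so the content can be
# compared against a hash list while it is still sitting "inert" on disk.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on NTFS; $KnownBadSha256
# is an operator-supplied list of hex SHA-256 digests (hypothetical input).
param(
    [string]$Root = '.',
    [string[]]$KnownBadSha256 = @()
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

# -Force includes hidden and system items; streams can hang off directories
# as well as files, so directories are not filtered out here.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $item = $_
    # -Stream * enumerates every stream of the item, including ':$DATA' for files.
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        $stream = $_
        # .NET file APIs accept the "path:streamname" syntax on NTFS, so the
        # stream body can be hashed in place without copying it out of the file.
        $streamPath = '{0}:{1}' -f $item.FullName, $stream.Stream
        try {
            $bytes = [System.IO.File]::ReadAllBytes($streamPath)
            $hash  = -join ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
        } catch {
            $hash = 'unreadable: ' + $_.Exception.Message
        }

        # Zone.Identifier is the mark-of-the-web that browsers and mail clients
        # attach to downloads and is normally benign; everything else deserves
        # a look, and a hash-list hit is flagged outright.
        if ($stream.Stream -eq 'Zone.Identifier') {
            $note = 'mark-of-the-web'
        } elseif ($KnownBadSha256 -contains $hash) {
            $note = 'KNOWN BAD'
        } else {
            $note = 'review'
        }

        [pscustomobject]@{
            Path   = $item.FullName
            Stream = $stream.Stream
            Length = $stream.Length
            Sha256 = $hash
            Note   = $note
        }
    }
} | Format-Table -AutoSize
```

Run it as, for example, `.\Find-Ads.ps1 -Root C:\Users -KnownBadSha256 @('<hex digest>')` from an elevated prompt so that hidden and system locations are readable. The check has the same limit as on-access scanning: a hash match only catches samples that are already known, so its value is in surfacing unexpected streams for review, which is exactly the "available option to detect it" the post asks for.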