Message-ID: <a0c503c4040615110851ad3fb0@mail.gmail.com>
From: kponds at gmail.com (Kevin Ponds)
Subject: antivirus and spyware scanning

Logically speaking, all of a virus's kinetic countermeasures to
detection can be negated by scanning for the virus whilst the drive is
not mounted.

I think the original poster wanted to take more of a forensic approach
to virus removal, in this way the antivirus software cannot be
hijacked itself.

A good implementation would either download the definitions from the
internet right after the CD boots (this could be a problem because of
oddball NICs and linux drivers), or alternatively from a
floppy/USB-key.

The only problems that I see with it are that "at rest" detection
methodology does not work for certain viral stealth maneuvers, such as
polymorphic engines and (in the near future) cryptovirology*.
Run-time analysis is needed for viruses that obfuscate their stored
code.

*however, we have to get our users to stop downloading attachments and
to start patching before the virus writers have any incentive to be
innovative and use things like polymorphic engines and cryptovirology.


ponds 

On Tue, 15 Jun 2004 09:43:08 -0700 (PDT), Harlan Carvey
<keydet89@...oo.com> wrote:
> 
> 
> > I think it is very useful to scan a windows machine
> > from viruses while having that machine booted to
> > linux.  This pretty much ensures that you will find
> > all the virii on that system.
> 
> Not necessarily.  You'll have to update the virus
> signatures on your CD distribution prior to scanning,
> and that doesn't guarantee complete coverage, either.
> 
> 
> > Does anyone know of a spyware scanner that can also
> > work from within Linux?  I dislike the idea of
> > having to boot to windows just to scan the box for
> > spyware.  One could argue that the hard drive could
> > be put into another machine and scanned there, but
> > what if you're in an environment where that is just
> > not possible (making housecalls, no unused machine,
> > etc)?
> >
> > Also, if you know of a better solution than this, I
> > am always interested.
> 
> Better solution than what?  I'm not really clear on
> what you're trying to do...you seem to have Windows
> machines that you're interested in scanning for
> viruses and spyware...why not simply use Windows apps?
> That way, you wouldn't have to boot to another os, or
> remove the hard drive at all...
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
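An added example, not part of Ponds' post or of the thread, showing how the offline ("at rest") scan he describes could be scripted from a Linux live environment. It assumes ClamAV (`freshclam`/`clamscan`) is on the boot medium; the device path, mount point, USB directory and log path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): scan a Windows volume "at rest"
# from a Linux live CD, as Ponds describes, without ever booting the suspect OS.
# Assumes ClamAV is installed on the live medium. Paths below are placeholders.

# Mount the suspect volume read-only so the scan cannot alter it, and with
# noexec/nodev/nosuid so nothing stored on it can be executed in our environment.
SAFE_MOUNT_OPTS="ro,noexec,nodev,nosuid"

# mount_volume DEVICE MOUNTPOINT
# Mounts the suspect volume with the safe options; non-zero on failure.
mount_volume() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt" || return 1
    mount -o "$SAFE_MOUNT_OPTS" "$dev" "$mnt"
}

# mount_opts_are_safe OPTS
# Returns 0 only if the comma-separated OPTS (e.g. a field from /proc/mounts)
# contains every protective flag we require; used to check a volume that was
# mounted by someone else before we scan it.
mount_opts_are_safe() {
    for flag in ro noexec nodev nosuid; do
        case ",$1," in
            *",$flag,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# update_signatures [USB_DIR]
# Carvey's point: the CD's signatures are stale by the time it is used.
# Ponds' answer: fetch definitions over the network right after boot, or from
# a floppy/USB key when the live kernel has no driver for the NIC. Try the
# network first, then fall back to copying .cvd/.cld files from USB_DIR.
update_signatures() {
    usb_dir="$1"
    if freshclam --quiet 2>/dev/null; then
        return 0
    fi
    copied=1
    if [ -n "$usb_dir" ] && [ -d "$usb_dir" ]; then
        for f in "$usb_dir"/*.cvd "$usb_dir"/*.cld; do
            [ -f "$f" ] || continue
            cp "$f" /var/lib/clamav/ && copied=0
        done
    fi
    return $copied
}

# scan_mounted_volume MOUNTPOINT LOGFILE
# Recursive scan, listing infected files only. clamscan exits 0 when clean,
# 1 when something was found and 2 on error; pass that status to the caller.
scan_mounted_volume() {
    clamscan -r -i --log="$2" "$1"
}

# Assumed usage from the live medium:  sh offline_scan.sh /dev/sda1 /media/usb
if [ -n "${1:-}" ]; then
    MNT=/mnt/suspect                     # placeholder mount point
    update_signatures "${2:-}" || echo "warning: signatures not updated" >&2
    mount_volume "$1" "$MNT" || exit 2
    scan_mounted_volume "$MNT" /tmp/offline-scan.log
    rc=$?
    umount "$MNT"
    exit "$rc"
fi
```

The read-only mount is what gives the "forensic" property Ponds wants: the scanner reads the stored bytes and the suspect OS never runs, so it cannot interfere with the scan or be changed by it. The caveat from the post still applies: this sees only what is on disk, so code that is stored obfuscated (polymorphic engines, encrypted payloads) needs run-time analysis on top of an at-rest scan.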

