Message-ID: <414835C0.23225.A499F818@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AV companies better hire good lawyers soon.
Frank Knobbe wrote:
> Alternatively, software manufacturers can add their applications into AV
> exclusion lists upon installation of their products. Applications
> already have to "register" with the operating systems. Why not make it
> register with the AV software if the software is prone to false
> positives? Or at least advise the end-user of such recommended manual
> step during installation.
Do I detect the re-emergence of parasitic binary infectors?
> If the user trusts the application, and does not trust the AV software,
> he can override the AV checks for this software. If AV vendors present a
> lot of false positives, my guess is that the trust of the end user in
> those AV products will wane.
>
> So, it is in the best interest for the AV vendor to ensure low/no false
> positives. There is no need for software manufacturers to "register"
> their products with AV vendors.
Of course, the best solution is to fix the cart-before-the-horse design
of contemporary scanners. They should not be black-listing (by its
nature heavily prone to _both_ false-positives (the issue here) and
false-negatives ("you should expect us to miss new malware")) but
enforcing white lists. The "bad old days" of severe hardware (RAM, CPU
cycles, I/O speed) limitations that made black-listing only marginally
acceptable because it was the only marginally viable approach, are
_long_ past. Idiot users that want to run just any old cr*p code from
anywhere are welcome to keep failing to be "protected" by black-listing
scanners, but informed admin types should have been agitating for years
now for their AV developers (or, perhaps better, other security system
developers) to develop a useful, real-time black-listing solution that
would work in a corporate setting. Partly because this did not happen
we then had all manner of further idiocies "enforced" on us, such as
the truly screwed-up notion that we should accept arbitrary code from
web servers (in the form of HTML-embedded scripts, scripting in third-
party interpreted languages such as are used in SWF, etc, etc).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854