Message-ID: <EFEDB05BD6D3904BA5A595FB322BB4FF2545AC@dnzakex1.datacom.co.nz>
From: StuartF at datacom.co.nz (Stuart Fox (DSL AK))
Subject: Multiple AV Vendors ignoring tar.gz archives
> For lack of a better name -- after all, this is a technology
> that has hardly been investigated -- I refer to this as
> integrity management.
> Basically you turn known virus scanning on its head to have
> the on-access scanner only allow known good code to run,
> rather than trying to do the impossible of finding all
> possible permutations of all possible
> (known) "bad" code. This can easily be done using the
> existing technology, but instead of depending on a vendor
> to find new bad things, add detection of them and ship that
> update _finally_ giving the user protection, the user
> supplies their own list of _allowable_ code and new code can
> be run once the administrator updates their own database of
> allowable code. (There are other clever things such a
> re-purposing of this technology neatly allows too -- for
> example, such technology could easily be configured to block
> access to all files of a given type; it can be easily used to
> track software usage for auditing
> and licensing checking; etc, etc...)
Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies? Executables are only allowed to run provided they
fit a prespecified pattern i.e. name (not very useful), signed or not,
hash of the executable.
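The hash-based allow-listing both posts describe, as an added example (not code from either poster, nor Microsoft's Software Restriction Policies): deny by default, an administrator-supplied list keyed on the executable's SHA-256, a per-type block, and a usage log for auditing. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# File types the administrator wants blocked outright (constructed example set).
BLOCKED_EXTENSIONS = {".scr", ".pif"}

def sha256_of_file(path: str) -> str:
    """Hash the whole file; the allow list keys on content, not on name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AllowList:
    """Deny-by-default database of known-good executable hashes."""
    def __init__(self) -> None:
        self.allowed: Dict[str, str] = {}                 # sha256 -> label
        self.audit_log: List[Tuple[str, str, str]] = []   # (path, decision, reason)

    def add_allowed(self, path: str, label: str) -> None:
        """Administrator approves a build by hashing the file they vetted."""
        self.allowed[sha256_of_file(path)] = label

    def decide(self, path: str) -> Tuple[str, str]:
        """What an on-access hook would ask before letting a file execute."""
        if os.path.splitext(path)[1].lower() in BLOCKED_EXTENSIONS:
            verdict = ("deny", "blocked file type")
        else:
            label = self.allowed.get(sha256_of_file(path))
            verdict = ("allow", f"known good: {label}") if label else ("deny", "hash not in allow list")
        self.audit_log.append((path, *verdict))  # usage trail for auditing/licensing checks
        return verdict

def demo() -> List[str]:
    """Constructed sample: one approved build, one new build, one blocked file type."""
    with tempfile.TemporaryDirectory() as d:
        good, new, scr = (os.path.join(d, n) for n in ("tool.exe", "tool-v2.exe", "x.scr"))
        for p, data in ((good, b"MZ v1"), (new, b"MZ v2"), (scr, b"MZ")):
            with open(p, "wb") as f:
                f.write(data)
        db = AllowList()
        db.add_allowed(good, "tool.exe v1")
        verdicts = [db.decide(p)[0] for p in (good, new, scr)]
        db.add_allowed(new, "tool.exe v2")       # admin vets v2; only then does it run
        verdicts.append(db.decide(new)[0])
        return verdicts  # ['allow', 'deny', 'deny', 'allow']
```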