funsec mailing list archives

RE: Gadi Busted In Massive Conspiracy


From: Sean Donelan <sean () donelan com>
Date: Sat, 4 Feb 2006 12:15:36 -0500 (EST)

On Sat, 4 Feb 2006, Nick FitzGerald wrote:
Also, smart bad guys will ensure that they take sound steps to block
access to the WU servers, so that once run they prevent being usurped
by new MSRT updates, just as they already do with AV, etc...

Remember, when playing in a blacklisting-controlled environment (i.e.
modern "known virus scanning" AV) the bad guy has the upper hand
because his code always gets to run first...

That's why it's important to get people with *UNMANAGED* PCs to turn on WU
auto-update.  PCs managed by professional IT sysadmins or actively
self-administered are not the target of WU auto-update.

WU should "run first" and install patches or updates before the exploits
start appearing after the public announcements (0-day is still a problem).
The best AV is to eliminate the vulnerability by preventive medicine,
rather than trying to cure the machine after it's infected.  It would be
great if software had no vulnerabilities, but absent that, the next best
thing is effectively patching as many machines as soon as possible.

Nevertheless, WU auto-update won't help as much with the self-infect
vectors.  Once you are owned, I wouldn't trust MSRT or any AV product to
completely restore a compromised computer because you never know what you
don't know.  The MSRT is an "air drop" to help control the worst
infections among the unmanaged PC population.  MSRT is not a replacement
for other security products or IT management.
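
The quoted point above, that malware which runs first will block access to the WU servers so later updates can never reach the machine, is something a defender can at least check for on an unmanaged PC. The script below is an added example (editor's code, not Sean's or Nick's, and not any Microsoft tool): it parses hosts-file-style text and flags any static mapping for a Windows Update hostname, since those names are meant to resolve through DNS and a hard-coded entry (typically to 127.0.0.1 or 0.0.0.0) is the classic way of cutting a machine off from updates. The domain list and the sample hosts file are constructed assumptions for the example, not data from the post.

```python
# Added example: detect hosts-file entries that pin Windows Update hostnames
# to a fixed address (a common trick for blocking updates after infection).
# The domain list and sample input below are constructed for illustration.
import re

# Assumed set of update hostnames to watch; extend for your own environment.
UPDATE_DOMAINS = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
)

# address, one or more hostnames, optional trailing '#' comment
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(.+?)\s*(?:#.*)?$")


def find_blocked_update_hosts(hosts_text):
    """Return (ip, hostname) pairs where an update domain (or a subdomain
    of one) is statically mapped.  Any such mapping is suspicious on a
    machine that is supposed to be receiving updates over the network."""
    findings = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue  # blank line or comment
        ip, names = m.group(1), m.group(2).split()
        for name in names:
            lname = name.lower()
            if any(lname == d or lname.endswith("." + d) for d in UPDATE_DOMAINS):
                findings.append((ip, lname))
    return findings


# Constructed sample: two update domains pinned to non-routable addresses,
# plus ordinary entries that must not be flagged.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.microsoft.com   # suspicious
0.0.0.0         download.windowsupdate.com
192.168.1.10    fileserver.corp.example
"""

if __name__ == "__main__":
    for ip, host in find_blocked_update_hosts(SAMPLE_HOSTS):
        print(f"update domain pinned in hosts file: {host} -> {ip}")
```

Run it against the real hosts file by reading that file's contents instead of SAMPLE_HOSTS; an empty result only means this one blocking method is absent, since a resident infection can also filter the traffic directly, which is exactly why the post argues for patching before the exploit arrives rather than cleaning up afterwards.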

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
