funsec mailing list archives

RE: eWeek: Government-Funded Startup Blasts Rootkits


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 27 Apr 2006 11:23:28 +1200

Drsolly to Blanchard_Michael () emc com to Drsolly:

Remember Thunderbyte?

Is Thunderbyte similar to the Apple II card CopyIIplus?  I remember
years ago there was that CopyIIplus card that would copy any program disk
to disk I believe, regardless of copy protection too  :-)

It was a hardware antivirus.

Are we remembering different things?

The Thunderbyte I remember was very much software, written initially by 
Frans Veldman of the Netherlands and joined later by Righard 
Zwienenberg.  In the mid-90s it was bought up by Norman and by 1999 (or 
earlier?) Norman stopped shipping updates for it, much to the 
disappointment of its hardcore users.

There have been various "hardware antivirus" (or more generically 
"security") products.  All of these that I've ever seen plug in between 
the IDE controller and IDE drive (I think there were a few very early 
ones that worked with pre-IDE drives too) and, if you had to describe 
their operation in just a few words (what, me??) you'd say they were 
"hardware partition access managers".

In a few more words, once set up and configured, they block, and/or 
redirect writes to "protected" partitions to "reserved" space on the disk 
and redirect reads to those same disk locations to the "temporary" 
record in reserved space.  On (hardware) reset, the reserved space and 
table of redirected locations is cleared and the machine "restarts 
clean".  Such products often allow for three types of partitions -- 
completely immutable ones (where writes will simply be prevented), 
temporarily mutable ones (as described above) and totally mutable ones 
(for storing user data, possibly for TEMP, and such).

Such devices have sporadically been popular with some schools and other 
"public access" providers, but they are pretty shockingly bad as an 
"antivirus" (or general malware) "solution", given that "data" files 
(which, in a productive environment you generally want users to be able 
to save _and keep_) can be malicious, and that more and more the 
purpose of malware is to steal your data (e.g. harvest Email addresses, 
steal identity information) and/or steal your network bandwidth 
(spamming, spam relaying, proxying, warez storage, etc).

As briefly described, these new PCI devices are probably nothing like 
the above (and if that was all they are, the government just wasted a 
bunch of money re-inventing a largely dysfunctional wheel!).


Regards,

Nick FitzGerald
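As an added illustration (a constructed model, not code from any of the products Nick mentions), this is the redirect-on-write behaviour he describes, with the three partition types; the names `Kind`, `RedirectingDisk` and the sector layout are assumptions for the model. Note that whatever lands on the mutable data partition survives a reset, which is exactly the gap he points out.

```python
# Constructed model (not any vendor's firmware) of the "hardware partition access
# manager" described above: protected writes are diverted to reserved space.
from enum import Enum

class Kind(Enum):
    IMMUTABLE = "immutable"       # writes are simply rejected
    TEMP = "temporarily mutable"  # writes redirected, forgotten on reset
    MUTABLE = "mutable"           # writes hit the disk and persist

class RedirectingDisk:
    def __init__(self, partitions, reserved_sectors):
        # partitions: list of (first_sector, last_sector, Kind)
        self.partitions = partitions
        self.disk = {}                              # sector -> bytes
        self.reserved = [None] * reserved_sectors   # scratch area
        self.redirect = {}                          # sector -> reserved slot

    def kind_of(self, sector):
        for lo, hi, kind in self.partitions:
            if lo <= sector <= hi:
                return kind
        raise ValueError(f"sector {sector} outside any partition")

    def write(self, sector, data):
        kind = self.kind_of(sector)
        if kind is Kind.IMMUTABLE:
            return False                            # blocked outright
        if kind is Kind.MUTABLE:
            self.disk[sector] = data                # survives reset
            return True
        # TEMP: divert into reserved space, reusing the slot if already diverted
        slot = self.redirect.get(sector)
        if slot is None:
            if None not in self.reserved:
                return False                        # reserved space full
            slot = self.reserved.index(None)
            self.redirect[sector] = slot
        self.reserved[slot] = data
        return True

    def read(self, sector):
        slot = self.redirect.get(sector)
        if slot is not None:
            return self.reserved[slot]              # diverted copy wins
        return self.disk.get(sector, b"\x00")

    def reset(self):
        # Hardware reset: clear the table, originals reappear ("restarts clean")
        self.redirect.clear()
        self.reserved = [None] * len(self.reserved)
```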

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

