funsec mailing list archives

RE: Overloading AV software, try #2


From: "Richard M. Smith" <rms () bsf-llc com>
Date: Fri, 7 Jul 2006 16:47:36 -0400

The goal of the 200 warning messages is to get someone to turn off their AV
software and not to immediately infect their machine.

Richard

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Friday, July 07, 2006 4:38 PM
To: Richard M. Smith
Cc: 'FunSec LList'
Subject: Re: [funsec] Overloading AV software, try #2

On Fri, 07 Jul 2006 16:24:53 EDT, "Richard M. Smith" said:
My question is about overloading the user with warning messages, not
DoSing a box.  Let me try asking my question a different way.  If an AV
software package suddenly sees 200 virus files being written to a hard
drive, will it present to the user 200 individual warning messages about
these virus files?

Depends on its design.  At that point, the more important question is
how/why the source is able to write 200 files that could potentially be
viruses onto the disk - that indicates a massive sandbox failure on the
part of the MUA or browser or whatever.

(And yes, I know it's *theoretically* possible that a webpage have 200
alleged jpegs on it that have malformed headers that cause a buffer
overrun and a code exploit - but if you have *that*, you just want to
send *one* so you can try to fly under the wire...)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
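The exchange above turns on a design question: whether an AV engine that sees a burst of 200 detections should raise 200 separate pop-ups (which is exactly the alert-fatigue outcome the first message describes, users switching the product off) or one summary that also answers Valdis's "how/why" question by naming the process that wrote the files. The following is an added example, not code from the funsec thread or from any AV product, showing one way to coalesce a detection burst into a single alert. The `Detection` record, the `writer_pid` field, the 10-second window and the threshold of 5 are all assumptions chosen for illustration; the sample detections are constructed.

```python
"""Added example (not from the funsec thread): coalesce a burst of AV
detections into one summary alert instead of one pop-up per file.

Assumptions (illustrative, not any real product's API):
  - each detection carries the PID of the process that wrote the file,
    as a filesystem filter driver could supply it;
  - detections closer together than WINDOW_S seconds belong to one burst;
  - a burst of fewer than THRESHOLD detections is still shown individually.
"""
from collections import Counter
from dataclasses import dataclass, field

WINDOW_S = 10.0    # assumed grouping window, in seconds
THRESHOLD = 5      # assumed minimum size for a burst alert


@dataclass
class Detection:
    ts: float          # time the file was written, seconds
    path: str          # file that matched a signature
    signature: str     # name of the matching signature
    writer_pid: int    # process that wrote the file (assumed available)


@dataclass
class Alert:
    kind: str                  # "single" or "burst"
    count: int                 # detections covered by this alert
    signatures: dict           # signature name -> occurrences
    writers: dict              # writer PID -> occurrences
    first_ts: float
    last_ts: float
    sample_paths: list = field(default_factory=list)


def _flush(group, threshold):
    """Turn one time-window group into alerts: one per file below the
    threshold, otherwise a single burst alert that keeps the counts and
    the writer PIDs, which is the evidence an analyst needs first."""
    if len(group) < threshold:
        return [Alert("single", 1, {d.signature: 1}, {d.writer_pid: 1},
                      d.ts, d.ts, [d.path]) for d in group]
    return [Alert("burst", len(group),
                  dict(Counter(d.signature for d in group)),
                  dict(Counter(d.writer_pid for d in group)),
                  group[0].ts, group[-1].ts,
                  [d.path for d in group[:3]])]


def coalesce(detections, window_s=WINDOW_S, threshold=THRESHOLD):
    """Group detections by time window (measured from the first detection
    in the group) and return the alerts that should be shown to the user."""
    alerts, group = [], []
    for d in sorted(detections, key=lambda d: d.ts):
        if group and d.ts - group[0].ts > window_s:
            alerts.extend(_flush(group, threshold))
            group = []
        group.append(d)
    if group:
        alerts.extend(_flush(group, threshold))
    return alerts


def render(alert):
    """Human-readable one-line message for an alert."""
    if alert.kind == "single":
        return f"Blocked {alert.sample_paths[0]} ({next(iter(alert.signatures))})"
    span = alert.last_ts - alert.first_ts
    writers = ", ".join(f"PID {p} ({n} files)" for p, n in alert.writers.items())
    return (f"Blocked {alert.count} suspicious files written within {span:.2f}s "
            f"by {writers}; the writing process has been flagged for review")


# Constructed sample: 200 files dropped in two seconds by one process,
# plus one unrelated detection much later.
SAMPLE = [Detection(100.0 + i * 0.01, f"C:\\tmp\\img{i:03d}.jpg",
                    "Exploit.JPEG.Header", 4242) for i in range(200)]
SAMPLE.append(Detection(500.0, "C:\\Users\\u\\Downloads\\invoice.exe",
                        "Trojan.Generic", 77))


if __name__ == "__main__":
    for a in coalesce(SAMPLE):
        print(render(a))
```

With the constructed sample the 200 writes collapse into one burst alert that names PID 4242 as the writer, and the later lone detection is still shown on its own; the user sees two notifications rather than 201. Quarantining happens regardless of how the alert is presented, so suppressing pop-ups does not suppress protection.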

