Re: Overloading AV software, try #2

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 7/7/06, Richard M. Smith <rms () bsf-llc com> wrote:
> The goal of the 200 warning messages is to get someone to turn off their AV
> software and not to immedieately infect their machine.
>
> Richard


Most that I know of will just indicate the number of instances of a
virus, of course that is usually seen during a scan but..


-JP



> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Friday, July 07, 2006 4:38 PM
> To: Richard M. Smith
> Cc: 'FunSec LList'
> Subject: Re: [funsec] Overloading AV software, try #2
>
> On Fri, 07 Jul 2006 16:24:53 EDT, "Richard M. Smith" said:
> > My question is about overloading the user with warning messages, not
> DoSing
> > a box.  Let me try asking my question a different way.  If an AV software
> > package suddenly sees 200 virus files being written to a hard drive, will
> it
> > present to the user 200 individual warning messages about these virus
> files?
>
> Depends on its design.  At that point, the more important question is
> how/why the source is able to write 200 files that could potentially be
> viruses onto the disk - that indicates a massive sandbox failure on the
> part of the MUA or browswer or whatever.
>
> (And yes, I know it's *theoretically* possible that a webpage have 200
> alledged jpeg's on it that have malformed headers that cause a buffer
> overrun
> and a code exploit - but if you have *that*, you just want to send *one*
> so you can try to fly under the wire...)
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.