funsec mailing list archives

Re: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Thu, 26 Oct 2006 00:37:42 -0400

On 10/25/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
Blue Boar to Dude VanWinkle:

<<snip>>
> > Isn't that worth something?
>
> It's not a useless attempt, and I don't think they should necessarily
> get rid of it.  It's also not necessarily mutually exclusive with what
> McAfee and Symantec want.
>
> But Microsoft acting like having KPP has now eliminated all potential
> kernel attack vectors, and the need for other security software to act
> there, is a mistake.  Microsoft has now claimed that their software
> won't get to play there either.  And that's good, it changes the
> situation from Microsoft abusing a monopoly to Microsoft making a stupid
> mistake.
>
> Not that I believe that MS will actually keep their security software
> from playing where the other guys want to, but at least it's a claim we
> can look back on.
> http://www.microsoft.com/security/windowsvista/allchin.mspx

Yes...

By close analogy, the Sybari purchase is really interesting.  Sybari's
was the most reliable way of scanning Exchange message stores for
malware (and any other "inappropriate" or undesirable content)
_because_ they ignored the "officially sanctioned by MS and
encapsulated in this public API" approach and actually reversed
Exchange and developed something that _worked_.  Eventually MS bought
Sybari, so is doing it the unofficial way on Exchange now to be
sanctioned?

They actually had two modes: one was compliant, the other was not (I
forget the names).
Non-compliant mode had its issues and was not always the best product
for the health of your Exchange server, specifically for this reason.

McAfee and some others had just started integrating spam and phishing
filters into their SMTP AV engines and would strip out the offending
content. Of course they would first accept the email, then Antigen
would tell Exchange "I have a 17k message to put in the information
store" but would then deliver a 1k envelope with no content. They didn't
fix the issue for two months and I had to isinteg the information
store and then switch to the compliant mode.

Also, Antigen uses 7 engines, which would open your mail server up to
any vulnerabilities that came out for McAfee, Sophos, Kaspersky, CA
(Vet/Iris), Norman, etc., etc. This meant you had to stay on top of
the vulnerability mailing lists and disable a new engine each month.

Aside from that it was a great product, except of course it would put
all the AV scanning load on the same server that your end users
connected to, although they were planning a gateway edition, or at
least that's what they said when I dropped them  ;-)

Give me an SMTP gateway running MailFrontier any day.

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
