funsec mailing list archives

Re: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 26 Oct 2006 18:02:15 +1300

Dude VanWinkle to me:

They actually had two modes, one was compliant, the other was not (I
forget the names).
Non-compliant mode had its issues and was not always the best product
for the health of your Exchange server, specifically for this reason.
<<snip>>

I didn't say it was perfect, just "better" (for an undefined meaning of 
"better"...).

It seems you obviously did not use it before MS (mostly) fixed its 
first and second runs at its quarter-arsed implementation of the 
official Exchange AV API.  If you had been using Sybari back then on a 
server receiving more than a few message delivery or retrieve requests 
per minute, you would know that the "officially sanctioned" MS approach 
_could not by design and/or implementation_ intercept _ALL_ message 
delivery/retrieve events and thus "virus infected" messages could be 
delivered into the store from outside _and_ retrieved by a user without 
the scanner(s) you had hanging off the MS API ever getting a chance to 
see them.  You'd also know that the MS implementation, _by design_ 
could not allow for scanning message _bodies_ which meant any scanning 
solution depending on the official method was blind to things like 
Bumblebee and Kak (the latter being quite probably the most widespread 
self-mailing virus ever, or at least until some of the massively fast 
self-mailing binary viruses several years later).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
