funsec mailing list archives
Re: Texas Bank Dumps Antivirus for Whitelisting
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 16 Jul 2008 17:25:37 +1200
Richard M. Smith to DrSolly (tho I didn't see Alan's response on the list):
> > Another one who hasn't heard of Word macro viruses and similar.
>
> You're showing your age. ;-) Word macro viruses haven't been much of a problem for 6 or 7 years ever since Microsoft went to signed VBA code in Office.
That's Alan's standard, ill-considered, response to any suggestion of using whitelisting (or various other integrity management-oriented products) over blacklisting (aka "conventional known virus detection enhanced, or not, with heuristics, behaviour analysis, etc, etc") since a few days after his (former) conventional AV product included proper handling of Word format files. It totally ignores that "proper" whitelisting implementations, _just like_ proper blacklisting implementations, have to know how to locate and identify all kinds of code in all the kinds of files likely to be encountered by the system one is trying to protect. _IF_ it is a carte blanche argument against whitelisting, as Alan's common use of it tends to suggest, then it is an equally damning argument against blacklisting.

Assuming that we think either (or both) types of "listing" may reasonably survive despite Alan's reputedly telling blow, then whitelisting certainly faces by far the less complex _technical_ problem. Breaking down the hoary old mindset that has allowed the patently stupid blacklisting approach to initially thrive, then survive for so long, will be whitelisting's biggest challenge to broader acceptability (and likely prevent it ever becoming widely used in the least IT-literate parts of the market such as the SOHO and individual user segment).
> However similar problems do exist with scripting code run by the Windows Scripting Host. Perhaps WSH doesn't get whitelisted?
The biggest problem here, both for whitelisting and blacklisting, is the gross stupidity of the designers of the WWW and their adoption of embedded scripting combined with an object model that encourages (in fact, almost requires) the widespread use (and thus client device support for) the greatest of programming evils -- self-modifying code. Security considerations were clearly not just far from, but utterly foreign to, the minds of these folk. In some senses we'd have been much better off if Harvard architecture, rather than von Neumann architecture, had won out in the early days of computing...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
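An added illustration of Nick's point that a whitelister, exactly like a scanner, has to locate and identify code inside the files it meets (example code added here, not from the list or from any product mentioned in the thread): a hash allowlist that treats bare files as code, but opens OOXML documents and judges only the embedded vbaProject.bin macro storage. Hash matching stands in for the signed-VBA checks the thread refers to, and all sample inputs are constructed placeholders.

```python
import hashlib
import io
import zipfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_ooxml(data: bytes) -> bool:
    # OOXML (docx/docm/xlsm/...) is a zip whose root lists part content types.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def macro_parts(data: bytes) -> dict:
    """Return {part name: bytes} for VBA macro storages inside an OOXML file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if n.lower().endswith("vbaproject.bin")}

def decide(data: bytes, allowlist: set) -> tuple:
    """Allow/deny a file under a hash allowlist, looking inside containers."""
    if not is_ooxml(data):
        # Anything that is not a recognised document is treated as code:
        # it runs only if its whole-file hash was approved.
        if sha256(data) in allowlist:
            return ("allow", "whole-file hash is on the allowlist")
        return ("deny", "unlisted code")
    macros = macro_parts(data)
    if not macros:
        return ("allow", "document carries no embedded code")
    # The document itself is data and changes constantly; only the code
    # embedded in it must match the allowlist.
    for name, blob in macros.items():
        if sha256(blob) not in allowlist:
            return ("deny", f"unlisted macro code in {name}")
    return ("allow", "all embedded macro code is on the allowlist")

def build_ooxml(parts: dict) -> bytes:
    """Constructed minimal OOXML-shaped zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()

# Constructed sample inputs (placeholders, not real binaries or macros).
APPROVED_EXE = b"MZ approved-build-placeholder"
APPROVED_MACRO = b"vba approved-macro-placeholder"
ALLOWLIST = {sha256(APPROVED_EXE), sha256(APPROVED_MACRO)}
```

A document with an unlisted vbaProject.bin is denied even though no document hash is ever on the list, which is the container-awareness that a whole-file hash check alone lacks.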