funsec mailing list archives
Re: idea
From: "nick hatch" <nicholas.hatch () gmail com>
Date: Sun, 4 Jan 2009 11:27:17 -0800
On Sun, Jan 4, 2009 at 5:27 AM, Rich Kulawiec <rsk () gsp org> wrote:
> You can *hope* it's executing the instructions you want it to, but "hope" is a poor security strategy. There is only one fix for this: wipe and reinstall.
Yes! I can't agree more. Once you run a Snort on a college resnet and work with students on infection remediation, your confidence in virus scanners is entirely destroyed. AV products should be treated as a diagnostic tool ONLY, e.g. if they catch an infection on a production network thank $DEITY that it actually worked and clued you in so you can flatten and reimage.

I know a lot more about Windows internals than I ever wanted to know, but even with in-depth knowledge and hours to dig around I'd never say that a box is clean if it's ever been infected. To trust a commercial service (e.g. Geek Squad) or AV to make that determination is asinine.

People don't like to hear this. I once got an absolutely furious call from a local comp shop with an "it's clean or it's free" type policy after a few students went back -- IDS logs in hand -- showing that their box was still infected. Sounds great on paper, but once you have "customers" (they're not paying you anymore) come back three or four times, it makes you look like a fool with a business plan which is either dishonest or just untenable.

-Nick