funsec mailing list archives

Re: idea


From: "nick hatch" <nicholas.hatch () gmail com>
Date: Sun, 4 Jan 2009 11:27:17 -0800

On Sun, Jan 4, 2009 at 5:27 AM, Rich Kulawiec <rsk () gsp org> wrote:


> You can *hope* it's executing the instructions you want it to,
> but "hope" is a poor security strategy.
>
> There is only one fix for this: wipe and reinstall.


Yes! I can't agree more. Once you run Snort on a college resnet and work
with students on infection remediation, your confidence in virus scanners is
entirely destroyed.

AV products should be treated as a diagnostic tool ONLY, e.g. if they catch an
infection on a production network, thank $DEITY that it actually worked and
clued you in so you can flatten and reimage.

I know a lot more about Windows internals than I ever wanted to know, but
even with in-depth knowledge and hours to dig around I'd never say that a
box is clean if it's ever been infected. To trust a commercial service (e.g.
Geek Squad) or AV to make that determination is asinine.

People don't like to hear this. I once got an absolutely furious call from a
local comp shop with a "it's clean or it's free" type policy after a few
students went back -- IDS logs in hand -- showing that their box was still
infected. Sounds great on paper, but once you have "customers" (they're not
paying you anymore) come back three or four times, it makes you look like a
fool with a business plan which is either dishonest or just untenable.

-Nick
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.