Security Incidents mailing list archives

Re: Want to write a disinfection tool?


From: aleph1 () securityfocus com
Date: Sun, 5 Aug 2001 20:28:35 -0600

* L. Christopher Paul (lcp () bofh sh) [010806 02:21]:
One question ... Mightn't this lead to a false sense of security?

With the CRv1 or CRv2 I can see this as being appropriate, but with CRII 
creating backdoors and then broadcasting the vulnerability, the incidence 
of compromises beyond the initial worm infestation is incredibly high.

By automating a 'fix', and not rebuilding the box, there is no guarantee 
that the box is safe to be re-connected to the network; only that the worm 
is gone and that it can't be re-infected.

If such a tool is built (which isn't all bad), it needs to be shipped with 
a big ol' warning to that effect.

Agreed. If anyone developed such a tool and if we decided to point people
to it from our warning message to administrators of possibly infected
machines, we would add such a warning. But realistically speaking, we are
talking about the same folks who have failed to patch their systems
after two highly publicized worms. The chances of them going through
the trouble of reinstalling the whole system are not very good. It's
good to give them an easy option that at the very least closes the
hole, and hope that the machine had not yet been found by an attacker
and modified further.

--lcp

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
