Comments on anti-virus rants: fred cohen says anti-virus doesn't work
Feed last updated 2023-08-26T05:04:33.009-04:00. Blog author: kurt wismer (http://www.blogger.com/profile/03810635947269551517).

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2009-06-13T11:07:30.383-04:00:

@rob lewis:
"does that signify that AV controls are an either-or choice with no graduated scale in between?"

i'm not sure i see what you're getting at - i'm guessing you mean does av only block or allow the entire malware rather than blocking parts of the malware's function. some av products (specifically behavioural ones) are able to block individual functions that the malware attempts to carry out.

"I know that our technology uses context as the basis for behavior enforcement. I just don't know enough about AV to know if that exists in the AV realm. It seems to me that if it existed in AV you would not be able to make that statement."

behavioural enforcement does, yes. the degree to which context is included in the deliberation of whether to block or not block varies by implementation.

"As far as stripped down systems go, exokernels are very tailored, stripped down, hardened OSes for specific purposes. I imagine that if they were used for, say, ATMs or e-voting machines, they might be useful, or at least more secure than windows XP."

they'd be safer, for sure, and perhaps more secure - but perhaps not. coming back to the subject matter of this post, if the stripped down OS is still running on commodity hardware (traditional computer hardware) then there's still plenty of functionality left for malware to take advantage of. bootsector viruses are the perfect example as they execute before the operating system and are often OS agnostic (though they may not continue to operate properly after the OS has loaded).

Rob Lewis (http://www.trustifier.com), 2009-06-10T22:59:40.177-04:00:

"when an anti-virus stops a piece of malware from executing on your system it is effectively limiting your system's ability to perform the function that malware represents" - does that signify that AV controls are an either-or choice with no graduated scale in between?

I know that our technology uses context as the basis for behavior enforcement. I just don't know enough about AV to know if that exists in the AV realm. It seems to me that if it existed in AV you would not be able to make that statement.

As far as stripped down systems go, exokernels are very tailored, stripped down, hardened OSes for specific purposes. I imagine that if they were used for, say, ATMs or e-voting machines, they might be useful, or at least more secure than windows XP.

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2009-05-25T08:39:04.454-04:00:

@anonymous:
i'll get right on that.

@ryan:
yes i've tried kaspersky's product before - a long time ago when it was still called AVP.

i've heard good things about their more recent versions, i'm sure if that's what you're using it will serve you well. just don't put all your eggs in one basket - use non-scanning based tools and techniques in addition to the scanning based ones.

Kyan Jim (https://www.blogger.com/profile/15885203210845641514), 2009-05-25T01:04:53.156-04:00:

Have you tried out Kaspersky before?

Anonymous, 2009-05-23T04:59:05.896-04:00:

proper punctuation would be nice.

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2009-05-17T11:57:00.000-04:00:

@vess:
was i being hard on him? i threw away almost the entirety of my first draft in an effort to avoid that (i don't even do multiple drafts, usually)...

@david harley:
i agree with you, i doubt very much that people want limited functionality defenses - who chooses the less powerful option? who says to themselves "well y'know what, that's good enough"? not many people have that discipline...

i see tactical advantages to an approach that blends limited functionality with more conventional methods, but it would be difficult to get the average person to use such an approach...

the comparison to schneier is interesting but with schneier i feel fairly confident that when it comes to his specialty (crypto) he definitely knows what he's talking about... i get the feeling from both of you that you don't think viruses are really cohen's specialty - though that seems odd considering his background in the field...

David Harley (http://www.eset.com/threat-center/blog), 2009-05-17T10:45:00.000-04:00:

I don't think people want limited functionality defences. They cling to an image of AV that never existed, as a product that defends against all present and future malware without limited functionality and false positives. They often get enraged because AV can't really do all that, but stick with it anyway because they see it as promising them a solution where they don't have to take responsibility themselves for breaches.

I was at EICAR, but didn't catch the Cohen keynote. While you can't detract from the man's achievements in the beginning, and in other fields subsequently, I don't altogether get the feeling he wastes a lot of time thinking about this field. Like Schneier, his view is strictly 30,000 feet...

Vess (https://www.blogger.com/profile/09226866181634905270), 2009-05-17T01:29:00.000-04:00:

Don't be too hard on good ol' Fred. :) Remember - he's an academician first and everything else second. After all, this is the man who has proven mathematically that it is not possible to distinguish between computer viruses and other programs and that the traditional security (the discretionary access control model) cannot prevent a virus from spreading (he's not talking just about scanners, if you're left with such an impression).

The fact that his proof doesn't preclude the possibility of, say, distinguishing between viruses and normal programs for all viruses smaller than 10 terabytes, or that "precluding the virus from spreading" fails if the virus spreads to just one user on a 1000-user system after you've told him "run this file" and he's stupid enough to do so - such minor practical annoyances are beneath the great theoretical thinking of the good doctor... ;)