The NSRL has several issues that limit its usefulness. 1) The file signatures are scanned from the media, not from systems upon which they've been installed. This means it doesn't include the files inside .ZIP or .CAB files for example.
2) Many executables actually change when they're installed on to a system in ways unique to the system that they're installed on. To address this, we've written our own hashing algorithm which ignores sections of the executable which are likely to change during the installation process. 3) The list of programs and applications in the NSRL appears to be relatively random and mostly consists of programs which were donated to the NIST for this purpose. In short, we found the NSRL to be of limited usefulness for the purpose of authenticating popular enterprise software on installed systems. -John -----Original Message----- From: Elsner, Donald, ALABS [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 06, 2004 11:59 AM To: Donze, Erich; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Show me the Virrii! -----Original Message----- I like the idea of scanning for valid software. There are some problems with it that would need to be overcome, though: 1. Who makes the list, and keeps it updated? This would be a huge undertaking. ------------------- snip ----------------------------------- The U.S. Government is already doing this...... Please see National Software Reference Library (NSRL) (http://www.nsrl.nist.gov) Overview: The National Software Reference Library (NSRL) provides a repository of known software, file profiles, and file signatures for use by law enforcement and other organizations in computer forensics investigations. Industry Need Addressed: Investigation of computer files requires a tremendous effort to review individual files. A typical desktop computer contains between 10,000 and 100,000 files, each of which may need to be reviewed. Investigators need to eliminate as many known files as possible from having to be reviewed. An automated filter program can screen these files for specific profiles and signatures. If a specific file's profile and signature match the database of known files, then the file can be eliminated from review as a known file. Only those files that do not match would be subject to further investigation. In addition, investigators can search for files that are not what they claim to be (e.g., the file has the same name, size, and date of a common file, but not the same contents) or files that match a profile (e.g., hacking tools). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html