--- Jason Coombs <[EMAIL PROTECTED]> wrote:
> ...
> Antivirus software exists because viral code and malware exist. Malware signature databases coupled with antivirus software provide what I'll call "matter of fact, after the fact" security. It is a matter of fact that bytes matching an a/v vendor's malware signature must have malicious potential resembling a known virus, worm, Trojan, or other code analyzed in the past by the a/v software vendor and labeled as harmful.
> ...
> Updates to virus definitions occur after the fact, so everyone is always out-of-date and must keep paying in order to feel protected. This makes for a good business, but it doesn't make for very good security. In fact, it's completely backwards. Think about it for a moment, why should anyone go through the expense and the trouble of keeping a running list of all bad code ever encountered? We can prove
> ...
> Such a deny-first security policy would give computer owners the kind of control over their boxes that the introduction of automobile ignition keys gave to early motorists. The fact is that today's computers are still designed to accommodate arbitrary drivers as though the absence of security is a feature demanded by the marketplace.
> ...
> Not unlike the anti-driver purpose served by automobile ignition keys, or the anti-death purpose served by seatbelts, we must redesign our infosec safety precautions around the idea that the bad things that can happen are worse than the protections we must have to guard against them. Nobody would accept an out-of-date list of ways in which one can die in an automobile in lieu of a seatbelt, so why do we accept that an out-of-date list of bad code is a viable way to protect ourselves while we drive a computer?

I agree with many of the points you make in this post, but I have some objection to these statements.
I know you are talking about changing the way most people view computer software, which is wonderful, but to say that malware signatures (for whatever purpose, not just AV) or, as you seem to imply, signature-based controls in general, are useless is a bit too far-fetched. The car analogy you provide here is, IMHO, faulty and cannot be applied here. Automobile Ignition Keys are more comparable to Login Authentication and not to this scenario. Although signature creation is after-the-fact (of infection) for the signature developers, it is still before-the-fact for a user who is not yet affected by the malware. Even if mandatory controls are placed on the execution of software and the known vectors of infection are eliminated, new vectors will be found. And signature-based detection/prevention tools will be around for a long time more. Also, mandatory controls on execution will make the learning curve steeper for non-technical users, though it will be a gift for admins. :)

Thanks for the code!

Cheers,
--
S.G.Masood
(NO BIG FAN OF AV VENDORS)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
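An added example, not code from either poster, that models the two policies argued over in this thread: a signature database that blocks only patterns seen in past malware ("after the fact") versus a deny-first allowlist that runs only hashes the owner approved in advance. The byte blobs, pattern and file names are all constructed stand-ins, not real samples.

```python
import hashlib

# Constructed stand-ins for executables on a machine (not real files).
SAMPLES = {
    "known_worm.exe":     b"MZ...payload:" + b"\xde\xad\xbe\xef" * 4 + b"...",
    "worm_variant.exe":   b"MZ...payload:" + b"\xde\xad\xbe\xf0" * 4 + b"...",  # one byte changed
    "vendor_tool.exe":    b"MZ...vendor tool v1.0...",
    "vendor_tool_v2.exe": b"MZ...vendor tool v1.1...",  # legitimate update, not yet approved
}

# "After the fact" model: byte patterns taken from malware analyzed in the past.
SIGNATURE_DB = {"worm-family-A": b"\xde\xad\xbe\xef" * 4}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# "Deny first" model: the owner approved exactly one binary before any infection.
ALLOWLIST = {sha256(SAMPLES["vendor_tool.exe"])}


def signature_allows(data: bytes) -> bool:
    """Denylist: execution is allowed unless a known-bad pattern is present."""
    return not any(sig in data for sig in SIGNATURE_DB.values())


def allowlist_allows(data: bytes) -> bool:
    """Default deny: execution is allowed only for a hash approved in advance."""
    return sha256(data) in ALLOWLIST


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (allowed_by_signatures, allowed_by_allowlist)} per sample."""
    return {name: (signature_allows(d), allowlist_allows(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (sig_ok, allow_ok) in evaluate().items():
        print(f"{name:20} signatures: {'run':5}  allowlist: {'run' if allow_ok else 'block'}"
              if sig_ok else
              f"{name:20} signatures: block  allowlist: {'run' if allow_ok else 'block'}")
```

The run shows both sides of the argument: the one-byte variant escapes the signature check until a definition update arrives, while the allowlist blocks it unseen; but the allowlist also blocks the vendor's legitimate update until someone approves it, which is the administrative cost the reply points out.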