So since there's no on-access scanning on a gateway device, the only way
to test it is with on-access devices internal to it?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]


-----Original Message-----
From: Drsolly [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 21, 2007 7:17 PM
To: Larry Seltzer
Cc: funsec@linuxbox.org; Richard M. Smith
Subject: RE: [funsec] Kaspersky strikes again

On Fri, 21 Dec 2007, Larry Seltzer wrote:

> Even so, there would be so much less testing to do, wouldn't there?
> After all, on an appliance users can't just arbitrarily install 
> applications (not and expect support).

A signature system uses a single common database across all its
incarnations. If you leave out some sigs on gateway appliances, users
will scream when they find out. So, the testing of the database is
common across all platforms.

Would you be willing to have a gateway that, by design, allows Huhk-C to
get through?


 
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
> 
> 
> -----Original Message-----
> From: Drsolly [mailto:[EMAIL PROTECTED] 
> Sent: Friday, December 21, 2007 6:29 PM
> To: Larry Seltzer
> Cc: funsec@linuxbox.org; Richard M. Smith
> Subject: RE: [funsec] Kaspersky strikes again
> 
> On Fri, 21 Dec 2007, Larry Seltzer wrote:
> 
> > Damn, I'm going to get a good column out of this. 
> > 
> > Doc: What about gateway appliances? Is a signature system more 
> > reasonable when you have a limited number of closed platforms?
>  
> You've misunderstood my concern.
> 
> If you update your sigs hourly, then you have less than an hour to do
> all the testing. It doesn't matter how many computers are running the
> new version; they're all running something that has had less than an
> hour of testing, and I don't really want to run something that has been
> tested for less than an hour, on my systems.
> 
> A month would probably be enough. A day would probably not be enough.
> 
> 
> Flagging "Explorer.exe" puts me in mind of when Fredrik issued a sig
> that false-alarmed on Command.com in the Virus Bulletin publication. We
> called that "The mother of all false alarms".
> 
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blogs.pcmag.com/securitywatch/
> > Contributing Editor, PC Magazine
> > [EMAIL PROTECTED]
> > 
> > 
> > -----Original Message-----
> > From: Drsolly [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 21, 2007 5:52 PM
> > To: Larry Seltzer
> > Cc: Richard M. Smith; funsec@linuxbox.org
> > Subject: RE: [funsec] Kaspersky strikes again
> > 
> > That's one of the big reasons why it isn't possible to write a
> > signature-based antivirus these days. You're caught in the nutcracker
> > of 1) need to update frequently and 2) need to test adequately.
> > 
> > I don't see how it's possible to do daily updates, let alone hourly.
> > Even weekly updates sound too difficult.
> > 
> > On Fri, 21 Dec 2007, Larry Seltzer wrote:
> > 
> > > I remember years ago writing about the speed of updates necessary
> > > now for a/v vendors, and how Kaspersky talked about how they do it
> > > hourly. It basically makes it impossible to do meaningful tests.
> > > Larry Seltzer
> > > eWEEK.com Security Center Editor
> > > http://security.eweek.com/
> > > http://blogs.pcmag.com/securitywatch/
> > > Contributing Editor, PC Magazine
> > > [EMAIL PROTECTED]
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Richard M. Smith
> > > Sent: Friday, December 21, 2007 9:11 AM
> > > To: funsec@linuxbox.org
> > > Subject: [funsec] Kaspersky strikes again
> > > 
> > > 
> > > Kaspersky false alarm quarantines Windows Explorer
> > > Accidents will happen
> > > 
> > > By John Leyden
> > > 20 Dec 2007 17:00
> > > http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/
> > > 
> > > A faulty signature update from Kaspersky Lab on Wednesday flagged up
> > > Windows Explorer (explorer.exe) as infected with a low-risk virus,
> > > Huhk-C. As a result the core Windows component was quarantined or
> > > worse.
> > > 
> > > Kaspersky released a revised update alongside advice on how to recover
> > > legitimate system and application files from quarantine (the default
> > > setting) within two hours. But that's not much consolation for users
> > > that had set their software to auto-delete infected files, who found
> > > themselves with hosed systems.
> > > 
> > > Among those affected was Reg reader Carl. "A false positive caused the
> > > deletion of explorer.exe," he reports. "It would have only caused
> > > problems for companies performing their network scan during the
> > > hours that the dodgy update was present - which included me,
> > > unfortunately. I was working out of hours to fix the previous Kaspersky
> > > update problem. I finally finished sorting it all at 5am."
> > > 
> > > ...
> > > 
> > > 
> > 
> > 
> 
> 
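
Drsolly's "nutcracker" (update frequently vs. test adequately) and the Register story about explorer.exe both come down to one pre-release check: run every candidate signature over a corpus of known-good files before it ships, and hold back only the offending ones so the rest can still go out on schedule. The Python below is an added illustration for this thread, not code from Kaspersky or from anyone posting here; the corpus contents, the over-broad "Huhk-C (bad)" pattern and the SHA-256 allowlist are all constructed. It also shows the endpoint-side mitigation for the auto-delete case: a file whose hash is on a known-good allowlist is reported, never quarantined, even when a bad signature slips through.

```python
import hashlib
import re

# Constructed stand-ins for a vendor's clean-file corpus (a real corpus
# holds the actual binaries); the byte contents are made up for this example.
CLEAN_CORPUS = {
    "explorer.exe": b"MZ\x90\x00SHELL32 EXPLORER FRAME" + b"\x00" * 8,
    "command.com":  b"COMMAND.COM DOS SHELL" + b"\x00" * 8,
    "notepad.exe":  b"MZ\x90\x00NOTEPAD" + b"\x00" * 8,
}

# Constructed candidate update. "Huhk-C (bad)" is a hypothetical,
# over-broad pattern that happens to match the clean explorer.exe above.
CANDIDATE_SIGS = {
    "Huhk-C (bad)": rb"EXPLORER",
    "Sample-A": rb"DROPPER\x01\x02",
}

def scan(data, sigs):
    """Names of the signatures whose pattern occurs anywhere in data."""
    return sorted(n for n, pat in sigs.items() if re.search(pat, data))

def fp_gate(sigs, corpus):
    """Pre-release check: map each offending signature to the clean files
    it hits. An empty result means the update is allowed to ship."""
    hits = {}
    for fname, data in corpus.items():
        for n in scan(data, sigs):
            hits.setdefault(n, []).append(fname)
    return hits

def release_set(sigs, corpus):
    """Hold back the offending signatures; return (shippable, held_back)."""
    bad = fp_gate(sigs, corpus)
    return {n: p for n, p in sigs.items() if n not in bad}, bad

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Endpoint-side allowlist of known-good system file hashes, derived here
# from the constructed corpus.
ALLOWLIST = {sha256(d) for d in CLEAN_CORPUS.values()}

def verdict(data, sigs, allowlist=ALLOWLIST):
    """Scanner decision: allowlisted files are reported for review rather
    than quarantined or deleted, even if a bad signature fires on them."""
    if not scan(data, sigs):
        return "clean"
    return "report-only" if sha256(data) in allowlist else "quarantine"
```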


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
