On Wed, 16 Jul 2008, David Harley wrote:

> > > > You're showing your age. ;-) Word macro viruses haven't been much
> > > > of a problem for 6 or 7 years ever since Microsoft went to signed
> > > > VBA code in Office.
>
> To be fair, the issue isn't really Word macro viruses: it's the fact that
> they represent a class of objects where executable code is found in places
> less obvious than a .EXE. A whitelisting solution that doesn't take them
> into account is obviously less effective.

Right - I was using Word macros as an example of something that whitelisting finds very hard to handle.

> > > Breaking down the hoary old mindset that has allowed the
> > > patently stupid blacklisting approach to initially thrive, then
> > > survive for so long, will be whitelisting's biggest challenge to
> > > broader acceptability (and likely prevent it ever becoming widely used
> > > in the least IT-literate parts of the market such as the SOHO and
> > > individual user segment).
>
> Stop me if you've heard this before. Irrespective of the prejudices of the
> AV industry, the real problem is the sizeable market sector that thinks we
> should be able to detect every malicious program by name, and is enraged
> when we fail to do so. A sizeable subset of that group mistrusts any form of
> behaviour analysis because they believe in the magic power of names (which
> is why the industry continues to use reassuring names that sound specific
> but are actually generic...) Whitelisting doesn't have to be technically
> better: it just needs to be presented as a superior form of sympathetic
> magic.
>
> > The main problem with whitelisting, is the high cost of maintenance.
>
> As opposed to blacklisting, which is... oh, wait a minute. ;-)

... cheaper. Because you have to add *all* the costs up, not just the cost of the software.

Also - here's an unusual thought - an AV doesn't have to be 100% effective in warding off viruses (fortunately). There's a tradeoff applicable.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
