Damn, I'm going to get a good column out of this. 

Doc: What about gateway appliances? Is a signature system more
reasonable when you have a limited number of closed platforms?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]


-----Original Message-----
From: Drsolly [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 21, 2007 5:52 PM
To: Larry Seltzer
Cc: Richard M. Smith; [email protected]
Subject: RE: [funsec] Kaspersky strikes again

That's one of the big reasons why it isn't possible to write a
signature-based antivirus these days. You're caught in the nutcracker of
1) need to update frequently and 2) need to test adequately.

I don't see how it's possible to do daily updates, let alone hourly.
Even weekly updates sound too difficult.

On Fri, 21 Dec 2007, Larry Seltzer wrote:

> I remember years ago writing about the speed of updates necessary now
> for a/v vendors, and how Kaspersky talked about how they do it hourly.
> It basically makes it impossible to do meaningful tests.
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Richard M. Smith
> Sent: Friday, December 21, 2007 9:11 AM
> To: [email protected]
> Subject: [funsec] Kaspersky strikes again
> 
> 
> Kaspersky false alarm quarantines Windows Explorer
> Accidents will happen
>
> By John Leyden
> <http://forms.theregister.co.uk/mail_author/?story_url=/2007/12/20/kaspersky_false_alarm/>
> 20 Dec 2007 17:00
> http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/
> 
> A faulty signature update from Kaspersky Lab on Wednesday flagged up
> Windows Explorer (explorer.exe) as infected with a low-risk virus,
> Huhk-C. As a result the core Windows component was quarantined or
> worse.
>
> Kaspersky released a revised update alongside advice on how to recover
> legitimate system and application files from quarantine (the default
> setting) within two hours. But that's not much consolation for users
> that had set their software to auto-delete infected files, who found
> themselves with hosed systems.
>
> Among those affected was Reg reader Carl. "A false positive caused the
> deletion of explorer.exe," he reports. "It would have only caused
> problems for companies performing their network scan during the hours
> that the dodgy update was present - which included me, unfortunately.
> I was working out of hours to fix the previous Kaspersky update
> problem. I finally finished sorting it all at 5am."
> 
> ...
> 
> 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
