On Dec 22, 2007 10:35 AM, Larry Seltzer <[EMAIL PROTECTED]> wrote:
> Even so, there would be so much less testing to do, wouldn't there?
> After all, on an appliance users can't just arbitrarily install
> applications (not and expect support).
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Drsolly [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 21, 2007 6:29 PM
> To: Larry Seltzer
>
> Cc: [email protected]; Richard M. Smith
> Subject: RE: [funsec] Kaspersky strikes again
>
> On Fri, 21 Dec 2007, Larry Seltzer wrote:
>
> > Damn, I'm going to get a good column out of this.
> >
> > Doc: What about gateway appliances? Is a signature system more
> > reasonable when you have a limited number of closed platforms?
>
> You've misunderstood my concern.
>
> If you update your sigs hourly, then you have less than an hour to do
> all the testing. It doesn't matter how many computers are running the
> new version; they're all running something that has had less than an
> hour of testing, and I don't really want to run something that has been
> tested for less than an hour, on my systems.

sorry but i don't see how 'hourly releases' translates into 'one hour
of testing'. that seems like an assumption on your part, it's not a
direct result of that strategy.

you need to look at the actual number of signatures they generate
internally. if they only write one once an hour, then that's the one
they must release. but if they write more than that, or have a
stockpile they release from, then clearly they can spend more than one
hour testing.


> A month would probably be enough. A day would probably not be enough.
>
> Flagging "Explorer.exe" puts me in mind of when Fredrik issued a sig
> that false-alarmed on Command.com in the Virus Bulletin publication. We
> called that "The mother of all false alarms".

-- 
mike
http://lets.coozi.com.au/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
