That's great for EXE files. But how would you handle DOC files (and similar things that include executable macros)?
On Wed, 16 Jul 2008, Richard M. Smith wrote:

> Another option is to have .EXE files digitally signed and the whitelist work
> off vendor names in digital certs and not .EXE MD5 file hashes. This
> strategy would cut down a great deal keeping a whitelist up to date for
> software updates.
>
> Richard
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Harley
> Sent: Wednesday, July 16, 2008 8:15 AM
> To: 'Drsolly'; 'Nick FitzGerald'
> Cc: 'funsec'
> Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting
>
> > > You're showing your age. ;-) Word macro viruses haven't been much
> > > of a problem for 6 or 7 years ever since Microsoft went to signed
> > > VBA code in Office.
>
> To be fair, the issue isn't really Word macro viruses: it's the fact that
> they represent a class of objects where executable code is found in places
> less obvious than a .EXE. A whitelisting solution that doesn't take them
> into account is obviously less effective.
>
> > > Breaking down the hoary old mindset that has allowed the patently
> > > stupid blacklisting approach to initially thrive, then survive for
> > > so long, will be whitelisting's biggest challenge to broader
> > > acceptability (and likely prevent it ever becoming widely used
> > > in the least IT-literate parts of the market such as the
> > > SOHO and individual user segment).
>
> Stop me if you've heard this before. Irrespective of the prejudices of the
> AV industry, the real problem is the sizeable market sector that thinks we
> should be able to detect every malicious program by name, and is enraged
> when we fail to do so. A sizeable subset of that group mistrusts any form of
> behaviour analysis because they believe in the magic power of names (which
> is why the industry continues to use reassuring names that sound specific
> but are actually generic...) Whitelisting doesn't have to be technically
> better: it just needs to be presented as a superior form of sympathetic
> magic.
>
> > The main problem with whitelisting, is the high cost of maintenance.
>
> As opposed to blacklisting, which is... oh, wait a minute. ;-)
>
> --
> David Harley, ESET Research Author
> AVIEN COO: http://www.avien.org
> http://www.smallblue-greenworld.co.uk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
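Added example, not code from the thread or from any product it mentions: a toy Python whitelist that allows executables by the vendor name in their signature rather than by per-file hash (Richard's suggestion) and that treats macro-bearing Office documents as executable content rather than passive data (David's point, and the question at the top). The signer is passed in as an argument as a stand-in for reading the file's Authenticode or VBA project signature; all vendor names and file bytes are constructed.

```python
import hashlib
import io
import zipfile

# Constructed policy data; a real deployment would read the signer from the
# file's Authenticode / VBA project signature instead of taking it as an argument.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy OLE2 .doc/.xls header
SIGNER_ALLOW = {"Example Software Ltd"}           # allowlist keyed by vendor name
HASH_ALLOW = set()                                # allowlist keyed by file hash

def ooxml_has_macros(data):
    """True if an OOXML package (docx/docm/xlsm...) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def is_executable_content(data):
    # PE binaries, macro-enabled OOXML, and legacy OLE2 documents, whose macro
    # streams cannot be ruled out without parsing the compound file.
    return data[:2] == b"MZ" or ooxml_has_macros(data) or data.startswith(OLE_MAGIC)

def decide(data, signer=None):
    """Passive data passes; executable content needs a listed hash or signer."""
    if not is_executable_content(data):
        return "allow: passive data"
    if hashlib.sha256(data).hexdigest() in HASH_ALLOW:
        return "allow: hash listed"
    if signer in SIGNER_ALLOW:
        return "allow: signed by listed vendor " + signer
    return "deny: executable content, neither hash nor signer listed"

def make_ooxml(with_macros):
    """Minimal constructed OOXML package built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed-vba")
    return buf.getvalue()

def demo():
    """Two builds of one signed app, then a plain and a macro-bearing document."""
    app_v1, app_v2 = b"MZ-constructed-build-1", b"MZ-constructed-build-2"
    HASH_ALLOW.add(hashlib.sha256(app_v1).hexdigest())  # list captured before update
    return [decide(app_v1, "Example Software Ltd"),  # allowed by hash
            decide(app_v2, "Example Software Ltd"),  # new hash unknown; signer carries it
            decide(app_v2, None),                    # unsigned update is refused
            decide(make_ooxml(False)),               # plain .docx: passive data
            decide(make_ooxml(True))]                # unsigned macro doc: refused
```

The second verdict is the maintenance saving Richard describes: the updated build is not in the hash list, yet the vendor-name rule still admits it, while an unsigned update and an unsigned macro document are both refused.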