On Fri, 7 Nov 2008, Jim Murray wrote:
> Gadi Evron wrote:
>
>>
>> I feel your pain, but I personally believe that the AV world:
>> 1. Has no business doing web security.
>> 2. Will.
>
> I'd have to disagree with you on that one Gadi. Take for example the
> common practice of hosting multiple clients on a single server. It would
> be very useful for the hosting company to be able to automatically
> detect malicious files and remove them (ideally generating an
> administrative alert at the same time).
>
> Client FTP passwords do get compromised. Clients do use insecure
> versions of web applications. Clients frequently don't bother to update
> when bugfixes come out. All of those mean that client sites can and will
> get compromised regardless of how good the primary host's web security is.
>
> Anything which can automatically mitigate such problems can only be a
> good thing, surely.
>
> I don't see it as AV doing 'web security' as such. I see it as AV doing
> what AV is designed to do, detecting and removing malicious files.
> Dealing with how they got there is something which AV can't and
> shouldn't try to do - that's a job for the server's admin to do with
> their big, heavy stick ;)
Well, my meaning is that AV is useless technology here. Them starting to
sell products that:
1. Detect only some of the shells, reactively.
2. Slow down production servers.
is just wrong. The solution to inclusion attacks is straight-forward, and
detecting such shells is straight-forward as well. The AV industry getting
involved is a joke, although a practical one, which I made when I wrote my
original paper on the subject.
So, while John's work is as good as usual, his conclusion is one I
disagree with.
Gadi.
> Jim.
>
> --
> DigitalDaemons IT Services.
> ---------------------------------------
> E-Mail : [EMAIL PROTECTED]
> PGP Key ID : 0xB7066495
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>