Yup. The EICAR[1] string is a good example as well. In notepad, it's 68 ASCII characters. In DOS, it's an executable. So is it code or is it text?
[1] http://eicar.org/85-0-Download.html

From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, April 18, 2012 12:31 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

Actually, to make this point better:

If I open a certain set of 0s and 1s in notepad.exe, it just displays the ASCII/Unicode character representation of those 1s and 0s on the screen.

If I open the same set of 0s and 1s in cscript.exe, then certain other actions get performed on the system.

The above is a fairly clear distinction, but there are plenty of scenarios that grey the boundary far more. As far as I'm concerned, it is very difficult to distinguish between data and code, except in the simplest of cases.

Cheers
Ken

From: Ken Schaefer [mailto:[email protected]]
Sent: Tuesday, 17 April 2012 11:12 AM
To: NT System Admin Issues
Subject: RE: Whitelisting

The first statement is wrong - there is no difference between data and code - they are just ones and zeros.

Now, an application can tell an OS that certain memory addresses contain code that should not be executed. But some other application, loading exactly the same ones and zeros, can tell the OS that it should be executable.

Cheers
Ken

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, 17 April 2012 2:28 AM
To: NT System Admin Issues
Subject: Re: Whitelisting

>>Data is code. Code is data. They're both strings of 1's and 0's.

No, they are most certainly not the same.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
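The EICAR point from the top of this thread, as an added example that is not part of the original messages: the same 68 bytes are read once as ASCII text and once as 16-bit x86 instructions. The function names and the small opcode table are this example's own, and the decoder assumes a .COM load address of 0x100 and handles only the opcodes this string uses.

```python
# Published 68-byte EICAR test string, split into pieces so this source file
# is not itself flagged by a scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE!$" + b"H+H*")
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
RM16 = ["bx+si", "bx+di", "bp+si", "bp+di", "si", "di", None, "bx"]

def as_text(data):
    """The notepad view: decode every byte as an ASCII character."""
    return data.decode("ascii")

def as_code(data, base=0x100):
    """The DOS view: decode bytes as 16-bit x86 up to the first jump.
    base=0x100 is where DOS loads a .COM image (assumed by this demo)."""
    out, i = [], 0
    while i < len(data):
        op, addr = data[i], base + i
        if 0x40 <= op <= 0x47:
            text, size = f"inc {REG16[op - 0x40]}", 1
        elif 0x50 <= op <= 0x57:
            text, size = f"push {REG16[op - 0x50]}", 1
        elif 0x58 <= op <= 0x5F:
            text, size = f"pop {REG16[op - 0x58]}", 1
        elif op in (0x25, 0x35):  # and/xor ax, imm16
            imm = int.from_bytes(data[i + 1:i + 3], "little")
            text, size = f"{'and' if op == 0x25 else 'xor'} ax, 0x{imm:04x}", 3
        elif op == 0x34:  # xor al, imm8
            text, size = f"xor al, 0x{data[i + 1]:02x}", 2
        elif op == 0x29:  # sub r/m16, r16 (register-indirect form only)
            mod, reg, rm = data[i + 1] >> 6, (data[i + 1] >> 3) & 7, data[i + 1] & 7
            if mod != 0 or rm == 6:
                raise ValueError(f"unsupported ModRM at 0x{addr:04x}")
            text, size = f"sub [{RM16[rm]}], {REG16[reg]}", 2
        elif op == 0x7D:  # jge rel8: end of the straight-line prefix
            rel = int.from_bytes(data[i + 1:i + 2], "little", signed=True)
            out.append((addr, f"jge 0x{addr + 2 + rel:04x}"))
            return out
        else:
            raise ValueError(f"unhandled opcode 0x{op:02x} at 0x{addr:04x}")
        out.append((addr, text))
        i += size
    return out

if __name__ == "__main__":
    print(as_text(EICAR))
    for addr, text in as_code(EICAR):
        print(f"{addr:04x}  {text}")
```

The two `sub [bx], si` instructions rewrite the trailing `H+H*` bytes at 0x140, the target of the final jump, into `int 21h` and `int 20h`, so those four bytes are text in the file and code only after the program has modified itself.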
