Prevention is definitely important, but risk management relies on logging and forensics as well, and those address post-incident activity.
You don't always get to prevent.

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Carl Houseman" <[email protected]>
Date: Fri, 23 Oct 2009 02:24:19
To: NT System Admin Issues <[email protected]>
Subject: RE: User who doesn't like logging off / shutting down

If a "deep scan" looks for modifications to the hosts file, I can see that as some benefit for after-the-fact notification. Now you're talking about a threat that is otherwise undetectable except for the changes it makes to files or registry areas that aren't monitored by realtime scanning.

But again, a scheduled scan doesn't do anything to *prevent* an infection that a realtime scan wouldn't also accomplish. The holy grail we're after is prevention. Signature-based detection is on the way out, and when it's gone, it will be because real-time detection of harmful behavior has finally been implemented effectively.

Carl

-----Original Message-----
From: Angus Scott-Fleming [mailto:[email protected]]
Sent: Friday, October 23, 2009 1:51 AM
To: NT System Admin Issues
Subject: Re: User who doesn't like logging off / shutting down

On 22 Oct 2009 at 21:30, Carl Houseman wrote:

> All this turmoil over scheduled scans... tell me, what do scheduled scans
> find that real-time scanning won't catch?

Stuff that has slipped under the radar: things that are new in the signature files and weren't there when the malware was infecting the machine. Some stuff that might be significant here might be a file which writes to the HOSTS file. It has already done its work, but the deep scan might find it and alert the sysadmin to its presence.

> Scheduled scans are about as useful as software firewalls...

For careful folks, I agree.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
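The after-the-fact hosts-file check the thread describes, as an added Python example that is not from the list thread or from any product mentioned in it: it diffs the current hosts file against a stored known-good baseline and flags added entries that point a name at a routable address. The hosts contents, domain names and addresses are constructed placeholders.

```python
"""Hosts-file change check (constructed example, not from the thread): diff the
current hosts file against a known-good baseline and flag added entries that
point a name at a routable address. Sample contents below are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]  # (hostname, address)
# Constructed known-good baseline, e.g. captured when the image was built.
BASELINE_HOSTS = """\
# baseline captured at image build (constructed)
127.0.0.1       localhost
::1             localhost
"""
# Constructed current file: one admin-made block, one redirected host.
CURRENT_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net       # blocked by admin (constructed)
203.0.113.5     update.example.com    # points at TEST-NET-3 (constructed)
"""

def parse_hosts(text: str) -> Set[Entry]:
    """Return (hostname, address) pairs; comments and blank lines are skipped."""
    entries: Set[Entry] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.add((name.lower(), addr))
    return entries

def needs_review(entry: Entry) -> bool:
    """True when the address is routable (not loopback/unspecified) or malformed."""
    try:
        ip = ipaddress.ip_address(entry[1])
    except ValueError:
        return True  # garbage in the address column is itself worth a look
    return not (ip.is_loopback or ip.is_unspecified)

def check_hosts(baseline: str, current: str) -> Dict[str, List[Entry]]:
    """Diff current against baseline; 'review' lists added entries to investigate."""
    base, cur = parse_hosts(baseline), parse_hosts(current)
    added = sorted(cur - base)
    return {"added": added, "removed": sorted(base - cur),
            "review": [e for e in added if needs_review(e)]}

if __name__ == "__main__":
    print(check_hosts(BASELINE_HOSTS, CURRENT_HOSTS))
```

Entries in "review" are leads for an analyst, not verdicts: a name mapped to a LAN address by an admin looks the same to this check as a redirect made by malware.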
