[88848] in North American Network Operators' Group

Re: Quarantine your infected users spreading malware

daemon@ATHENA.MIT.EDU (Michael.Dillon@btradianz.com)
Tue Feb 21 08:01:23 2006

In-Reply-To: <43FB0928.1010808@linuxbox.org>
To: nanog@merit.edu
From: Michael.Dillon@btradianz.com
Date: Tue, 21 Feb 2006 13:03:38 +0000
Errors-To: owner-nanog@merit.edu


> > Offer them a free Windows
> > infection blocker program that imposes the quarantine
> > itself locally on the user's machine. This program
> > would use stealth techniques to hide itself in the
> > user's machine, just like viruses do.

> As the defense is local to the user's machine, the attacker can just
> kick it away.

How are they going to identify the code to throw
away? I believe that the state of the art for
AV software is to create randomly named EXE files
so that attackers cannot delete the running process,
and then the EXE file ensures that the installed
program and startup config are not tampered with.

If AV software can protect itself this way, why
would anyone build an infection blocker using
any less protection?

--Michael Dillon
