From: Dustin Cook on 16 Jan 2010 01:43

http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo

--
"Is there anything in Guul Draz that doesn't suck the life out of you?" - Tarsa, Sea Gate sell-sword.

From: FromTheRafters on 16 Jan 2010 17:22

"Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message news:Xns9D02121AB16ACHHI2948AJD832(a)69.16.185.250...
> http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo

It's another case of terminology problems I think. If the filetype is non-executable - it *cannot* be infected so there is no need to scan it for *viruses*.

...now if you define virus more widely (to include worms) infection has little to do with it and non-executable files should be scanned - binary data in the registry even becomes a hiding place for code. You might as well include trojans in the mix, because replication is irrelevant to whether or not a file should be scanned by an antimalware application.

Now the question is if you trust Microsoft to know which filetypes (of their own creation) are executable and which are not (remembering WMF).

From: Ant on 16 Jan 2010 18:39

"FromTheRafters" wrote:
> Now the question is if you trust Microsoft to know which filetypes (of their own creation) are executable and which are not (remembering WMF).

Yes, indeed but such files are not "executables" in the way that exe and dll files are. However, it's wise to check these other types, not for "viruses", but for malformed headers, abnormal structure, etc. which might indicate the presence of an exploit.

Also, you can't rely on file extensions to determine the type. A file named "runme.txt", for example, will not be opened by notepad if it's really an executable (with an 'MZ' and 'PE' header) and the full name is typed at a command prompt. It will be run the same way as any conventionally named exe file.

This means that all files should be opened and read by a scanner, regardless of extension, in order to check their format even if no further scanning is done on a particular file.

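The content-based check described in Ant's post above, as an added example that is not part of any post in this thread: it ignores the file name, reads the 'MZ' magic and the PE signature located through the DOS header's e_lfanew field at offset 0x3C, and reports files whose content and extension disagree. The sample byte strings and every file name other than "runme.txt" are constructed for illustration.

```python
import struct

EXEC_EXTENSIONS = {".exe", ".dll"}  # the two types named in the thread

def sniff(data: bytes) -> str:
    """Classify by content only: 'pe', 'mz-no-pe' or 'other'."""
    if data[:2] != b"MZ":
        return "other"
    if len(data) < 0x40:
        return "mz-no-pe"  # too short to hold a full DOS header
    # e_lfanew (offset 0x3C): little-endian file offset of the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    # Plain DOS programs land here too, as do truncated or malformed files
    return "mz-no-pe"

def findings(files: dict) -> list:
    """Report (name, reason) where content and extension disagree."""
    out = []
    for name, data in files.items():
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        kind = sniff(data)
        if kind == "pe" and ext not in EXEC_EXTENSIONS:
            out.append((name, "PE content under a non-executable extension"))
        elif kind == "mz-no-pe":
            out.append((name, "MZ magic without a valid PE signature"))
        elif kind == "other" and ext in EXEC_EXTENSIONS:
            out.append((name, "executable extension without MZ magic"))
    return out

def make_pe_stub() -> bytes:
    """Constructed sample: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"

# Constructed inputs; only the name "runme.txt" comes from the thread
SAMPLES = {
    "runme.txt": make_pe_stub(),
    "notes.txt": b"plain text\n",
    "broken.txt": make_pe_stub()[:0x40] + b"XXXX",
    "tool.exe": make_pe_stub(),
}

if __name__ == "__main__":
    for name, reason in findings(SAMPLES):
        print(f"{name}: {reason}")
```
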
From: FromTheRafters on 16 Jan 2010 19:16

"Ant" <not(a)home.today> wrote in message news:ceWdnY7D0pbz08_WnZ2dnUVZ7sydnZ2d(a)brightview.co.uk...
> "FromTheRafters" wrote:
>
>> Now the question is if you trust Microsoft to know which filetypes (of their own creation) are executable and which are not (remembering WMF).
>
> Yes, indeed but such files are not "executables" in the way that exe and dll files are.

The WMF filetype example was designed to be, but many assumed it was not.

> However, it's wise to check these other types, not for "viruses", but for malformed headers, abnormal structure, etc. which might indicate the presence of an exploit.

The 'list' referred to (and linked to) on that site suggested that these files were not "infectable" by "viruses" and you need not scan them for "viruses". They didn't make it clear that other kinds of malware scanning software may have a need to scan them. Unfortunately, there is the possibility that those experts use the term "viruses" to mean malware - in which case it would be wrong to exclude any filetypes.

> Also, you can't rely on file extensions to determine the type.

That was mentioned on the MS page ISTR.

> A file named "runme.txt", for example, will not be opened by notepad if it's really an executable (with an 'MZ' and 'PE' header) and the full name is typed at a command prompt. It will be run the same way as any conventionally named exe file.

Certain extensions have special meanings to the OS (or associations set in the registry), but the actual format is what they refer to.

> This means that all files should be opened and read by a scanner, regardless of extension, in order to check their format even if no further scanning is done on a particular file.

Malware scanners, yes. The idea that certain filetypes and/or directories can be safely excluded from malware scanning is too 'brain-dead' an idea even for Microsoft. ...isn't it..?

Viruses, on the other hand, cannot infect non-executables, so non-executable filetypes need not be searched for them.

From: David H. Lipman on 16 Jan 2010 19:24

From: "FromTheRafters" <erratic(a)nomail.afraid.org>

< snip >

| Viruses, on the other hand, cannot infect non-executables, so non-executable filetypes need not be searched for them.

No, but they can be hidden or contained within through such techniques as steganography.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp