RE: Strange servicepack.exe file (not service.exe) found.

From: Rob Shein (shoten_at_starpower.net)
Date: 12/18/03

    To: "'John Ives'" <jives@cchem.berkeley.edu>, <incidents@securityfocus.com>
    Date: Wed, 17 Dec 2003 18:45:10 -0500
    
    

    I can't imagine this concept working. Imagine how users would react if VNC
    were used in the workplace (as it is in some companies I know of), and it
    popped up as a possible trojan or sign of compromise, because it's sometimes
    used that way by hackers. End users, who are the majority of people using
    antivirus solutions, are prone to overreaction and panic, particularly where
    viruses are concerned. While giving the user more information and letting
    them come to their own conclusion is theoretically the best way, actually
    implementing that solution is going to cause massive problems from a support
    perspective.

    > -----Original Message-----
    > From: John Ives [mailto:jives@cchem.berkeley.edu]
    > Sent: Wednesday, December 17, 2003 2:05 PM
    > To: incidents@securityfocus.com
    > Subject: RE: Strange servicepack.exe file (not service.exe) found.
    >
    >
    > One of the things I have noticed with Symantec (and I am sure other vendors
    > do the same thing) is that files that have both good and bad uses are
    > considered good, no matter how rarely they are used that way.
    >
    > A better system would be a prompt informing the user of the file's name,
    > location and any relevant information about its legitimate uses and asking
    > if this was running intentionally. If so it should take a hash of the file
    > and its directory path, archive that information to a file, digitally sign
    > the file and use it as a reference whenever it does future scans. If it is
    > not intentionally being run then quarantine it and notify the user that, if
    > there are any problems they can un-quarantine the file by doing x y and z.
    >
    > This isn't an absolute answer, because it still relies on the user to make
    > sound decisions, but it would help alleviate problems caused by legitimate
    > files performing illegitimate actions.
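
The reference file proposed in the quoted message (a hash of the approved file plus its directory path, signed and consulted on later scans), sketched as an added example that is not part of either post or of any antivirus product. HMAC-SHA256 with a locally held key stands in for the digital signature, and the file names, key and verdict strings are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _mac(key, entries):
    # Canonical JSON so identical entries always yield the same MAC.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def approve(manifest, key, path):
    """User confirmed the file is intentional: record path + hash, re-sign."""
    entries = dict(manifest.get("entries", {}))
    entries[os.path.realpath(path)] = file_sha256(path)
    return {"entries": entries, "mac": _mac(key, entries)}

def check(manifest, key, path):
    """Verdict for a dual-use file met on a later scan."""
    entries = manifest.get("entries", {})
    if not hmac.compare_digest(manifest.get("mac", ""), _mac(key, entries)):
        return "manifest-tampered"   # reference file was edited without the key
    expected = entries.get(os.path.realpath(path))
    if expected is None:
        return "unknown"             # never approved at this location: prompt
    if not hmac.compare_digest(expected, file_sha256(path)):
        return "changed"             # approved path, different contents
    return "approved"

def demo():
    key = b"constructed-demo-key"    # assumption: kept where malware cannot read it
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "remote_admin.exe")   # constructed sample file
        copy = os.path.join(d, "servicepack.exe")    # same bytes, other path
        for p in (tool, copy):
            with open(p, "wb") as f:
                f.write(b"constructed sample bytes")
        m = approve({}, key, tool)
        out = [check(m, key, tool), check(m, key, copy)]
        # Entry added by hand while reusing the old MAC: must be rejected.
        forged = {"entries": {**m["entries"], os.path.realpath(copy): file_sha256(copy)},
                  "mac": m["mac"]}
        out.append(check(forged, key, copy))
        with open(tool, "ab") as f:
            f.write(b"!")            # approved file modified after approval
        out.append(check(m, key, tool))
    return out

if __name__ == "__main__":
    print(demo())
```

Binding the hash to the path is what makes the same binary dropped in a different directory fall back to a prompt instead of inheriting the earlier approval.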
