RE: Strange servicepack.exe file (not service.exe) found.
From: John Ives (jives_at_cchem.berkeley.edu)
Date: 12/18/03
- Previous message: Harlan Carvey: "RE: Strange servicepack.exe file (not service.exe) found."
- In reply to: Rob Shein: "RE: Strange servicepack.exe file (not service.exe) found."
- Next in thread: Harlan Carvey: "RE: Strange servicepack.exe file (not service.exe) found."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Dec 2003 16:09:05 -0800 To: <incidents@securityfocus.com>
There are two answers to this. The first is that it be a default option
that can be turned off by support staff. The second is that IT staff could
(while building their distribution system, e.g. ghost images, etc.)
pre-approve the supported app.
Of course, my perspective is always clouded by the realities of supporting
people on a university campus. This feature may not be necessary for
corporations, but it would help us.
John
At 06:45 PM 12/17/2003 -0500, Rob Shein wrote:
>I can't imagine this concept working. Imagine how users would react if VNC
>were used in the workplace (as it is in some companies I know of), and it
>popped up as a possible trojan or sign of compromise, because it's sometimes
>used that way by hackers. End users, who are the majority of people using
>antivirus solutions, are prone to overreaction and panic, particularly where
>viruses are concerned. While giving the user more information and letting
>them come to their own conclusion is theoretically the best way, actually
>implementing that solution is going to cause massive problems from a support
>perspective.
>
> > -----Original Message-----
> > From: John Ives [mailto:jives@cchem.berkeley.edu]
> > Sent: Wednesday, December 17, 2003 2:05 PM
> > To: incidents@securityfocus.com
> > Subject: RE: Strange servicepack.exe file (not service.exe) found.
> >
> >
> > One of the things I have noticed with Symantec (and I am sure other vendors
> > do the same thing) is that files that have both good and bad uses are
> > considered good, no matter how rarely they are used that way.
> >
> > A better system would be a prompt informing the user of the file's name,
> > location and any relevant information about its legitimate uses and asking
> > if this was running intentionally. If so it should take a hash of the file
> > and its directory path, archive that information to a file, digitally sign
> > the file and use it as a reference whenever it does future scans. If it is
> > not intentionally being run then quarantine it and notify the user that, if
> > there are any problems they can un-quarantine the file by doing x y and z.
> >
> > This isn't an absolute answer, because it still relies on the user to make
> > sound decisions, but it would help alleviate problems caused by legitimate
> > files performing illegitimate actions.
-------------------------------------------------
John Ives, GCWN, GCIH, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033
"If you spend more on coffee than on IT security, Then you will be hacked.
What's more, you deserve to be hacked." - Richard Clarke
Any opinions expressed are my own and not those of the Regents of the
University of California.
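
The approval record proposed in the quoted message (hash of the file plus its path, archived to a reference file that is integrity-protected and consulted on later scans), as an added example that is not part of the original thread or any vendor's code. It assumes an HMAC-SHA256 tag in place of a digital signature; the function names, file names, JSON layout and key are all hypothetical or constructed.

```python
import hashlib, hmac, json, os, tempfile

def file_hash(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _tag(key, entries):
    # Canonical JSON so the same entries always produce the same tag.
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def load(store, key):
    # Refuse to use a reference file whose tag does not verify.
    with open(store) as f:
        doc = json.load(f)
    if not hmac.compare_digest(doc["tag"], _tag(key, doc["entries"])):
        raise ValueError("reference file failed integrity check")
    return doc["entries"]

def approve(store, key, path):
    # Called when the user answers "yes, this is running intentionally".
    entries = load(store, key) if os.path.exists(store) else {}
    entries[os.path.abspath(path)] = file_hash(path)
    with open(store, "w") as f:
        json.dump({"entries": entries, "tag": _tag(key, entries)}, f)

def scan(store, key, path):
    # prompt = never approved at this path; changed = approved path, new content.
    known = load(store, key).get(os.path.abspath(path))
    if known is None:
        return "prompt"
    return "approved" if known == file_hash(path) else "changed"

def demo():
    d = tempfile.mkdtemp()
    key = b"constructed-demo-key"               # constructed; a real tool must protect it
    store = os.path.join(d, "approved.json")
    tool = os.path.join(d, "remote-admin.exe")  # constructed sample file
    copy = os.path.join(d, "servicepack.exe")   # same bytes, different path
    for p in (tool, copy):
        with open(p, "wb") as f:
            f.write(b"constructed sample bytes")
    approve(store, key, tool)
    results = [scan(store, key, tool), scan(store, key, copy)]
    with open(tool, "ab") as f:
        f.write(b" modified after approval")
    return results + [scan(store, key, tool)]
```

Because the record is keyed on the path as well as the hash, an approved tool copied to another location still triggers the prompt, and an approved path whose content later changes is reported rather than trusted.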