Re: Trojan horse Downloader.Generic.ML
From: kurt wismer (kurtw_at_sympatico.ca)
Date: Sat, 18 Jun 2005 00:36:09 -0400
Ron Reaugh wrote:
> "kurt wismer" <email@example.com> wrote in message
>>Jason Edwards wrote:
>>>Virus scanners are useless for exactly the reason that you are
>>>understandably upset about discovering for yourself. You thought you
>>>were doing everything possible but you still got a trojan.
>>fallibility is not the same as uselessness... no security is perfect,
>>does that render all security useless? no...
> RIGHT, and your view plus the apparent failure of the normal model in my
> case is why I'm the OP of this thread and am trolling for hints about an
> improved model.
there will always be occasional failures, it's just a fact of life...
to try and deal with the failures in preventative measures one must
realize there's more to security than just preventative measures, and
there's more to preventative measures than just using the best scanner...
within the realm of preventative measures there's OS hardening and
keeping your applications/OS up-to-date and patched... there's process
whitelisting (i don't know about other software firewalls but kerio
personal firewall has something called application launch control which
is sort of along those lines)... also, on the behavioural side there's
the simple avoidance of new executable material (i.e. keep your playing
around with new software/cracks/keygens/whatever to a bare minimum)...
besides preventative measures there are also detective and restorative
measures... detective measures include virus detectors (we actually use
their detective capabilities to try and implement a preventative measure)
but also change detectors (integrity checkers),
network/registry/filesystem/process monitoring tools, so-called rootkit
detection software, an observant user, etc... restorative measures are,
of course, the various backup facilities that are available, the
dedicated malware removal tools when available, and detailed manual
removal instructions when available...
when gauging how effective your security response to an incident was you
need to look at the whole picture, not just part... so your preventative
measures failed - how quickly were your detective measures able to sound
the alarm and how easy was it to recover?
if the only issue is the frequency of preventative failures then look at
exactly what security (not necessarily software) vulnerability is
involved in those failures and tighten that up...
-- "they threw a rope around yer neck to watch you dance the jig of death then left ya for the starvin' crows, hoverin' like hungry whores one flew down plucked out yer eye, the other he had in his sights ya snarled at him, said leave me be - i need the bugger so i can see"