Re: The Coalition against Personal Firewalls
- From: "Jason Edwards" <none@xxxxxxxxxxxxxxx>
- Date: Tue, 6 Jun 2006 14:26:04 +0100
"Leythos" <void@xxxxxxxxxxx> wrote in message
news:sGehg.54359$P2.51220@xxxxxxxxxxxxxxxxxxxxxxxxx
In article <4ekvotF1fdip4U1@xxxxxxxxxxxxxx>, none@xxxxxxxxxxxxxxxPoC.
says...
We'll probably never know why AV vendors included a signature for Volker's
As far as I can tell there is no heuristic detection involved.
Sure you will, but you won't get it down the path you are taking - you
see, if something is a good enough example of how to exploit something,
well, it should be detected as such.
Why should a program which tells the browser to connect to www.dingens.org be
detected as a virus? Why should a program which tells the browser to connect to
www.download-more-viruses.com not be detected as a virus?
Making this change to Volker's program will change the signature and then it's
not a virus any more.
If you do not believe this then please do the following before replying.
1. Find a virus scanner which detects Volker's code as a virus.
2. Compile your own code which connects to a different http server.
Is the new code detected as a virus? And if so by which AV product?
Thank you for taking the time to perform this experiment and letting us know the
results.
I don't understand how you can fail
to see/rationalize that concept.
Anything that makes use of an exploit should be detected and
stopped/blocked as malware. AV software does not understand the
"Intenet" of the programmer, it understands the black/white functions of
the application, the vectors, and the actions.
I seriously doubt that any AV vendor has taken the time to put a
definition into their product to specifically detect VB's code, I would
expect, since it used the same method as other exploits, that it's being
detected by that, which is what anyone would expect.
Serious doubts are no good to me; I need facts which speak for themselves.
So please provide proof of your statement that "since it used the same method as
other exploits, that it's being detected by that".
I will accept this as a fact when you have proved that it is a fact.
To prove it as a fact you need only give me one AV tool (virus scanner) which
detects the code I compiled myself as a virus/malware. My code uses exactly the
same method unless there's something seriously wrong with the compiler.
Also I'll want to know when the scanner first detected Volker's code by the
methods it uses instead of by signature alone. It's no good if that's today or
some future time.
Thank you for taking the time to find and provide proof that Volker's code is
being detected (by AV software) by the method it uses and not just a signature.
Have a nice day.
Jason
--
spam999free@xxxxxxxxxx
remove 999 in order to email me
.
- References:
- Re: The Coalition against Personal Firewalls
- From: Jason Edwards
- Re: The Coalition against Personal Firewalls
- From: Jason Edwards
- Re: The Coalition against Personal Firewalls
- From: Jason Edwards
- Re: The Coalition against Personal Firewalls
- From: Lars M . Hansen
- Re: The Coalition against Personal Firewalls
- From: Jason Edwards
- Re: The Coalition against Personal Firewalls
- From: Lars M . Hansen
- Re: The Coalition against Personal Firewalls
- From: Jason Edwards
- Re: The Coalition against Personal Firewalls
- From: Lars M . Hansen
- Re: The Coalition against Personal Firewalls
- From: Volker Birk
- Re: The Coalition against Personal Firewalls
- From: Lars M . Hansen
- Re: The Coalition against Personal Firewalls
- From: Jason Edwards
- Re: The Coalition against Personal Firewalls
- Prev by Date: Re: NIS will not let me synchronize the PC Date/Time
- Next by Date: Block user access to websites using the ip addresses of the websites with PIX 515E
- Previous by thread: Re: The Coalition against Personal Firewalls
- Next by thread: Re: The Coalition against Personal Firewalls
- Index(es):
Relevant Pages
|
