On Sun, Oct 13, 2002 at 10:44:47PM +0200, Kjetil Kjernsmo wrote:
> I have to admit that I've had a different view of the whole virus thing. I've
> used that view frequently when I rant about how bad windoze is, so if I'm
> totally off here, it would be nice to be told so by friends...:
>
> I mean, whatever viruses can exploit to propagate has to be a huge
> security hole, right?

If you're concerned only with the propagation of the virus/worm/etc then you
are mostly right. It takes all kinds. A seemingly secure system may still
potentially be used to infect other systems.

> So, the problem can't really be the virus, but rather the
> security hole that the virus is allowed to exploit, and virus scanners'
> purpose seems mainly to look for signs of exploits of known holes.

Not really. Perhaps you have an infected file in an archive, on a system that
is impervious to infection by the infected file. Then this archive is moved to
another system that it can infect. Use of a periodic virus scan most likely
would have located and nullified the potential for problems. TMK, a virus
scanner doesn't look for "signs of exploits" but rather signatures of reported
viruses. Additionally, some scanners (like the current version of clamav, soon
to be added to Debian) are potentially able to locate mutated versions of a
known strain.

> They have to be known, otherwise you wouldn't know what to look for.

See above.

> So, instead of patching the hole, the "get the latest
> definition"-paradigm tries to identify exploits of those holes.

It is but one layer, by itself not a complete solution.

> Imaginably, you could do the same thing as the virus, but silently
> and more directed, so that the anti-virus companies that produce
> definitions never hear about it and never respond to it, and the
> victim never notices (and doesn't notice e.g. a data theft, and doesn't
> notify their definition provider).

Sure, and this does happen, but as with most things, automation and scripting
have been applied.

> So, what role do the definitions play for a well-patched and well
> maintained system, other than identifying that something is going on?

Helping to ensure that data stored isn't infected. I for one don't like the
prospect of passing on an infected file to someone else, regardless of whether
my system(s) was affected by it.

> Are there unpatchable, intrinsic design flaws that could be exploited
> by viruses? If so, what is it that prevents exploits by anybody?

I don't know that I would say "unpatchable", but I'm sure that somewhere there
is a flaw that a virus can exploit. Why would one want to remove a possible
line of defense against a given exploit? For example, let's say that for some
reason an exploit is found and it will take a few hours or days to patch.
Meanwhile, the signature of the exploit is already known. In one case it
requires someone to write a patch to resolve the exploit, then for the affected
sysadmin(s) to acquire and apply said patch, after becoming aware of its
existence. On the other, it simply requires the signature of the exploit to be
added to a database, which in many cases is automatically updated. Looks like a
potentially significant difference in resolution time to me. Sure, the patch is
ultimately better, but the scanner signature definition can help.

-- 
Jamin W. Collins
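A worked illustration of the point made in this thread that a scanner matches signatures of known samples rather than exploits, and that scanning an archive catches an infected file even on a host the file cannot infect; this is an added example, not code from the original post or from ClamAV. The signature list, its format (an exact-hash entry plus a byte pattern with `??` single-byte wildcards, which still matches a simply mutated copy of a strain) and both sample "strains" are constructed for the example.

```python
import hashlib
import io
import re
import tarfile

# Constructed sample "strain"; its hash is the exact-match signature below.
SAMPLE_A = b"#!/bin/sh\necho constructed-sample-A\n"
# Constructed signature database (not ClamAV's format). md5 = hash of one exact
# file, defeated by any one-byte change. pattern = hex bytes where "??" matches
# any single byte, so a mutated copy still hits while the fixed bytes remain.
SIGNATURES = [
    {"name": "Sample.A", "kind": "md5", "value": hashlib.md5(SAMPLE_A).hexdigest()},
    {"name": "Sample.B", "kind": "pattern", "value": "4d41524b45523a????3a454e44"},  # MARKER:??:END
]

def pattern_to_regex(hex_pattern):
    """Compile a hex pattern with ?? wildcards into a bytes regex."""
    pairs = [hex_pattern[i:i + 2] for i in range(0, len(hex_pattern), 2)]
    body = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in pairs)
    return re.compile(body, re.DOTALL)

def scan_bytes(data):
    """Return the names of every signature that matches this file's bytes."""
    digest = hashlib.md5(data).hexdigest()
    hits = []
    for sig in SIGNATURES:
        if sig["kind"] == "md5" and digest == sig["value"]:
            hits.append(sig["name"])
        elif sig["kind"] == "pattern" and pattern_to_regex(sig["value"]).search(data):
            hits.append(sig["name"])
    return hits

def build_archive(files):
    """Pack {name: bytes} into an in-memory tar so the demo runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def scan_tar(tar_bytes):
    """Scan each regular file in the archive; return {member: [hits]} for flagged members only."""
    flagged = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                hits = scan_bytes(tar.extractfile(member).read())
                if hits:
                    flagged[member.name] = hits
    return flagged
```

Running `scan_tar(build_archive({...}))` over a tar holding a clean file, `SAMPLE_A`, and a file containing `MARKER:\x01\x02:END` flags only the last two; appending one byte to `SAMPLE_A` defeats the hash entry, while the wildcard entry still catches `MARKER:\xff\x00:END`.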