Products that are generally labeled "AV" today are ones that "look for something" and must be triggered to do so, for the most part, by file activity (or via "Scan now"). There is another category of product that NAI has been pushing a lot this year and calling Intrusion Prevention. We include in this category products that don't need "quite as much" updating and that have technologies that people don't associate with "string matching." Frankly, the world has equated for too long this notion that AV == string match. Instead, AV more accurately represents, "We already have you on our machines, could you also do this...?" And of course, from the other angle, "Ours is better because we *also* do X, Y, and Z."

Anyway, I alluded to the notion that file-based triggers were changing in the future. And the obvious reason is the worms that hit without creating a file. We have another product in the Intrusion Prevention space that is triggered off other events, such as unusual protocol usage, execution from stack, etc. Today, it's a separate product. But as I said before, "we already have you on our machines..." And so, eventually, this technology will be bound together into one, and called "AV." Because AV sells.

So, "Yes, we can." But right now, it's not called "AV." But in the future, it will. But frankly, it's all the same to me. And frankly, it's all the same to users as well. Everything in this space will eventually all be called "AV." That is, until one day when it will be a standard part of the security aspect of the OS.

Jimmy

-----Original Message-----
From: Crispin Cowan [mailto:crispin@private]
Sent: Monday, October 06, 2003 10:04 PM
To: Duane Nickull
Cc: Kuo, Jimmy; 'crime@private'
Subject: Re: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

Duane Nickull wrote:
> While this is possible, I would argue that it is illogical to write a
> virus that way.

It has its strengths and weaknesses.
The strength is that it lets the malicious payload be much larger than whatever little window the exploit has to squeeze through. The weakness is, as you say, it announces the incoming attack so that methods such as Jimmy's AV product can block it. It is being discussed because (as Jimmy related it) the Blaster worm used this 2-step approach. Conversely, the Slammer/Sapphire worm was a single step, notably doing all of its exploiting and damage in a single UDP datagram of a few hundred bytes.

I don't know if AV products have a chance at stopping single-stage worms. I doubt it, but Jimmy is correct when he says I shouldn't talk about that which I don't know, so I'll let him address that question.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Tue Oct 07 2003 - 18:05:48 PDT