Everyone Wants to 'Own' Your PC


ronjor
May 4th, 2006, 10:13 AM
-{ Quote: "When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer." }-
Story (http://www.wired.com/news/columns/0,70802-0.html?tw=wn_index_4)

spy1
May 4th, 2006, 05:35 PM
From that article:

"Antivirus: You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong." (Emphasis mine - Pete)

I wasn't really aware of that fact - if it is a "fact".

I'd be quite upset if my anti-virus (NOD32) had taken hush-money (for surely the A/V vendors didn't quash the detection out of the goodness of their hearts) and a dive on the detection.

ronjor
May 4th, 2006, 05:50 PM
-{ Quote: "I wasn't really aware of that fact - if it is a "fact"." }-
Good point. That would be an interesting question to post on Bruce Schneier's blog. (http://www.schneier.com/blog/archives/2006/05/who_owns_your_c.html)

herbalist
May 4th, 2006, 06:05 PM
The only way to be sure that such undesirables are detected is to use security software that doesn't rely on definitions or reference files. While your AV or anti-spyware may choose not to alert to these, apps like System Safety Monitor and Process Guard will. The downside is that you have to know your system and the software you use. Only permit the items you know, and allow them the interprocess activity that is absolutely necessary for them to function properly and no more. When used with a good rule based firewall and web filtering, you can keep all that "big brother-ware" out, providing you don't get Vista.
Rick

As for AVs or anti-spyware apps deliberately not detecting such items, would you expect them to admit it if it was true? That would be like asking them to alert to a government keylogger.

TNT
May 4th, 2006, 06:24 PM
-{ Quote: "As for AVs or anti-spyware apps deliberately not detecting such items, would you expect them to admit it if it was true? That would be like asking them to alert to a government keylogger." }-I couldn't agree more. We'll never know the truth. It does, however, seem very fishy that nobody in those "AV" companies ever noticed (and if they honestly never noticed, it's still somewhat depressing).

Rmus
May 8th, 2006, 10:37 AM
-{ Quote: "The only way to be sure that such undesirables are detected is to use security software that doesn't rely on definitions or reference files." }-This sensible approach has been written about for several years now, but doesn't seem to invoke much discussion.

Host Threat Prevention: a New Weapon in the War against Desktop Threats (http://www.hurwitz.com/2004-newsletters/host-threat-prevention-a-new-weapon-in-the-war-against-desktop-threats-2.html)

"Traditional approaches to PC security-anti-virus software and personal firewalls-only partially address security threats in the form of malicious executables that are becoming more frequent and more sophisticated."

Also:

An Ounce of Prevention (http://www.infosec.co.uk/ExhibitorLibrary/123/An_Ounce_of_Prevention.pdf)

"‘Default-deny’ is an old principle that has deep security roots, relating not only to applications but to user policies."

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier

StevieO
May 13th, 2006, 01:32 AM
Rmus

Re: the "An Ounce of Prevention" link, I get an "HTTP 400 - Bad Request" in Internet Explorer?

I agree 'default-deny' and 'white-listing' are a very good extra solution which really does work. I have been running Winsonar for several years, with excellent results, and it's free too. It never fails to instantly block all unknown executables!

The apps that Securewave market do seem impressive.

________________________

-{ Quote: "How Sanctuary alone secures exposed machines and prevents execution of any malware

From the testing conducted within the documented lab settings and with the outlined methodology, it appears that the Sanctuary Application Control suite was effective at blocking the execution of the spyware and other forms of malicious content (malicious ActiveX, mobile code, JavaScript, Executables etc) encountered during testing. The machines running the protection software had no other forms of protection enabled with the exception of system patching.

Despite the absence of anti-spyware and anti-virus products, the Sanctuary Application Control suite machines remained completely unaffected. The unprotected machine was however, significantly compromised." }-

http://www.securewave.com/request_form.jsp?id=32856&metadataId=32856


StevieO

Rmus
May 14th, 2006, 09:21 PM
I've heard good things about Winsonar - Chris #### uses it, if I remember.

I thought it was a process monitor. Can you post a screenshot showing blocking of an unknown executable?

StevieO
May 15th, 2006, 09:22 PM
Rmus

You can choose to have WinSonar kill all unknown processes while connected (online), and/or offline too. If you try to run an unknown process whilst WinSonar is in either mode, then it kills it in milliseconds.

If you are offline and haven't selected the kill mode, then when you first launch something new you will get an alert like this instead:

http://img339.imageshack.us/img339/8922/wsalert7fi.png

You can select to include it in the whitelist, reject it, or ignore it for now. But you will get a new alert every time you try to run it again.

http://img468.imageshack.us/img468/2037/ws7zl.png

As well as the above, it has a very good selection of tools built in, including a port scanner which can always be on alert if you choose. Here are some of the options, etc.:

http://img468.imageshack.us/img468/7516/wsoptions7ek.png

Homepage of the free program http://digilander.libero.it/zancart/winsonar.html


StevieO
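The default-deny behaviour described in this thread (herbalist's "only permit the items you know", the "default-deny" principle Rmus quotes, and the kill-unknown-process / whitelist-or-reject flow StevieO shows for WinSonar) reduces to a small piece of logic: hash every executable, allow it only if the hash is already trusted, and deny everything else. The following Python is an added illustration written for this page; it is hypothetical example code, not WinSonar, Process Guard or Sanctuary, and it stands in temp files for executables and a constructed (pid, path) list for the process table. The point it makes beyond the posts above is why the list should key on file contents rather than paths: a binary dropped over a whitelisted path with different bytes is still unknown.

```python
"""Default-deny executable allowlist (hypothetical example, not any product's code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class Allowlist:
    # Keyed by SHA-256 of the file contents, not by path: replacing a trusted
    # binary in place changes its hash, so it is treated as unknown again.
    hashes: dict = field(default_factory=dict)

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def trust(self, path, label=None):
        """The 'include it in the whitelist' choice from the alert dialog."""
        d = self.digest(path)
        self.hashes[d] = label or os.path.basename(path)
        return d

    def check(self, path):
        """ALLOW only if the hash is known; anything else, including an
        unreadable or vanished file, is denied by default. 'Ignore for now'
        is simply not calling trust(): the next check blocks it again."""
        try:
            d = self.digest(path)
        except OSError:
            return Verdict.BLOCK
        return Verdict.ALLOW if d in self.hashes else Verdict.BLOCK


def enforce(allowlist, process_table, kill):
    """process_table: iterable of (pid, exe_path). kill: callback given a pid.
    Returns the pids that were blocked."""
    blocked = []
    for pid, exe in process_table:
        if allowlist.check(exe) is Verdict.BLOCK:
            kill(pid)
            blocked.append(pid)
    return blocked


def demo():
    """Constructed scenario: one trusted binary, one newcomer, then the
    trusted path overwritten with different contents."""
    tmp = tempfile.mkdtemp()

    def write(name, content):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(content)
        return p

    known = write("editor.exe", b"MZ known good editor build 1")      # constructed
    unknown = write("update.exe", b"MZ something that just arrived")  # constructed
    al = Allowlist()
    al.trust(known, "text editor")

    killed = []
    blocked = enforce(al, [(100, known), (101, unknown)], killed.append)

    # Same path, different bytes: a path-based list would wave this through.
    write("editor.exe", b"MZ replaced by an installer")
    tampered = al.check(known).value
    return {"blocked": blocked, "killed": killed, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Polling a process table as `enforce` does leaves a window in which the unknown binary has already started; the desktop products in this thread close that window by intercepting process creation before the first instruction runs, which is why they ship as kernel drivers rather than user-mode scripts. The hash-keyed list is the part worth keeping either way.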

Rmus
May 16th, 2006, 12:54 AM
Thanks, StevieO for the informative post and screen shots!

I noticed this statement in the Security Absurdity article ronjor linked in another thread:

-{ Quote: "The conventional signature-based approach, which involves maintaining a library of characteristics of each and every malicious attack, is fast falling behind. It is completely reactive." }-

Winsonar is a product worth checking out.