North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Quarantine your infected users spreading malware

  • From: Michael.Dillon
  • Date: Tue Feb 21 08:03:02 2006

> > Offer them a free windows 
> > infection blocker program that imposes the quarantine
> > itself locally on the user's machine. This program
> > would use stealth techniques to hide itself in the
> > user's machine, just like viruses do.

> As the defense is local to the user's machine, the attacker can just 
> kick it away.

How are they going to identify the code to throw
away? I believe that the state of the art for 
AV software is to create randomly named EXE files
so that attackers cannot delete the running process,
and then the EXE file ensures that the installed
program and startup config are not tampered with.

If AV software can protect itself this way, why
would anyone build an infection blocker using
any less protection?

--Michael Dillon