POV-Ray : Newsgroups : povray.off-topic : Speedy thing goes in... : Re: Speedy thing goes in...
  Re: Speedy thing goes in...  
From: Orchid XP v8
Date: 6 Jun 2011 13:29:10
Message: <4ded0e66@news.povray.org>
On 06/06/2011 05:44 PM, Darren New wrote:
> On 6/5/2011 14:38, Orchid XP v8 wrote:
>> Don't you just love the way most AV products insist on doing periodic
>> manual scans?
>
> Security in depth.

Seems to me more like "useless busy-work to reassure the customer that 
we really are doing something".

I notice that Symantec AntiVirus Corporate Edition doesn't do scheduled 
scans at all by default. (Unless you explicitly ask it to.) Neither did 
Trend Micro, until our IT department turned it on. (Why?)

> Try Microsoft Security Essentials. It's really good.

It has "Microsoft" in the name. Why would it be good?

>> 1. If a file is never opened, it doesn't *matter* what's inside it. It
>> can't possibly run.
>
> But you still might propagate it to someone else, even if you don't run it.

That's a valid argument for a file server. But even in that case, you 
(or somebody else) still have to *access* the file.

While we're on the subject, almost all AV products claim to be able to 
detect "virus-like behaviour" even if they don't have signatures for it. 
But I've yet to see this actually work in practice...

> "I have an idea! Let's make the system seem more responsive by doing a
> scan of a file the very instant the person starts waiting for it to run!
> That'll have the double-good effect of loading every single page of the
> executable into RAM, bypassing that pesky demand-paging stuff."

It's an optimisation in that it only scans files which could actually 
harm the system, without wasting time scanning files which are never 
used. On the other hand, it also scans them at the worst possible time...

>> (Presumably because that
>> would make it too easy for a virus to slip past; just tweak the file
>> timestamp...)
>
> Don't use the timestamp. Use the USN journal. That's what it's for.

And how many 3rd parties know this exists? (Also, it only works for 
NTFS. Which should be a non-issue, because *nobody* should be using FAT 
by now...)

> Indeed, you can just do a lazy background scan of anything that might be
> an executable after whoever is writing to it finishes writing to it.

You might argue that you could also do lazy on-access scans by logging 
who's accessing stuff, and then checking after. Still, difficult to 
block access to a file after it's been accessed...

>> For that matter, I've yet to see an AV product that's any good at
>> *removing*
>> malware. Most of them will *detect* an infection, but they do an utterly
>> crap job of *removing* it.
>
> It depends on the malware. It's hard to "remove" an infection that has
> replaced valid code with virus code.

For example, when my laptop was infected by MS Blaster, McAfee correctly 
detected the virus file on disk, but was utterly unable to delete it. It 
kept complaining about "access denied", because the virus was still 
running. When *I* manually killed it in Task Manager and then deleted 
the file myself, it worked just fine. Now why the **** couldn't McAfee 
have done that for itself? Isn't that what we paid exorbitant sums of 
money for? So that people who aren't the IT System Administrator can 
clean malware off their systems?

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
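Added example, not part of the thread and not code from any AV product: a Python sketch of the change-journal-driven lazy scan that Darren describes above (queue an executable for a background scan only after whoever was writing it has closed it, and ignore timestamp tweaks). The USN_REASON_* values are the documented NTFS change-journal constants; everything else is an assumption for illustration: the record layout is simplified, the records are constructed by hand rather than read with FSCTL_READ_USN_JOURNAL, and the executable-extension list is a placeholder for whatever a real scanner considers executable.

```python
"""Lazy, change-driven scan planning over NTFS change-journal style records.

Added illustration, not from the newsgroup thread or any AV product.
Real records come from FSCTL_READ_USN_JOURNAL; the records below are
constructed by hand. Reason bit values are the documented USN_REASON_*
constants; the record layout is simplified.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_DATA_TRUNCATION = 0x00000004
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_BASIC_INFO_CHANGE = 0x00008000  # timestamps/attributes only
USN_REASON_CLOSE = 0x80000000              # last handle closed

# Reasons meaning the bytes on disk (or the name that decides whether they
# ever get executed) may differ from what was last scanned. A bare
# BASIC_INFO_CHANGE (the "just tweak the timestamp" trick) is NOT in here,
# and a data write is journaled whatever the timestamp says.
CONTENT_CHANGE_REASONS = (USN_REASON_DATA_OVERWRITE | USN_REASON_DATA_EXTEND
                          | USN_REASON_DATA_TRUNCATION | USN_REASON_FILE_CREATE
                          | USN_REASON_RENAME_NEW_NAME)

# Assumed placeholder list; a real scanner would use content sniffing too.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ps1", ".vbs", ".js"}


@dataclass(frozen=True)
class UsnRecord:
    usn: int       # journal offset, monotonically increasing
    file_ref: int  # file reference number: survives renames, unlike the path
    name: str
    reason: int    # reason bits accumulated over one open/close cycle


def is_executable_name(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS


def plan_scans(records: Iterable[UsnRecord], last_usn: int = -1) -> Tuple[List[str], int]:
    """Return (names to scan, new checkpoint USN).

    Only records after last_usn are considered, so the caller can resume
    from a stored checkpoint instead of rescanning the whole volume.
    """
    pending = {}  # file_ref -> current name; insertion order is scan order
    for rec in sorted(records, key=lambda r: r.usn):
        if rec.usn <= last_usn:
            continue
        last_usn = rec.usn
        if not rec.reason & USN_REASON_CLOSE:
            continue  # writer still has it open: scanning now races the write
        if rec.reason & USN_REASON_FILE_DELETE:
            pending.pop(rec.file_ref, None)  # gone before we got to it
            continue
        if not is_executable_name(rec.name):
            pending.pop(rec.file_ref, None)  # e.g. renamed away from .exe
            continue
        if rec.reason & CONTENT_CHANGE_REASONS:
            # Re-setting an existing key keeps its position, so a burst of
            # writes to one file costs exactly one scan.
            pending[rec.file_ref] = rec.name
        # CLOSE with only BASIC_INFO_CHANGE falls through: no scan needed.
    return list(pending.values()), last_usn


# Constructed sample journal (not captured from a real volume).
SAMPLE_RECORDS = [
    UsnRecord(100, 1, "setup.exe", USN_REASON_FILE_CREATE),
    UsnRecord(101, 1, "setup.exe", USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND),
    UsnRecord(102, 1, "setup.exe", USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND | USN_REASON_CLOSE),
    UsnRecord(103, 2, "notes.txt", USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE),
    UsnRecord(104, 3, "payload.tmp", USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND | USN_REASON_CLOSE),
    UsnRecord(105, 3, "payload.dll", USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE),
    UsnRecord(106, 1, "setup.exe", USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE),
    UsnRecord(107, 4, "dropper.scr", USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND | USN_REASON_CLOSE),
    UsnRecord(108, 4, "dropper.scr", USN_REASON_FILE_DELETE | USN_REASON_CLOSE),
    UsnRecord(109, 5, "helper.exe", USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE),
]

if __name__ == "__main__":
    names, checkpoint = plan_scans(SAMPLE_RECORDS)
    print(names, checkpoint)  # ['setup.exe', 'payload.dll'] 109
```

Note what the sample exercises: setup.exe is queued once although it was written, closed, and overwritten again; payload.tmp is ignored until it is renamed to payload.dll, at which point the rename record alone is enough to queue it; dropper.scr is created and deleted before the background scanner ran, so it drops out; and helper.exe, whose only recorded change is to its timestamps, is not rescanned at all. This is the "scan after the writer finishes" model; as the post says, it does nothing for blocking access at open time, so it complements rather than replaces on-access scanning.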

