|
|
On 06/06/2011 09:02 PM, Darren New wrote:
> On 6/6/2011 11:22, Orchid XP v8 wrote:
>> ...which the on-demand scanner is *still* going to detect...
>
> Again, the on-demand scanner is the worst possible way, efficiency-wise,
> to detect such things. Where "efficient" means "minimal impact to actual
> users." It should be a last resort, not a primary mechanism.
You have a point. Scanning a file after each time it's modified would
seem the best approach, but I'm not aware of any product that does this yet.
>> Heheh. These are the people who thought "hey, let's make it so that every
>> home user has full admin rights by default". Yes, I'm sure they know a
>> thing
>> or two about security. ;-)
>
> I'm sure they do. And I'm sure every programmer in Microsoft *wanted* to
> not make that the default. That business cases mean you lessen security
> doesn't mean the security team doesn't know how to do security.
OK, how about this:
This is the company that produced a web server where you can completely
defeat all access controls and fetch files you don't have permission to
fetch just by using backslashes in the URL rather than forward slashes.
This works because:
1. The server neglects to check for invalid characters in the URL (such
as backslashes).
2. The server uses a list to determine file access rather than
properties of the files themselves (e.g., FS-level file security).
3. The server blacklists files that you can't access rather than
whitelists files that you can access, causing it to fail-open rather
than fail-closed.
4. Because the restricted URLs have forward slashes and the user typed
an equivalent path with backslashes, a textual match routine returns no
matches, and the URL is allowed. (This also means that any /other/ way
to generate a semantically equivalent but textually distinct URL would
/also/ bypass all security.)
Yes, /clearly/ MS knows how to design systems that are fundamentally secure.
>>>> That's a valid argument for a file server. But even in that case,
>>>> you (or
>>>> somebody else) still has to *access* the file.
>>>
>>> But the other person might not have a virus scanner.
>>
>> If the file is on a file server, then each time you try to access it,
>> the AV
>> product on the server will perform an on-demand scan.
>
> Sorry? What file server?
If the file exists on another PC and that PC has an on-demand virus
scanner, than whatever way you access that file, it's going to trigger
that PC to perform an on-demand scan. So I'm not seeing how a file on a
PC with an AV product can pose a threat to other systems.
Post a reply to this message
|
|