[exelist] Re: sdw386 v. 1.71
iceman wrote:
> PS: Maybe I'm announcing a new way of virus scanning here; I'm not
> very familiar with AV stuff, but I think one safe way would be
> to create a so-called "Sandbox" or "Container", which is the
> environment in which we run the "maybe-infected file" and call,
> open, read, etc. other dummy files there.
> If we hooked the filesystem on the lowest layer (to avoid
> manipulation of this by a virus, do it polymorphically), we know that
> something modified the dummy file and can be SURE that it's a virus.
> I've never seen this technique, but I think as an add-on it beats
> a lot of other techniques like string scan, heuristic scan, code
> analysis, correlation scanning, etc. etc.
But think of slow-infecting viruses. They only infect on maybe every
1000th run to avoid fast detection. So you can spend very much
time using your sandbox and still not recognize it as a virus.
JVP
--------------------------------
TEU
what do YOU want to crack today?
http://members.xoom.com/jvp/
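As an added example (not part of the original thread, and not iceman's or JVP's code), here is a small Python sketch of the bait-file check iceman describes, together with the arithmetic behind JVP's objection. The bait files, their contents, the stand-in "sample" that touches one of them on its third run, and the per-run infection rate are all constructed assumptions for the demonstration; a real monitor would hook the file system rather than re-hash files between runs.

```python
import hashlib
import math
import os
import tempfile
from typing import Callable, Dict, List, Optional


def create_bait_files(directory: str, count: int = 3) -> List[str]:
    """Create constructed dummy files that a legitimate program has no reason to modify."""
    paths = []
    for i in range(count):
        p = os.path.join(directory, f"bait_{i}.com")
        with open(p, "wb") as f:
            f.write(b"\xc3" * 64)  # constructed placeholder content (a single RET opcode repeated)
        paths.append(p)
    return paths


def snapshot(paths: List[str]) -> Dict[str, str]:
    """SHA-256 of each bait file; taken as a baseline before the sample runs."""
    digests = {}
    for p in paths:
        with open(p, "rb") as f:
            digests[p] = hashlib.sha256(f.read()).hexdigest()
    return digests


def run_and_watch(sample: Callable[[], None], paths: List[str], runs: int) -> Dict[str, object]:
    """Run the sample up to `runs` times and re-hash the bait files after each run.

    Returns the first run on which any bait file changed (None if none did) and
    the list of changed files. Any change to a bait file is treated as a detection.
    """
    baseline = snapshot(paths)
    for n in range(1, runs + 1):
        sample()
        current = snapshot(paths)
        changed = sorted(p for p in paths if current[p] != baseline[p])
        if changed:
            return {"detected_on_run": n, "changed": changed}
    return {"detected_on_run": None, "changed": []}


def detection_probability(per_run_rate: float, runs: int) -> float:
    """Chance that at least one of `runs` executions trips the monitor, assuming the
    sample modifies files independently on each run with probability per_run_rate."""
    return 1.0 - (1.0 - per_run_rate) ** runs


def runs_needed(per_run_rate: float, confidence: float) -> int:
    """Smallest number of runs giving at least `confidence` probability of detection."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - per_run_rate))


def demo() -> Dict[str, object]:
    """Constructed demonstration: a stand-in sample that leaves the bait files alone
    on most runs and appends one byte to bait_1.com on its third run, next to a
    benign stand-in that never touches them."""
    calls = {"n": 0}
    with tempfile.TemporaryDirectory() as d:
        paths = create_bait_files(d)

        def stand_in_sample() -> None:
            calls["n"] += 1
            if calls["n"] == 3:  # constructed: "infects" only on the third run
                with open(paths[1], "ab") as f:
                    f.write(b"\x90")

        result = run_and_watch(stand_in_sample, paths, runs=10)
        benign = run_and_watch(lambda: None, paths, runs=10)
    return {
        "detected_on_run": result["detected_on_run"],
        "changed_names": [os.path.basename(p) for p in result["changed"]],
        "benign_detected_on_run": benign["detected_on_run"],
    }


if __name__ == "__main__":
    print(demo())
    # JVP's case: a sample that infects on roughly 1 run in 1000.
    p = 1.0 / 1000
    print(f"detection probability after 1000 runs: {detection_probability(p, 1000):.3f}")
    print(f"runs for 99% confidence: {runs_needed(p, 0.99)}")
```

The bait-file check itself is cheap and needs no signatures, which is iceman's point; `detection_probability` and `runs_needed` make JVP's point concrete: at one infection per thousand runs, a thousand sandboxed executions still miss the sample about a third of the time, and reaching 99% confidence takes several thousand runs, so a sandbox monitor complements rather than replaces the other scanning techniques listed.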