[exelist] Re: sdw386 v. 1.71
> ps: Maybe I'm announcing a new way of virus scanning here; I'm not
> very familiar with AV stuff, but I think one safe way would be
> to create a so-called "Sandbox" or "Container", which is the
> environment in which we run the "maybe-infected file" and call,
> open, read, etc. other dummy files there.
Look at tbclean. It contains a sandbox environment, however insecure.
Btw, way back I did experiments on DrSolomon, and I must say it was
impressive; it appears to be able to decrypt just about anything (however,
its heuristics on the decrypted viruses are severely lame and could easily
be fooled).
The problem is of course that implementing "Sandbox" scanning in general
AVs raises the problems with debugger traps, and if running within a VM
it also raises the questions of undocumented CPU features, detection of
the sandbox, etc. And a definite question is the speed of the scanning and how
to handle delayed TSRs. Another is the problem with TbClean: you must be
able to guarantee that it is impossible to exploit the sandbox and escape
it.
> I've never seen this technique, but I think as an add-on it beats
> a lot of other techniques like string-scan, heuristic scan, code
> analysis, correlation scanning, etc. etc.
Somehow this brings my mind to a quote by Bruce Schneier, which mainly
pointed out that every now and then there comes someone unknown to the
science of security and thinks his idea is the final solution, without
even investigating the science or doing background research...
It appears to me that you people should be among those most aware of the
problems; if there was a simple sandbox solution which solved everything,
you should code it and use it in your unpackers :)
> pps: The AV technology described in this mail is patent pending in
> the United States of America and Europe.
By whom? Are there any online references to the patent?
[icq.im.away] 611251
[email.ilove] ealliance$hotmail.com || 11a$gmx.net
[web.we.rock] http://194.236.13.242/11a/index.html
[web.we.rock] http://home.swipnet.se/~w-12702/11A/
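The following is an added example illustrating the trade-off this reply raises (scan speed versus delayed triggers); it is not code from the exelist thread, from tbclean or from any real scanner. It models the "sandbox with dummy files" idea as a toy register VM: a sample is run against constructed dummy files under a step budget, and is flagged if it modifies a dummy executable. The instruction names, the `Sandbox`/`scan` functions and the three sample programs are all assumptions made up for the demonstration.

```python
"""Toy sandbox scanner (added example, not from the thread).

A tiny register VM stands in for the CPU and "CALL" instructions stand in
for file services. The sandbox executes a sample against dummy files and
flags it if a dummy executable is written to. The step budget models the
scan-speed constraint; the delayed sample shows that a budget small enough
to be fast misses a payload that only fires after a long delay.
"""
from dataclasses import dataclass, field

# Constructed dummy files the sample is allowed to touch inside the sandbox.
DUMMY_FILES = {"DUMMY.COM": b"\xcd\x20", "DUMMY.TXT": b"hello"}


@dataclass
class Sandbox:
    budget: int                      # maximum instructions to execute
    files: dict = field(default_factory=lambda: dict(DUMMY_FILES))
    trace: list = field(default_factory=list)   # (service, argument) log
    modified: set = field(default_factory=set)  # dummy files written to
    steps: int = 0

    def run(self, program):
        """Execute `program` until it exits or the budget is exhausted."""
        regs = {"ax": 0, "cx": 0}
        pc, handle = 0, None
        while pc < len(program) and self.steps < self.budget:
            self.steps += 1
            op, *args = program[pc]
            pc += 1
            if op == "MOV":            # MOV reg, imm
                regs[args[0]] = args[1]
            elif op == "DEC":          # DEC reg
                regs[args[0]] -= 1
            elif op == "JNZ":          # JNZ reg, target
                if regs[args[0]] != 0:
                    pc = args[1]
            elif op == "CALL":         # CALL service, arg  (hooked API)
                svc, arg = args
                self.trace.append((svc, arg))
                if svc == "open":
                    handle = arg if arg in self.files else None
                elif svc == "write" and handle is not None:
                    self.files[handle] += arg
                    self.modified.add(handle)
                elif svc == "exit":
                    return "exited"
            else:
                raise ValueError(f"unknown op {op}")
        return "exited" if pc >= len(program) else "budget exhausted"

    def verdict(self):
        """Suspicious if any dummy executable was modified."""
        hit = any(name.endswith(".COM") for name in self.modified)
        return "suspicious" if hit else "clean"


def scan(program, budget):
    """Run one sample and report verdict, run status and instructions used."""
    sb = Sandbox(budget=budget)
    status = sb.run(program)
    return {"verdict": sb.verdict(), "status": status, "steps": sb.steps}


# Constructed samples (toy programs, not real malware).
BENIGN = [("CALL", "open", "DUMMY.TXT"), ("CALL", "write", b"!"), ("CALL", "exit", 0)]
DIRECT = [("CALL", "open", "DUMMY.COM"), ("CALL", "write", b"\xeb\xfe"), ("CALL", "exit", 0)]
# Spins 50,000 loop iterations before touching the executable, modelling a
# delayed trigger such as a TSR that acts long after the sample starts.
DELAYED = [("MOV", "cx", 50000), ("DEC", "cx"), ("JNZ", "cx", 1),
           ("CALL", "open", "DUMMY.COM"), ("CALL", "write", b"\xeb\xfe"), ("CALL", "exit", 0)]

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN), ("direct", DIRECT), ("delayed", DELAYED)):
        print(name, "budget=10000 ->", scan(prog, 10_000))
    print("delayed budget=200000 ->", scan(DELAYED, 200_000))
```

With a 10,000-step budget the direct sample is flagged in three steps, while the delayed one exhausts the budget and is reported clean; raising the budget to 200,000 catches it at the cost of running roughly 100,000 instructions, which is exactly the speed-versus-coverage tension the reply points at.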
------------------------------------------------------------------------
eGroup home: http://www.eGroups.com/list/exelist