[Dshield] Now It's Postcard.Exe and New Signature

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Jan 31 22:02:47 GMT 2007


On Wed, 31 Jan 2007 15:41:31 EST, David Cary Hart said:
> On Wed, 31 Jan 2007 10:17:01 -0500, "Johannes B. Ullrich"
> <jullrich at sans.org> opined:
> > 
> > what we actually need is a postfix/procmail et al signature for .exe
> > files. Anything else is just a whack-the-mole band aid.
> > 
> Mime checks should eliminate all .exe file attachments. AVs should be
> able to check zips and tarballs for this kind of content.

The problem is that it's hard to actually implement this, because:

1) Not all executables have a .exe file extension
2) The concept of "executable" is very squishy in a world of active content.
HTML may have JavaScript on it, Word documents carry macros, and so on.

It's pretty easy to show that a Harvard computer architecture (the code is
the code, the data is the data, and never the twain shall meet) has some very
nice security properties.  Unfortunately, users really want their computers
to be von Neumann machines, where data and code are interchangeable....
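Added example, not part of the original message or of any list member's code: a content-based attachment check illustrating the two numbered points above. It labels each MIME part by its leading bytes rather than its file name, and it shows that "active content" (script in HTML, legacy Office containers) needs categories of its own. The function names, labels and the sample message are constructed for illustration.

```python
import re, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from io import BytesIO

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def classify(data):
    """Label bytes by content alone; the file name and MIME type are never consulted."""
    if data[:2] == b"MZ":
        return "pe-executable"          # DOS/PE header, whatever the extension says
    if data[:8] == OLE_MAGIC:
        return "ole-document"           # legacy Office container, may carry macros
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if re.search(rb"<script\b", data[:65536], re.I):
        return "html-script"
    return "other"

def scan_message(raw):
    """Return (name, verdict) for each leaf MIME part, looking one level into zips."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(body)"
        data = part.get_payload(decode=True) or b""
        verdict = classify(data)
        if verdict != "zip":
            findings.append((name, verdict))
            continue
        try:
            with zipfile.ZipFile(BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.append((f"{name}!{member}", classify(zf.read(member))))
        except (zipfile.BadZipFile, RuntimeError):   # corrupt or password-protected
            findings.append((name, "zip-unreadable"))
    return findings

def build_sample():  # constructed test message: header stubs only, no working payloads
    pe_stub = b"MZ" + b"\x00" * 62
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("card.txt", pe_stub)
    msg = EmailMessage()
    msg.set_content("Your postcard is attached.")
    msg.add_attachment(pe_stub, maintype="image", subtype="jpeg", filename="postcard.jpg")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="card.zip")
    msg.add_attachment("<html><SCRIPT>1</SCRIPT></html>", subtype="html", filename="note.html")
    return msg.as_bytes()
```

A part reported as `zip-unreadable` is one the filter could not inspect, so a mail gateway has to decide separately whether to pass or hold it.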