0.02 kroner coming up :)

> From: Gadi Evron
>
> 2. In a broader view, notifications ARE currently the
> problem rather than a solution.

I think we all recognize the fundamental truth that AV notifications are pure marketing. They contain no instructions on removing the virus and only serve to spread FUD. Somewhere, sometime, a marketer at an AV company thought "hey, let's get new customers by notifying people that send the virus!", implemented it, and everybody followed suit since "everybody is doing it, we might as well also". AV notifications have degenerated from a misguided form of assistance into an even worse problem than the viruses they are supposed to stop.

> 3. I think we look at the whole problem in the wrong way,
> allow me to elaborate:
> The AV industry is built on reaction rather than prevention.
> Adding new signatures is still the #1 tool in the fight against malware.

I couldn't agree more. We should stop wasting time on detailing the subject lines of a new virus, what P2P folder the latest worm copies itself to, or how the latest Blaster variant changes spread algorithms on the second Thursday of the month (provided it's raining in Spain). All of this does nothing to prevent any future recurrences of the same threats and is mainly of academic interest - if you're writing a paper on worm propagation techniques or a book about "The 1001 funniest virus subject lines". We're all curious beings, but having my mom know the subject lines of the 5 latest viruses does nothing to prevent her from opening attachments or being infected by Blaster.

We need to change our mindsets fundamentally and approach these threats from a different angle. Instead of playing archaeologists who are uncovering dinosaur bones and detailing their ridges, we need to become bioengineers who analyze DNA mutation patterns and create strains of tomato plants that can endure cold winter nights.
It is essential that we invest serious time and money into analyzing and matrixing the common attack, spread and infection vectors of the threats that our corporate networks and public infrastructure encounter, and that we use that knowledge to create targeted counteractions and proactive threat mitigations that can hinder the spread or impact of generic types of threats - in advance. This is not just a philosophy but a viable approach to applicable crafting.

We at PivX Solutions have been preaching Proactive Threat Mitigation for quite some time now. I have been speaking about it at conferences (blame Canada), the panel members understood it when we explained it at the first National Cyber Security Summit, and we integrated our initial efforts into Qwik-Fix, which prevented dozens of threats in Q4 2003 (MiMail, lots of IE exploits, etc.).

I think we can all get lost in specifics from time to time, which is why it is important to remember that real security is all about risk management - how much time and money do we want to invest in lowering the inherent risk to an acceptable level? It is only when we start diverting those resources away from reactive solutions, such as antivirus, which have not hindered any major virus outbreak but have even created the far worse problem of AV notifications, and towards proactive appliances and proper risk management that we can minimize our risk and shorten our window of exposure to threats.

> With spam and mass mailers clogging the tubes, causing us all to
> waste money on bigger tubes, as well as our time dealing with the
> annoyance (more money), shouldn't the problem be solved there
> (at the main tubes themselves) rather than at the end user's desktop?
>
> They are right, it isn't currently demanded of them.
ISPs and peering points should seriously consider the development and implementation of technologies that can unintrusively and anonymously detect threats and filter packets that meet certain risk criteria, before governmental agencies wake up and start addressing the issue with regulations and laws that will inevitably limit their control of private property.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>