So it's a performance optimization? Once an executable image is first cleared by the virus scanner, it doesn't have to check the file for viruses again until the file is written to. I would imagine that any mature virus scanner would keep track of files that were recently scanned so it doesn't have to scan them again.
Casper
-----Original Message----- From: ros-dev-bounces@reactos.org [mailto:ros-dev-bounces@reactos.org] On Behalf Of Sarocet Sent: 16. november 2005 17:26 To: ReactOS Development List Subject: Re: [ros-dev] Security Suite
I had an idea about virus propagation. As we'll have added attribs on FS, I'd implement the eXecution flag. No program could be run without it. If a DLL were loaded, it'd have that flag automatically set (if allowed). If you try to run a program, the explorer.exe or whatever other program that tried to call it must ask the user for permission or handle the adding in an efficient way. If you modify, append, or in whatever method change a file, the +x would be reset. Any program can set that flag on, BUT before it gets set, the system calls a DLL (could be an exe, but it should stay in memory as it can be very frequently called...) that checks it for viruses. If it's ok, it allows the flag. If not, the flag is not set (it doesn't remove it, as it has never been set). Then the DLLs can be very different: they can check it against an internal virus database, ask about it at the ROS website (the problem'd be to determine what it can give apart from a hash that doesn't reveal personal information; a filename or path can reveal too much), give it happily (first implementation), ask the user if (s)he's experienced (if not, the DLL loads can be very annoying :D)...
As that flag can be set on any file, programs that use macros must then, to be compliant, confirm beforehand that the file has +x. If not, load without macros, ask the user, not load... That applies to WSH, Java, Flash, PHP, shell scripts...
FS like FAT would then have an index file with the programs with +x, some kind of system to emulate it. Removable devices (USB sticks, CD-ROMs, floppy disks...) must not have +x flags. A remote computer can think it's secure, but our computer (note that we can't be sure we're the same; everything can be faked) must not trust it. +x should only stay per session, not allowing the user to set it. If a +x flag is found set, the system must ignore it.
The system'd be more secure and only executable files get scanned, and only once, so it's fast (by the way, I have to disable my antivirus before updating svn, as it tries to scan them all, which slows it down a lot). If you think you've got a virus, or simply monthly, for example, you can ask a program to reset all +x flags (no check is done to remove it), so your programs will be scanned next time :-)
The benefit of this is that as it'd be implemented at low level (driver, or between driver and system), it can be more secure, with less work.
----- Original Message ----- From: "David Hinz" post.center@gmail.com Sent: Tuesday, November 15, 2005 9:25 PM Subject: [ros-dev] Security Suite
As the discussion about a firewall and a virus scanner recently came up again, I thought of a new thing that is a bit different from the already known things.
My idea is not to use a firewall and a virus scanner; I want to create a new service that may be configured by a GUI, a console app or by other apps that might use some of its features. This service should do the following things:
- Having a look at the network traffic, which includes the following:
- Controlling which applications may use the network connections
- Controlling how much traffic they cause, which could warn the user about suspicious actions
- Watching the running processes for unusual events
- Checking every file that is read or written for viruses
- Scanning the HTTP traffic for ads and viruses
But the most important thing for me is that if this service is shut down without the user agreeing to that, which may be checked by ntoskrnl, the user should be informed about it and nearly all network traffic should be blocked. Then the network card should be deactivated, all user processes should be paused and all drives should be checked for viruses.
I think this is hard, but it will make it much harder for worms to spread, as they don't have the chance to deactivate our security suite, and so they will be detected within two days; and if they try to shut down the security suite they have no chance to spread. That would be more secure than any other existing OS.
These are just a few thoughts; feel free to change them the way you like.
Greets,
David Hinz
Ros-dev mailing list Ros-dev@reactos.org http://www.reactos.org/mailman/listinfo/ros-dev
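The scan-on-first-execute +x policy that Sarocet sketches above (scanner grants the flag, any write clears it, flags on removable media are ignored, a periodic reset forces rescans), modelled as an added Python example that is not code from this thread or from ReactOS; the MALWARE_MARKER string, the signature_scan stand-in and the class names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed marker standing in for a real signature database entry.
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"

def signature_scan(data: bytes) -> bool:
    # Stand-in scanner: True means the file is considered clean.
    return MALWARE_MARKER not in data

@dataclass
class File:
    data: bytes
    removable: bool = False   # on USB/CD/floppy: +x is never trusted or set
    executable: bool = False  # the proposed +x attribute, cleared on write

class ExecPolicy:
    def __init__(self, scanner=signature_scan):
        self.scanner = scanner
        self.scan_count = 0   # how many times the scanner actually ran

    def write(self, f: File, data: bytes) -> None:
        f.data = data
        f.executable = False  # any change to the file resets +x

    def request_exec(self, f: File) -> bool:
        """Loader hook: decide whether f may run, scanning only if needed."""
        if f.removable:
            return False      # a flag found on removable media is ignored
        if f.executable:
            return True       # cleared earlier and unchanged since: no rescan
        self.scan_count += 1
        if self.scanner(f.data):
            f.executable = True   # only the scanner path may grant +x
            return True
        return False              # flag stays unset; nothing to remove

    def reset_all(self, files) -> None:
        # Periodic "forget all verdicts": every program is rescanned next run.
        for f in files:
            f.executable = False
```

Running a clean file twice costs one scan, a write forces a rescan, and an infected or removable file never acquires the flag.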