So it's a performance optimization? Once an executable image is first
cleared by the virus scanner, it doesn't have to check the file for
viruses again until the file is written to. I would imagine that any
mature virus scanner would keep track of files that were recently
scanned so it doesn't have to scan them again.
Casper
-----Original Message-----
From: ros-dev-bounces(a)reactos.org [mailto:ros-dev-bounces@reactos.org] On Behalf Of
Sarocet
Sent: 16. november 2005 17:26
To: ReactOS Development List
Subject: Re: [ros-dev] Security Suite
I had an idea about virus propagation. As we'll have added attribs on FS,
I'd implement the eXecution flag. No program could be run without it. If a
DLL were loaded, it'd have that flag automatically set (if allowed).
If you try to run a program, the explorer.exe or whatever other program that
tried to call it must ask the user for permission or handle the adding in an
efficient way.
If you modify, append, or in whatever method change a file, the +x would be
reset.
Any program can set that flag on, BUT before it gets set, the system
calls a DLL (could be an exe, but it should stay in memory as it can be very
frequently called...) that checks it for viruses. If it's ok, it allows the
flag. If not, the flag is not set (it doesn't remove it, as it has never
been set).
Then the DLLs can be very different: they can check it against an internal
virus database, ask about it at the ROS website (the problem'd be to
determine what it can give apart from a hash that does not reveal personal
information; a filename or path can reveal too much), give it happily (first
implementation), ask the user if (s)he's experienced (if not, the dll loads
can be very annoying :D)...
As that flag can be set on any file, programs that use macros must then (to
be compliant) confirm beforehand that the file has +x. If not, load without
macros, ask the user, not load...
That applies to WSH, Java, Flash, Php, shell scripts...
FS like FAT would then have an index file listing the programs with +x, some
kind of system to emulate it.
Removable devices (USB sticks, CD-ROMs, floppy disks...) must not have +x
flags. A remote computer can think it's secure, but our computer (note that
we can't be sure we're the same, everything can be faked) must not trust
it. +x should only stay per session, not allowing the user to set it. If a
+x flag is found set, the system must ignore it.
The system'd be more secure and only executable files get scanned, and only
once, so it's fast (by the way, I have to disable my antivirus before
updating svn, as it tries to scan them all, so it slows things down a lot).
If you think you've a virus, or simply monthly, for example, you can ask a
program to reset all +x flags (no check is done to remove it), so your
programs will be scanned next time :-)
The benefit of this is that as it'd be implemented at low level (driver, or
between driver and system), it can be more secure, with less work.
----- Original Message -----
From: "David Hinz" <post.center(a)gmail.com>
Sent: Tuesday, November 15, 2005 9:25 PM
Subject: [ros-dev] Security Suite
As recently the discussion about a firewall and a virus-scanner came up
again, I thought of a new thing, that is a bit different than the already
known things.
My idea is not to use a firewall and a virus-scanner; I want to create a
new service, that may be configured by a GUI, a console app or by other
apps, that might use some of its features.
This service should do the following things:
- Having a look at the network traffic, which includes the following:
  - Controlling which application may use the network connections
  - Controlling how much traffic they cause, which could warn the user
    about suspicious actions
- Watching the running processes for unusual events
- Checking every file that is read or written for viruses
- Scanning the http-traffic for ads and viruses
But the most important thing for me is that if this service is shut down
without the user agreeing to that, which may be checked by ntoskrnl, the
user should be informed about it and nearly all network traffic should be
blocked.
Then the network card should be deactivated, all user processes should be
paused and all drives should be checked for viruses.
I think this is hard, but it will make it much harder for worms to spread,
as they don't have the chance to deactivate our security suite and so they
will be detected within two days, and if they try to shut down the
security suite they have no chance to spread.
That would be more secure than any other existing OS.
These are just a few thoughts, feel free to change it the way you like it.
Greets,
David Hinz
_______________________________________________
Ros-dev mailing list
Ros-dev(a)reactos.org
http://www.reactos.org/mailman/listinfo/ros-dev
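An added illustration of the +x scheme Sarocet sketches above and of Casper's reading of it as a scan-result cache: this is example code written for this page, not code from the thread or from ReactOS. It is a toy in-memory filesystem in Python; the "virus database" is a constructed denylist of content hashes standing in for the pluggable scan DLL, and the paths and file contents are made up. It models the rules in the proposal: no +x means no execution, any write clears +x, +x is granted only after the scan hook approves (and only scanned once until the next write), a +x found on removable media is never trusted, and a reset tool clears every flag without scanning.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed stand-in for a virus database: a denylist of content hashes.
# In the proposal this check lives in a pluggable DLL; here it is a function.
_BAD_CONTENT = b"constructed-malicious-sample"
KNOWN_BAD_HASHES = {hashlib.sha256(_BAD_CONTENT).hexdigest()}


def denylist_scanner(data: bytes) -> bool:
    """Scan hook: True means the content may receive the +x flag."""
    return hashlib.sha256(data).hexdigest() not in KNOWN_BAD_HASHES


@dataclass
class Entry:
    data: bytes
    executable: bool = False   # the proposal's +x flag
    removable: bool = False    # on removable media: any +x found is ignored


class ExecFlagFS:
    """Toy filesystem (hypothetical) enforcing the proposal's +x rules."""

    def __init__(self, scanner: Callable[[bytes], bool]):
        self.scanner = scanner
        self.entries: Dict[str, Entry] = {}
        self.scan_count = 0   # how often the (slow) scanner actually ran

    def write(self, path: str, data: bytes, removable: bool = False) -> None:
        """Create or modify a file; any modification resets +x."""
        entry = self.entries.get(path)
        if entry is None:
            self.entries[path] = Entry(data, removable=removable)
        else:
            entry.data = data
            entry.executable = False

    def request_exec(self, path: str) -> bool:
        """A program asks to set +x. Returns whether the flag was granted."""
        entry = self.entries[path]
        if entry.removable:
            return False                 # never set +x on removable media
        if entry.executable:
            return True                  # already cleared: no rescan needed
        self.scan_count += 1
        if self.scanner(entry.data):
            entry.executable = True
        return entry.executable

    def can_execute(self, path: str) -> bool:
        """Loader check: +x must be set and must not come from removable media."""
        entry = self.entries[path]
        return entry.executable and not entry.removable

    def execute(self, path: str) -> str:
        if not self.can_execute(path):
            raise PermissionError(f"{path}: no trusted +x flag")
        return f"ran {path}"

    def reset_all(self) -> int:
        """The 'monthly' reset: clear every +x so files are rescanned next time."""
        cleared = 0
        for entry in self.entries.values():
            if entry.executable:
                entry.executable = False
                cleared += 1
        return cleared


def demo() -> dict:
    """Walk through the proposal's cases on constructed files."""
    fs = ExecFlagFS(denylist_scanner)
    fs.write("C:\\tools\\good.exe", b"constructed-benign-program")
    fs.write("C:\\tools\\bad.exe", _BAD_CONTENT)
    fs.write("E:\\usb\\auto.exe", b"constructed-benign-program", removable=True)

    results = {}
    results["run_before_flag"] = fs.can_execute("C:\\tools\\good.exe")   # False
    results["good_granted"] = fs.request_exec("C:\\tools\\good.exe")      # True
    fs.request_exec("C:\\tools\\good.exe")  # second request: cached, no rescan
    results["scans_after_two_requests"] = fs.scan_count                   # 1
    results["bad_granted"] = fs.request_exec("C:\\tools\\bad.exe")        # False
    results["usb_granted"] = fs.request_exec("E:\\usb\\auto.exe")         # False
    fs.entries["E:\\usb\\auto.exe"].executable = True   # flag arrives set on the stick
    results["usb_runs"] = fs.can_execute("E:\\usb\\auto.exe")             # False
    fs.write("C:\\tools\\good.exe", b"constructed-benign-program v2")     # modified
    results["run_after_write"] = fs.can_execute("C:\\tools\\good.exe")    # False
    results["regranted"] = fs.request_exec("C:\\tools\\good.exe")         # True
    results["total_scans"] = fs.scan_count                                # 3
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `scan_count` field is the point Casper raises: the benign file is scanned once when +x is first requested, not again on the second request, and only again after it has been written to, so the flag behaves as a scan-result cache invalidated by modification. The removable-media case shows why the proposal says a +x found on such a device must be ignored rather than honoured: the flag can be set there by anyone, so the loader trusts only flags granted by the local scan hook.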