North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: IRC bots...
- From: Florian Weimer
- Date: Sun Mar 20 16:26:18 2005
* Martin Hannigan:
> Who's got time for all that? Chase the controller, shut down
> the user until they buy some AV software.
That should read "AV software from at least three vendors, with direct
contacts to research staff of at least one of them", or something like
that. While it's very likely that there is at least one vendor which
ships signatures that already recognizes the malware you are
experiencing, it's far less likely that the single scanner/signature
combination you've chosen for desktop installation catches it.
Standard, out-of-the-box AV software (with signature updates, of
course) is no longer an option for fixing infected machines, at least
not without qualified support and independent verification of the
results. It's long been said that you shouldn't rely on AV software
for recovering from infections (and curiously enough, this was never
the way people dealt with UNIX breakins). We are now at a point where
the automated tools actually fail, and not just for some philosophical
reason (e.g. the bot has got a download component and you just can't
know what further malware has been downloaded).
(And there's the problem that the users can't get online updates
without the Internet connection you've taken away, and AV vendors do
not permit mirrors of signature definitions on your network.)