From: spike1 on
And verily, didst David H. Lipman <DLipman~nospam~@verizon.net> hastily babble thusly:
> From: <spike1(a)freenet.co.uk>
>
> | And verily, didst Karthik Balaguru <karthikbalaguru79(a)gmail.com> hastily babble thusly:
>>> [Karthik Balaguru]
>>> So, does it imply that the virus scanners check for
>>> malicious system calls from malicious applications
>>> in Windows ? Are there any opensource implementation
>>> of those virus scanners that check for malicious
>>> system calls from certain applications in Windows ?
>
> | No, it means the virus scanners don't scan running processes.
> | They scan files on hard disk and in e-mails/other network related stuff that
> | are destined for transfer to windows based networks/machines... and then
> | quarantine anything that matches a virus profile.
>
> McAfee scans running processes.

McAfee runs on linux now?

--
| |What to do if you find yourself stuck in a crack|
| spike1(a)freenet.co.uk |in the ground beneath a giant boulder, which you|
| |can't move, with no hope of rescue. |
| Andrew Halliwell BSc |Consider how lucky you are that life has been |
| in |good to you so far... |
| Computer Science | -The BOOK, Hitch-hiker's guide to the galaxy.|
From: David H. Lipman on
From: <spike1(a)freenet.co.uk>
>> McAfee scans running processes.

| McAfee runs on linux now?

http://www.mcafee.com/us/enterprise/products/system_security/servers/linuxshield.html
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: FromTheRafters on
"Karthik Balaguru" <karthikbalaguru79(a)gmail.com> wrote in message
news:b13f8cf1-84f4-4396-ab3d-2a20cb7ff775(a)g8g2000pri.googlegroups.com...
On Mar 16, 5:09 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:
> "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message
>
> news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201(a)b36g2000pri.googlegroups.com...
>
> I think, REMUS(Kernel module for Linux) helps in identification of
> the incorrect parameters, access rights by interaction with the
> AccessControl Database managed by the sysctl command,
> but not sure if it would be help in identifying whether the system
> calls have been tweaked.
>
> ***
> It looks for suspicious activity regarding programs using legitimate
> calls in a suspicious (possibly malicious) manner. Some attack
> patterns
> are known to use certain combinations of calls, any program using that
> certain combination of calls will be suspect. The calls themselves are
> not malicious.
> See http://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced...
> ***


Yeah, I do find that malicious calls have different views.

From the REMUS document from the link provided by you
it seems that malicious calls also include -
- Illegal invocation of critical system calls that could
cause hijacking of control of any privileged process.
- Inefficient check of the argument values of the system calls

The REMUS homepage link was actually breaking and
hence I was collecting information by searching on the internet -
http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf
Thx for providing the link. I will check it out.

[...]

***
It might be worth pondering that viruses, in particular, don't generally
need to exploit software flaws. REMUS seems to be a good enhancement for
the OS, but AV has (or had) a different goal.
***
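To make the two REMUS-style checks discussed above concrete (a suspicious combination of individually legitimate calls, and argument checks on critical calls), here is an added illustration written for this thread; it is not REMUS code and not from any poster. REMUS enforces its rules inside the kernel against an Access Control Database; this stand-in instead replays a constructed strace-style trace in user space, and its rule table, sample trace and "dropper" pattern are assumptions chosen for illustration.

```python
"""Toy syscall-pattern monitor in the spirit of the REMUS discussion.

Added example, not REMUS itself: REMUS is a Linux kernel module checking
calls against an Access Control Database; this script replays an
strace-style trace in user space to show the same two ideas:
  1. a combination of legitimate calls that together is suspect, and
  2. argument checks on critical system calls.
"""
import re
from collections import defaultdict, deque

# Constructed trace in strace's "<pid> <syscall>(<args>) = <ret>" shape.
SAMPLE_TRACE = """\
1201 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1201 read(3, "root:x:0:0", 4096) = 4096
1201 close(3) = 0
1202 openat(AT_FDCWD, "/tmp/dropper", O_WRONLY|O_CREAT) = 4
1202 write(4, "...", 512) = 512
1202 close(4) = 0
1202 chmod("/tmp/dropper", 04755) = 0
1202 execve("/tmp/dropper", ["dropper"], 0x7ffd) = 0
1203 setuid(0) = -1 EPERM
1203 execve("/bin/ls", ["ls"], 0x7ffe) = 0
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$')

def split_args(s):
    """Split an argument list on top-level commas, respecting quotes and brackets."""
    out, cur, depth, quote = [], [], 0, None
    for ch in s:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch == '"':
            quote = ch
            cur.append(ch)
        elif ch in '[{(':
            depth += 1
            cur.append(ch)
        elif ch in ']})':
            depth -= 1
            cur.append(ch)
        elif ch == ',' and depth == 0:
            out.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur or out:
        out.append(''.join(cur))
    return [a.strip() for a in out]

def unquote(arg):
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else arg

def parse_trace(text):
    """Yield (pid, syscall, args, ret) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m['pid']), m['name'], split_args(m['args']), m['ret'].strip()

# Stand-in for the access-control table (assumed policy, not REMUS's database).
ALLOWED_EXEC_PREFIXES = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/')
SETUID_BIT = 0o4000

def check_arguments(name, args):
    """Rule 2: argument checks on critical calls. Return a reason or None."""
    if name == 'execve' and args:
        path = unquote(args[0])
        if not path.startswith(ALLOWED_EXEC_PREFIXES):
            return f'execve of {path} outside allowed directories'
    if name == 'chmod' and len(args) >= 2:
        try:
            mode = int(args[1], 8)
        except ValueError:
            return f'chmod with unparsable mode {args[1]}'
        if mode & SETUID_BIT:
            return f'chmod sets setuid bit on {unquote(args[0])}'
    return None

# Rule 1: write a file, mark it executable, then execute that same file.
DROPPER_PATTERN = ('write', 'chmod', 'execve')
WINDOW = 8  # calls remembered per process

def contains_subsequence(names, pattern):
    """True if pattern occurs in names in order (not necessarily adjacent)."""
    pos = 0
    for n in names:
        if pos < len(pattern) and n == pattern[pos]:
            pos += 1
    return pos == len(pattern)

def monitor(trace_text):
    """Return (pid, rule_kind, reason) alerts for a trace."""
    alerts = []
    windows = defaultdict(lambda: deque(maxlen=WINDOW))
    for pid, name, args, _ret in parse_trace(trace_text):
        reason = check_arguments(name, args)
        if reason:
            alerts.append((pid, 'argument', reason))
        win = windows[pid]
        win.append((name, args))
        if name == 'execve' and args and contains_subsequence([n for n, _ in win], DROPPER_PATTERN):
            target = unquote(args[0])
            chmodded = {unquote(a[0]) for n, a in win if n == 'chmod' and a}
            if target in chmodded:  # the chmod and execve must refer to the same path
                alerts.append((pid, 'sequence', f'write/chmod/execve of {target}'))
    return alerts

if __name__ == '__main__':
    for pid, kind, reason in monitor(SAMPLE_TRACE):
        print(f'pid {pid}: [{kind}] {reason}')
```

The point FromTheRafters makes survives in the output: every call in the trace is a legitimate system call, and process 1201 (reading /etc/passwd) and 1203 (a failed setuid followed by a normal execve) raise nothing. Only process 1202 is flagged, twice by argument policy and once by the ordered combination, which is the kind of judgement such a monitor makes and a file-scanning AV does not.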


From: Karthik Balaguru on
On Mar 17, 6:46 am, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:
> "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message
>
> news:b13f8cf1-84f4-4396-ab3d-2a20cb7ff775(a)g8g2000pri.googlegroups.com...
> On Mar 16, 5:09 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
> wrote:
>
> > "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message
>
> >news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201(a)b36g2000pri.googlegroups.com....
>
> > I think, REMUS(Kernel module for Linux) helps in identification of
> > the incorrect parameters, access rights by interaction with the
> > AccessControl Database managed by the sysctl command,
> > but not sure if it would be help in identifying whether the system
> > calls have been tweaked.
>
> > ***
> > It looks for suspicious activity regarding programs using legitimate
> > calls in a suspicious (possibly malicious) manner. Some attack
> > patterns
> > are known to use certain combinations of calls, any program using that
> > certain combination of calls will be suspect. The calls themselves are
> > not malicious.
> > See http://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced...
> > ***
>
> Yeah, I do find that malicious calls have different views.
>
> From the REMUS document from the link provided by you
> it seems that malicious calls also include -
> - Illegal invocation of critical system calls that could
>   cause hijacking of control of any privileged process.
> - Inefficient check of the argument values of the system calls
>
> The REMUS homepage link was actually breaking and
> hence I was collecting information by searching on the internet - http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf
> Thx for providing the link. I will check it out.
>
> [...]
>
> ***
> It might be worth pondering that viruses, in particular, don't generally
> need to exploit software flaws. REMUS seems to be a good enhancement for
> the OS, but AV has (or had) a different goal.
> ***

Interesting to know that generally viruses do not exploit this flaw.

Thx,
Karthik Balaguru
From: Karthik Balaguru on
On Mar 17, 2:10 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
wrote:
> From: <spi...(a)freenet.co.uk>
>
> >> McAfee scans running processes.
>
> | McAfee runs on linux now?
>
> http://www.mcafee.com/us/enterprise/products/system_security/servers/...
>

But, it is not opensource :-(

Karthik Balaguru