21 Feb
2006
21 Feb
'06
8:03 a.m.
Offer them a free windows infection blocker program that imposes the quarantine itself locally on the user's machine. This program would use stealth techniques to hide itself in the user's machine, just like viruses do.
As the defense is local to the user's machine, the attacker can just kick it away.
How are they going to identify the code to throw away? I believe that the state of the art for AV software is to create randomly named EXE files so that attackers cannot delete the running process, and then the EXE file ensures that the installed program and startup config are not tampered with. If AV software can protect itself this way, why would anyone build an infection blocker using any less protection? --Michael Dillon