开发者

A different Approach for anti-virus . Am I going in the right direction?

I'm currently conceiving a system that works like an anti-virus, but also uses the White Listing i.e

Preventing Viruses from开发者_运维百科 Running by having a database of Known legitimate Programs

Yes , there is the Windows UAC, but still many viruses "work around" it. I'm planning on a more reliable system.

My system has also a database of known threats (cryptographic hash).

Is this approach viable,

What are the possible loop holes in this approach

I understand that there has been a lot of attempts at this. But still I want to try it out.

I'm planning to use C# and .Net for a prototype may be i'll move on to C++ for performance later

Update: Thank you all for your time and thoughts. I decided to do some more research in this area before actually designing something Espcially as pointd out below the Zeroday threat problem


What about DLLs used by executables? Do you hash them too? A virus can replace a DLL.


This has been brought up before, and there are products out there which do that. (Faronics Anti-Executable works like this)

There are two main problems with this approach:

  1. A virus can embed itself into any file; not just EXEs. Programs can load DLLs and other bits of code(macros, scripts, etc), and programs can contain bugs(such as buffer overflows) which can be exploited by malicious documents and other files.

  2. Every time you patch a system or otherwise legitimately modify the software, you also need to update the white list.


There is products like Appsense Application Manager that do this already. It was temporarily pitched as a security product but they changed tact and focused it on licensing. I think it's because it didn't work too well as a security product.


If you are planning to work with a limited set of applications and you can work with application developers you can use a code signing model. You can find a similar approach in most mobile operating systems. You have to sign all the executable modules including libraries and need to verify they have a valid signature and not modified using a root certificate.

If you are only planning to white list applications based on their hash value you need to make sure your white listed applications verify any modules they use before they load. Even if the applications/installation files are digitally signed it does not guarantee that a library will be modified later in a malicious way.

In reality, it is not even enough to only verify executables and libraries. For example, Xbox Linux hack utilizes a malicious save file. It is a specially prepared save file that causes a legitimate and signed application behave in unexpected ways. And, of course it is not possible to white list a save file based on its hash value.

Another problem with keeping a database is zero day attacks. You need to be ahead of the curve for creating hash values for new attacks and propagating these updates to your users otherwise they will be vulnerable all new attacks. Unless you only allow only white listed applications to be executed and that would be really restrictive.

IMHO, it is really difficult build such a system on open platfom. Good luck with it.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜