It's not dead...
It's just shifted slightly. Better stateful packet filtering and correct rights limiting for user accounts are all that's needed.
It's down to OS developers to get these things right. It always has been.
Grisoft is to acquire Exploit Prevention Labs, a maker of software that gauges the safety of websites before end-users visit them. Grisoft will fold the technology into its AVG family of security software. The acquisition, which is expected to close by the end of the month, will help Grisoft compete against its three bigger …
[quote]LinkScanner sits on a user's computer and monitors the outside world for exploits. When it detects one, it drops the connection, which prevents the attack from succeeding. It then reports the incident back to a central database so it can warn users who try to visit the same destination.[/quote]
I'm curious though how the connection can be dropped while still being able to report to a database? Don't you mean that the access to that specific site is blocked? Without a connection it's kind of impossible to report to an external anything.
PS: el Reg can't handle accents in usernames .. tsk tsk
"We're moving away from just protecting your laptop after you've been infected."
Well, maybe Grisoft's product tries to protect their users' laptops *after* they have been infected, but most other AV companies strive to do it *before* this happens. That's what on-access scanners are for.
And adding scanning of Web pages for known exploits is no different from the usual AV model based on blacklisting.
I've always thought that fixing an infection after the event is poor doctoring, especially when a new virus/trojan is released. Horse - door - bolted springs to mind. The AV companies have been making a very nice living, thank you very much.
This sounds like a Good Idea, perhaps others with more knowledge of these products have other ideas.
"I'm curious though how the connection can be dropped while still being able to report to a database?"
Yes, on first read it's easy to make that mistake, but I presume that what is meant is the individual TCP connection on which the SPI detects badness, not the network connection.
Different layers, innit.
Um, isn't that what your firewall is for? To block ports, and therefore traffic outside those ports that are needed, and to detect suspicious activity on ports that are required to be open?
I've no objection to a package that closes ports, sniffs packets, predicts viruses, blocks spam and anything else I've missed. Not quite sure why anyone thinks this might be new news. As far as users' rights are concerned, Windows doesn't offer nearly enough in my opinion; even if logged on as a super-admin, your Internet experience should be carried out in a secure user environment. Clicking on a website shouldn't be able to install a trojan.
Your average firewall will indeed block access to ports from the outside world; however, that is not what is being discussed here, since your browser has already made a connection (or several) to a web site through the firewall. What the link scanner is doing is monitoring the high-level content of the HTTP data stream, scanning for known exploits against browser vulnerabilities. It also sounds like it is injecting its own HTML into the returning data from web servers so that it can add cues to search results. Some of this technology could be described as a sort of high-level stateful inspection, but the rest goes beyond normal firewall behaviour.
I've no idea how LinkScanner does it, but I think there should be a big bat handle toggle switch on the front of the computer. Up - red light - network connected. Down - green light - ethernet clock pulse only; no external connection.
One switch for every NIC in the box. (Remember the reset switch? And how invaluable it was for software debugging? Sometimes the mobo circuitry is there but the box builder omitted the switch/wires/connector to cut costs.)
Anyway, LinkScanner could use multiple NICs paired with multiple web connections and multiple browser instances (even dial-up) to accomplish scanning in a honeypot. One issue is malware targeting specific countries that wouldn't be triggered if you were coming from the wrong country code, and I'm sure there are additional issues, because several people think the current trend of these "safe site" apps is rather worthless.
It misses obfuscated browser threats. That's because it's looking at the TCP stream, and therefore it has to be its own JScript/VBScript emulation in order to decrypt current browser attacks, and that's next to impossible to get right.
So if you are running NIS2008 or higher you already have better protection.
"most other AV companies strive to do it *before* this happens."
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
*ahem* Doctor, don't make me laugh like that, it hurts!
Grisoft's just diversifying their portfolio, that's all. At least they're prepared to admit up front what the rest of the AV industry knew since 1999, since Melissa:
Popular anti-virus software failed to do its job.
It's called Melissa's Ultimate Lesson. Google that some time.
>made a connection(or several) to a web site through the firewall. What the link
>scanner is doing is monitoring the high level content of the HTTP data stream
>scanning for known exploits against browser vulnerabilities
sites serving up malware via SSL will be an interesting problem then......
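The three technical points raised in this thread (a scanner that inspects the HTTP data stream for known exploit signatures and drops only the offending TCP stream while reporting over its own channel; its blindness to obfuscated script; and the fact that it sees nothing inside an SSL session) can be illustrated with a small model. The following is an added example written for this page, not LinkScanner, Grisoft or any vendor's code; the signatures, URLs, response bodies and class names are all constructed for the demonstration.

```python
"""Toy model of an HTTP-stream exploit scanner, in the spirit of the thread above.
Everything here is constructed for illustration; the signatures are benign markers."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

# Constructed stand-ins for a "known exploit" blacklist; not real malware signatures.
SIGNATURES = [
    ("constructed-hidden-iframe",
     re.compile(rb"<iframe[^>]*\b(width|height)=[\"']?0\b", re.I)),
    ("constructed-marker-payload", re.compile(rb"EXAMPLE_BAD_PAYLOAD")),
]


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Minimal on purpose: no chunked encoding, no continuation lines."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP/1.x response head")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status_line, headers, body


def normalize(body: bytes) -> bytes:
    """Cheap, lossy de-obfuscation: undo %XX and \\xXX escapes and 'a' + 'b'
    string splitting. This is the part the thread calls next to impossible to get
    right; anything smarter than these two tricks needs a real script interpreter."""
    out = unquote_to_bytes(body)
    out = re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), out)
    out = re.sub(rb"[\"']\s*\+\s*[\"']", b"", out)
    return out


def scan(body: bytes, deobfuscate: bool = True) -> list:
    """Return the names of all signatures that match the (optionally normalized) body."""
    data = normalize(body) if deobfuscate else body
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


@dataclass
class Inspector:
    """Sits between browser and network. It drops only the single TCP stream on
    which it saw a hit; the report goes out over its own separate channel
    (modelled here as a list), so 'drop the connection' and 'report it' do not conflict."""
    dropped: set = field(default_factory=set)
    reports: list = field(default_factory=list)  # stands in for the vendor's database link

    def inspect(self, stream_id: int, url: str, raw: bytes) -> str:
        try:
            _status, headers, body = parse_http_response(raw)
        except ValueError:
            # e.g. a TLS record: the content is simply not visible at this layer
            return "opaque"
        if not headers.get("content-type", "").startswith("text/html"):
            return "pass"  # only HTML/script content is scanned in this model
        hits = scan(body)
        if not hits:
            return "pass"
        self.dropped.add(stream_id)
        self.reports.append({"url": url, "signatures": hits})
        return "drop"


# Constructed sample traffic. example.invalid is a reserved name, not a real host.
HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PLAIN = HEAD + b"<html><iframe src='http://example.invalid/x' width=0 height=0></iframe></html>"
OBFUSCATED = HEAD + (b"<script>document.write('%3Cifr' + 'ame src=\"http://example.invalid/x\" "
                     b"wid' + 'th=0>');</script>")
BENIGN = HEAD + b"<html><p>hello</p></html>"
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)  # shape of an encrypted application-data record


if __name__ == "__main__":
    insp = Inspector()
    for sid, url, raw in [(7, "http://example.invalid/a", PLAIN),
                          (8, "http://example.invalid/b", BENIGN),
                          (9, "http://example.invalid/c", OBFUSCATED),
                          (10, "https://example.invalid/d", TLS_RECORD)]:
        print(sid, url, insp.inspect(sid, url, raw))
    print("dropped streams:", sorted(insp.dropped))
    print("reports sent:", insp.reports)
    print("obfuscated body, raw scan:", scan(parse_http_response(OBFUSCATED)[2], deobfuscate=False))
```

Three things fall out of running it. The raw signature match misses the split-string variant and only the normalizer catches it, which is the blacklisting weakness the thread points at: a few more layers of encoding and the normalizer is back to guessing. The dropped set and the report list are independent, which is the "different layers" answer to the dropped-connection question. And the TLS record never even reaches the signature stage, which is the SSL problem in the last comment: an in-line scanner without a local TLS-terminating proxy can only see the endpoint, not the page.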