Stateful Packet Inspection against any kind of Malware!

fs admin at www0.org
Fri Aug 13 01:47:00 EEST 2004


On Wed, Aug 11, 2004 at 11:49:28AM +0000, beatnik wrote:
> Let's assume that I do not want to run critical security updates (patches) 
> by Micro$oft.
> a) I was wondering if just a firewall can save my ass without even using 
> AV.

Only in specific cases will it "save your ass", as you put it.

> b) If there is one, then I would also like that firewall to inspect each 
> incoming packet to my network interface and, if the data portion of the 
> packet matches a virus/trojan/worm or any kind of malware packet, then 
> it will simply have to drop it.

The "data portion". Right, well.. have you realised that this is essentially
an antivirus? Norton Antivirus on your beloved Windows can be set up to
check anything that is written to the hard disk, and obviously before it
runs.

I can't see how something like that can seem insecure to you compared with
the idea you had. Why analyse the packets from IRC and every HTTP
connection when you are just a desktop user?

Providers would find your idea useful. And that is because they have no
way of "physical" contact with the files, unlike you, who know what you
are running (theoretically).

> That way, even if I deliberately choose to open a virus-infected link or a 
> worm-infected attachment, my OS will still be in no danger at all, even without 
> running an AV or patches!

If you had a worm attachment in your local mailbox, how exactly would a
packet filter block it?

> I think this is a logical demand, and we don't have to search every day for 
> patches to secure the holes in our OS; instead we will leave the firewall to 
> update its database automatically.

Exactly the way the average Joe does automatic updates on Norton Antivirus,
eh?

> Antivirus packages, after all, don't work as they should, in my opinion! They 
> wait for your machine to get infected 

That is flat-out wrong. A proper antivirus never waits for the OS to get
infected. What you mean is that it lets executables be written to disk, as
you say below. _HOW EXACTLY_ is that less secure than a packet filter that
may not even have an updated virus definition database? And _HOW EXACTLY_
is an antivirus that _HAS_ an updated virus database and lets executables
be written to disk insecure?

> with a virus which is stored in a hdd 
> file, and then, because they have a scannable object in their hands, only 
> then can they delete the damn thing.... 

Well, I'll put the question again from your new angle: how exactly is such
an antivirus with an updated virus database less secure than a packet
filter that does not have an updated virus database?

> I believe Stateful Packet Inspection, examining the contents of the IP 
> packets' data portion against a malware (trojan/worm/virus) database that 
> would update itself periodically, would be a far more secure approach. 
> No?!?!

No. In cases of mass scanning - in practice, for use by netadmins - yes,
it has some basis, because _IF_ you have the corresponding computing power,
and _IF_ you have the corresponding updated virus database, then you can
get some reduction in traffic and fewer calls of despair.

Still, as a solution in general, it does not escape the danger of a virus
getting through when you have not updated the (mentioned a thousand times
in this message) virus database.

And that much-desired up-to-date virus database, in an antivirus that
respects itself and for the specific use on Microsoft Windows (TM) (you
mentioned it), has no reason to let you down.

Bye,
	fs
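The thread above argues about matching the "data portion" of each packet against a signature database versus scanning the whole file once it is written to disk. The following added example (not code from either poster, and not any real antivirus or firewall product) makes the "stateful" part of the subject line concrete: a signature that straddles two TCP segments is invisible to a filter that looks at one packet at a time, while a filter that reassembles the stream, or an on-write scanner that sees the complete file, finds it. The signature strings, the segment sizes and the sample download are all constructed for the demonstration.

```python
"""Per-packet versus reassembled-stream signature matching (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed "virus dbase": name -> byte pattern. These markers are
# placeholders invented for the example, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "demo-worm-A": b"WORM_DEMO_MARKER",
    "demo-trojan-B": b"TROJAN_DEMO_MARKER",
}


@dataclass
class Segment:
    seq: int        # TCP-style sequence number of the first payload byte
    payload: bytes  # the "data portion" of the packet


def scan_bytes(data: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pat in sigs.items() if pat in data]


def scan_per_packet(segments: Iterable[Segment]) -> List[str]:
    """Stateless inspection: each packet's data portion is examined on its own."""
    hits: List[str] = []
    for seg in segments:
        hits.extend(scan_bytes(seg.payload))
    return hits


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Stateful inspection: order segments by sequence number and rebuild the stream.

    Raises ValueError on a gap, because matching over a stream with holes
    would silently miss whatever fell into the hole.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    out = bytearray()
    expected = ordered[0].seq if ordered else 0
    for seg in ordered:
        if seg.seq != expected:
            raise ValueError(f"gap in stream at seq {expected}")
        out += seg.payload
        expected += len(seg.payload)
    return bytes(out)


def scan_stream(segments: Iterable[Segment]) -> List[str]:
    """Match signatures over the reassembled stream instead of single packets."""
    return scan_bytes(reassemble(segments))


def on_write_verdict(file_bytes: bytes) -> Tuple[bool, List[str]]:
    """Model of an on-access scanner: the whole object is checked when it is
    written to disk, before it can run. Returns (allowed, matched_signatures)."""
    hits = scan_bytes(file_bytes)
    return (len(hits) == 0, hits)


def segment(stream: bytes, mss: int, start_seq: int = 1000) -> List[Segment]:
    """Split a byte stream into fixed-size segments the way a sender would."""
    return [Segment(start_seq + i, stream[i:i + mss])
            for i in range(0, len(stream), mss)]


def demo() -> Dict[str, object]:
    # Constructed download: 22 bytes of HTTP header, 20 bytes of padding, then
    # the 16-byte marker at offsets 42..57. With mss=50 the marker is cut at
    # byte 50, so neither packet carries the full pattern.
    stream = b"GET /file HTTP/1.0\r\n\r\n" + b"x" * 20 + b"WORM_DEMO_MARKER" + b"y" * 10
    segs = segment(stream, mss=50)
    arrived = list(reversed(segs))  # simulate out-of-order delivery
    return {
        "per_packet": scan_per_packet(arrived),       # [] : signature split across packets
        "stream": scan_stream(arrived),               # ['demo-worm-A']
        "on_write": on_write_verdict(stream),         # (False, ['demo-worm-A'])
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:>10}: {result}")
```

The per-packet scan comes back empty even though the full signature is in the transfer; only the reassembled stream or the saved file exposes it. That is the work (buffering, ordering, per-flow state) the reply refers to when it says inline scanning needs the corresponding computing power, and it still depends on the database being current.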




More information about the Linux-greek-users mailing list