Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Vista Security > Re: System Calls


Re: System Calls

spike1@freenet.co.uk
      03-13-2010
And verily, didst Karthik Balaguru <> hastily babble thusly:
> [Karthik Balaguru]
> So, does it imply that the virus scanners check for
> malicious system calls from malicious applications
> in Windows ? Are there any opensource implementation
> of those virus scanners that check for malicious
> system calls from certain applications in Windows ?


No, it means the virus scanners don't scan running processes.
They scan files on the hard disk and in e-mails/other network-related stuff that
is destined for transfer to Windows-based networks/machines... and then
quarantine anything that matches a virus profile.

--
| | "I'm alive!!! I can touch! I can taste! |
| Andrew Halliwell BSc | I can SMELL!!! KRYTEN!!! Unpack Rachel and |
| in | get out the puncture repair kit!" |
| Computer Science | Arnold Judas Rimmer- Red Dwarf |
David H. Lipman
      03-14-2010
From: <>

| And verily, didst Karthik Balaguru <> hastily babble thusly:
>> [Karthik Balaguru]
>> So, does it imply that the virus scanners check for
>> malicious system calls from malicious applications
>> in Windows ? Are there any opensource implementation
>> of those virus scanners that check for malicious
>> system calls from certain applications in Windows ?


| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network related stuff that
| are destined for transfer to windows based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


David H. Lipman
      03-14-2010
From: "Karthik Balaguru" <>

| On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
| wrote:
>> From: <spi...@freenet.co.uk>


>> | And verily, didst Karthik Balaguru <karthikbalagur...@gmail.com> hastily babble
>> thusly:


>> >> [Karthik Balaguru]
>> >> So, does it imply that the virus scanners check for
>> >> malicious system calls from malicious applications
>> >> in Windows ? Are there any opensource implementation
>> >> of those virus scanners that check for malicious
>> >> system calls from certain applications in Windows ?


>> | No, it means the virus scanners don't scan running processes.
>> | They scan files on hard disk and in e-mails/other network related stuff that
>> | are destined for transfer to windows based networks/machines... and then
>> | quarantine anything that matches a virus profile.


>> McAfee scans running processes.



| Interesting. So, does McAfee also check for malicious calls from
| malicious applications ?

| But, I think McAfee is not open-source software. So,
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications ?

| Thx in advance,
| Karthik Balaguru


Define: "malicious calls"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Matt Giwer
      03-15-2010
On 03/14/2010 09:57 AM, Karthik Balaguru wrote:
> On Mar 14, 6:08 am, "David H. Lipman"<DLipman~nosp...@Verizon.Net>
> wrote:
>> From:<spi...@freenet.co.uk>
>> | And verily, didst Karthik Balaguru<karthikbalagur...@gmail.com> hastily babble thusly:
>>>> [Karthik Balaguru]
>>>> So, does it imply that the virus scanners check for
>>>> malicious system calls from malicious applications
>>>> in Windows ? Are there any opensource implementation
>>>> of those virus scanners that check for malicious
>>>> system calls from certain applications in Windows ?

>> | No, it means the virus scanners don't scan running processes.
>> | They scan files on hard disk and in e-mails/other network related stuff that
>> | are destined for transfer to windows based networks/machines... and then
>> | quarantine anything that matches a virus profile.
>>
>> McAfee scans running processes.


> Interesting. So, does McAfee also check for malicious calls from
> malicious applications ?
>
> But, I think McAfee is not open-source software. So,
> any other open source virus scanner that supports the
> feature of checking the malicious calls from malicious
> applications ?


Last I heard, McAfee looks at discovered viruses, finds patterns in them and
then scans for that pattern. This works as once a new nasty exploit is
discovered it spreads with minor changes around the core exploit like which IP
to go to for instructions.

I have not heard of anyone being able to predetermine what to scan for in
applications as something one does not want. Were that the case, all
formatting programs would be trojans and all updating software would be making
unauthorized calls to MS or yum repositories.

--
Before the Gaza massacre Israel was given the benefit of the doubt.
With Gaza Israel removed all doubt.
-- The Iron Webmaster, 4237
http://www.giwersworld.org/antisem/ Antisemitism a10
Mon Mar 15 02:37:47 EDT 2010
FromTheRafters
      03-15-2010
"Karthik Balaguru" <> wrote in message
news:4ddd456e-dd1c-4e5c-8d14-...
On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: <spi...@freenet.co.uk>
>
> | And verily, didst Karthik Balaguru <karthikbalagur...@gmail.com>
> hastily babble thusly:
>
> >> [Karthik Balaguru]
> >> So, does it imply that the virus scanners check for
> >> malicious system calls from malicious applications
> >> in Windows ? Are there any opensource implementation
> >> of those virus scanners that check for malicious
> >> system calls from certain applications in Windows ?

>
> | No, it means the virus scanners don't scan running processes.
> | They scan files on hard disk and in e-mails/other network related
> stuff that
> | are destined for transfer to windows based networks/machines... and
> then
> | quarantine anything that matches a virus profile.
>
> McAfee scans running processes.
>


Interesting. So, does McAfee also check for malicious calls from
malicious applications ?

But, I think McAfee is not open-source software. So,
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications ?

Readers of this thread might also find this interesting:
http://vx.netlux.org/lib/afc08.html


FromTheRafters
      03-16-2010
"Karthik Balaguru" <> wrote in message
news:29fb3a70-3eae-4d12-ab20-...

I think REMUS (a kernel module for Linux) helps in identification of
incorrect parameters and access rights by interaction with the
Access Control Database managed by the sysctl command,
but I am not sure if it would help in identifying whether the system
calls have been tweaked.

***
It looks for suspicious activity regarding programs using legitimate
calls in a suspicious (possibly malicious) manner. Some attack patterns
are known to use certain combinations of calls, any program using that
certain combination of calls will be suspect. The calls themselves are
not malicious. See
http://www.pdf-tube.com/download/ebo...y9yZW11cy5wZGY
***


spike1@freenet.co.uk
      03-16-2010
And verily, didst David H. Lipman <DLipman~nospam~@verizon.net> hastily babble thusly:
> From: <>
>
> | And verily, didst Karthik Balaguru <> hastily babble thusly:
>>> [Karthik Balaguru]
>>> So, does it imply that the virus scanners check for
>>> malicious system calls from malicious applications
>>> in Windows ? Are there any opensource implementation
>>> of those virus scanners that check for malicious
>>> system calls from certain applications in Windows ?

>
> | No, it means the virus scanners don't scan running processes.
> | They scan files on hard disk and in e-mails/other network related stuff that
> | are destined for transfer to windows based networks/machines... and then
> | quarantine anything that matches a virus profile.
>
> McAfee scans running processes.


McAfee runs on Linux now?

--
| |What to do if you find yourself stuck in a crack|
| |in the ground beneath a giant boulder, which you|
| |can't move, with no hope of rescue. |
| Andrew Halliwell BSc |Consider how lucky you are that life has been |
| in |good to you so far... |
| Computer Science | -The BOOK, Hitch-hiker's guide to the galaxy.|
David H. Lipman
      03-16-2010
From: <>


>> McAfee scans running processes.


| McAfee runs on Linux now?

http://www.mcafee.com/us/enterprise/...nuxshield.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


FromTheRafters
      03-17-2010
"Karthik Balaguru" <> wrote in message
news:b13f8cf1-84f4-4396-ab3d-...
On Mar 16, 5:09 pm, "FromTheRafters" <erra...@nomail.afraid.org>
wrote:
> "Karthik Balaguru" <karthikbalagur...@gmail.com> wrote in message
>
> news:29fb3a70-3eae-4d12-ab20-...
>
> I think REMUS (a kernel module for Linux) helps in identification of
> incorrect parameters and access rights by interaction with the
> Access Control Database managed by the sysctl command,
> but I am not sure if it would help in identifying whether the system
> calls have been tweaked.
>
> ***
> It looks for suspicious activity regarding programs using legitimate
> calls in a suspicious (possibly malicious) manner. Some attack
> patterns
> are known to use certain combinations of calls, any program using that
> certain combination of calls will be suspect. The calls themselves are
> not malicious.
> See http://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced...
> ***



Yeah, I do find that malicious calls have different views.

From the REMUS document at the link provided by you
it seems that malicious calls also include -
- Illegal invocation of critical system calls that could
cause hijacking of control of any privileged process.
- Inefficient check of the argument values of the system calls

The REMUS homepage link was actually broken and
hence I was collecting information by searching the internet -
http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf
Thx for providing the link. I will check it out.

[...]

***
It might be worth pondering that viruses, in particular, don't generally
need to exploit software flaws. REMUS seems to be a good enhancement for
the OS, but AV has (or had) a different goal.
***


FromTheRafters
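The two REMUS points raised in this thread, that individually legitimate calls become suspect only in certain combinations (the 03-16 reply) and that critical calls should also have their argument values checked (the 03-17 summary), are easy to see in a small trace monitor. The code below is an added illustration written for this page, not REMUS's own code or its real rule set: it assumes strace-style input lines of the form `pid name(args) = ret`, the trace is constructed, and the two rules (root `setuid` followed by exec of a shell in the same process; `chmod` granting the setuid bit to a file outside system directories) are illustrative policy choices, not rules REMUS ships with.

```python
import re
from collections import defaultdict

# Constructed strace-style sample trace (sample input for this example, not
# REMUS output). Assumed line format: "<pid> <syscall>(<args>) = <ret>".
SAMPLE_TRACE = """\
4101 openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
4101 read(3, "build-box", 4096) = 9
4101 close(3) = 0
4102 chmod("/usr/bin/passwd", 04755) = 0
4103 chmod("/tmp/helper", 04755) = 0
4104 setuid(0) = 0
4104 execve("/bin/sh", ["sh", "-c", "id"], []) = 0
4105 setuid(0) = 0
4105 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY) = 5
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)')


def split_args(s):
    """Split an argument list on top-level commas, respecting quotes and brackets."""
    out, cur, depth, quoted = [], [], 0, False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in '[{(':
            depth += 1
        elif not quoted and ch in ']})':
            depth -= 1
        if ch == ',' and not quoted and depth == 0:
            out.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append(''.join(cur))
    return [a.strip() for a in out]


def parse_trace(text):
    """Parse trace lines into (pid, name, args, ret) tuples; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((int(m.group('pid')), m.group('name'),
                          split_args(m.group('args')), m.group('ret')))
    return calls


# --- Sequence rules: calls that are harmless alone but suspect in combination ---
SHELLS = {'"/bin/sh"', '"/bin/bash"', '"/bin/dash"'}


def is_setuid_root(name, args):
    return name == 'setuid' and args[:1] == ['0']


def is_exec_shell(name, args):
    return name == 'execve' and bool(args) and args[0] in SHELLS


# Each rule is an ordered list of step predicates; all must occur, in order,
# within one process (not necessarily adjacent). Illustrative rule, not REMUS's.
SEQUENCE_RULES = {
    'priv-shell': [is_setuid_root, is_exec_shell],
}


# --- Argument rules: a single critical call whose argument values are out of policy ---
def chmod_setuid_outside_system_dirs(name, args):
    """chmod that sets the setuid bit (mode 04xxx) on a file outside system directories."""
    if name != 'chmod' or len(args) < 2:
        return False
    path = args[0].strip('"')
    mode = int(args[1], 8)
    return bool(mode & 0o4000) and not path.startswith(('/usr/', '/bin/', '/sbin/'))


ARGUMENT_RULES = {
    'setuid-bit-outside-system-dirs': chmod_setuid_outside_system_dirs,
}


def matches_in_order(seq, steps):
    """True when every step predicate matches some call, in order, within seq."""
    i = 0
    for name, args in seq:
        if i < len(steps) and steps[i](name, args):
            i += 1
    return i == len(steps)


def analyse(calls):
    """Return sorted (pid, rule_name) alerts for argument and sequence rules."""
    alerts = []
    by_pid = defaultdict(list)
    for pid, name, args, _ret in calls:
        by_pid[pid].append((name, args))
        for rule, pred in ARGUMENT_RULES.items():
            if pred(name, args):
                alerts.append((pid, rule))
    for pid, seq in by_pid.items():
        for rule, steps in SEQUENCE_RULES.items():
            if matches_in_order(seq, steps):
                alerts.append((pid, rule))
    return sorted(alerts)


if __name__ == '__main__':
    for pid, rule in analyse(parse_trace(SAMPLE_TRACE)):
        print(f"pid {pid}: {rule}")
```

Note what does and does not fire on the sample: pid 4102 sets the setuid bit on `/usr/bin/passwd` and pid 4105 calls `setuid(0)` but never executes a shell, so neither is reported; only the out-of-policy `chmod` (4103) and the root-then-shell sequence (4104) produce alerts. That is exactly the distinction the thread draws: the calls themselves are not malicious, the combination or the argument values are what the monitor judges.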
      03-18-2010
"Karthik Balaguru" <> wrote in message
news:8c6fb9df-042a-42b4-90f0-...
On Mar 17, 6:46 am, "FromTheRafters" <erra...@nomail.afraid.org>
wrote:

> ***
> It might be worth pondering that viruses, in particular, don't
> generally
> need to exploit software flaws. REMUS seems to be a good enhancement
> for
> the OS, but AV has (or had) a different goal.
> ***


Interesting to know that generally viruses do not exploit this flaw.

***
Or rather, that they don't *need* to exploit *any* flaw. REMUS helps
protect the OS from privilege escalation attacks against software flaws.
***

