This is the mail archive of the cygwin-talk mailing list for the cygwin project.
RE: The Big List of Dodgy Apps


On Tue, 20 Mar 2007, Dave Korn wrote:

> On 20 March 2007 17:03, Christopher Faylor wrote:
>
> > On Tue, Mar 20, 2007 at 02:43:45PM -0000, Dave Korn wrote:
>
> >> Windows Defender
> >
> > Funny but I didn't notice any problems when I was running Windows
> > Defender.
>
>   I got that from this post:
> http://www.cygwin.com/ml/cygwin/2007-01/msg00742.html
>
>   It's not fully explained in the event log but it looks like it checks the
> executables that implement services and warns/blocks if it looks like the file
> has been altered.
>
> > It sure would be nice (tm pending) if we had some way of detecting
> > these problematic applications automatically.  It would be even nicer
> > if we had someone who was dedicated to making cygcheck be all that
> > it could be wrt detecting potential sources of problems and, even,
> > suggesting solutions.
>
>   <nods sagely> I'll try and find some tuits.  If nothing else it might
> save a lot of time just to have the information listed in cygcheck.  We
> probably want to give it the ability to detect that a badware exists or
> is installed by looking for 1) registry keys that would indicate it has
> been installed 2) presence of named executables in known (i.e. default
> install) locations and 3) presence of named executables in list of
> current running tasks.
>
>   Can anyone suggest any other useful detection mechanisms?

Not a mechanism per se, but it would be great if this were designed to be
pluggable.  E.g., there's a list of functions that should be run to detect
conflicting software, and someone who writes a new detector should be able
to write his own function and add it to the list, and cygcheck would
automatically run it and report that the software is detected.  It could
even, perhaps, be couched in a form similar to longopts -- i.e., an
array of structs with the program name, a pointer to the detection
function, and some other attributes, to standardize the output format.

As for something you missed in your list, how about 4) look in the table
of installed services for those that correspond to known offenders, e.g.,
ZoneAlarm...
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_	    pechtcha@cs.nyu.edu | igor@watson.ibm.com
ZZZzz /,`.-'`'    -.  ;-;;,_		Igor Peshansky, Ph.D. (name changed!)
     |,4-  ) )-,_. ,\ (  `'-'		old name: Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Freedom is just another word for "nothing left to lose"...  -- Janis Joplin
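The longopts-style detector table discussed in this thread, as an added example that is not cygcheck's own code. It combines all four of the mechanisms mentioned (registry keys, executables in default install locations, running tasks, installed services) behind a single table of structs, so a new detector is one function plus one table entry. The product names, registry keys, paths and service names are constructed placeholders, and the four environment probes read from an in-memory snapshot rather than the Win32 API so the example runs offline; a real implementation would back them with RegOpenKeyEx, GetFileAttributes, CreateToolhelp32Snapshot and EnumServicesStatus.

```c
#include <stdio.h>
#include <string.h>

/* A constructed snapshot of one machine's state, standing in for the real
   Win32 queries cygcheck would make.  Each list is NULL-terminated. */
typedef struct {
    const char *const *reg_keys;  /* registry keys present (mechanism 1) */
    const char *const *files;     /* executables present on disk (mechanism 2) */
    const char *const *tasks;     /* image names of running processes (mechanism 3) */
    const char *const *services;  /* installed service names (mechanism 4) */
} snapshot;

/* Exact-match lookup over a NULL-terminated list.  Real Win32 names are
   case-insensitive, so a production probe would compare with _stricmp. */
static int in_list(const char *const *list, const char *needle) {
    for (; *list; list++)
        if (strcmp(*list, needle) == 0)
            return 1;
    return 0;
}

/* The pluggable part: one entry per known offender, like a longopts array. */
typedef int (*detect_fn)(const snapshot *);

typedef struct {
    const char *name;    /* product name shown in the cygcheck report */
    detect_fn   detect;  /* returns non-zero if the product is present */
    const char *advice;  /* what to suggest when it is found */
} detector;

/* Hypothetical firewall: detected via its registry key or its service. */
static int detect_example_firewall(const snapshot *s) {
    return in_list(s->reg_keys, "HKLM\\SOFTWARE\\ExampleVendor\\ExampleFirewall")
        || in_list(s->services, "ExampleFirewallSvc");
}

/* Hypothetical on-access scanner: detected via its default install path or
   its running process, which also catches a non-default install location. */
static int detect_example_scanner(const snapshot *s) {
    return in_list(s->files, "C:\\Program Files\\ExampleScanner\\scanner.exe")
        || in_list(s->tasks, "scanner.exe");
}

/* Adding a detector means adding one function and one line here.
   The all-NULL entry terminates the table, as in longopts. */
static const detector DETECTORS[] = {
    { "Example Firewall", detect_example_firewall,
      "check its program-control rules for Cygwin executables" },
    { "Example Scanner",  detect_example_scanner,
      "consider excluding the Cygwin tree from on-access scanning" },
    { NULL, NULL, NULL }
};

/* Runs every detector against the snapshot, prints one standardized line per
   hit (when out is non-NULL) and returns the number of products detected. */
int run_detectors(const snapshot *s, FILE *out) {
    int found = 0;
    for (const detector *d = DETECTORS; d->name; d++) {
        if (d->detect(s)) {
            found++;
            if (out)
                fprintf(out, "Found %s: %s\n", d->name, d->advice);
        }
    }
    return found;
}

/* Constructed sample: the firewall is installed as a service, and the scanner
   is running from a non-default directory (no file at the default path). */
static const char *const S_REG[]   = { "HKLM\\SOFTWARE\\Unrelated\\Product", NULL };
static const char *const S_FILES[] = { "C:\\cygwin\\bin\\bash.exe", NULL };
static const char *const S_TASKS[] = { "explorer.exe", "scanner.exe", NULL };
static const char *const S_SVCS[]  = { "ExampleFirewallSvc", "cygrunsrv", NULL };
const snapshot SAMPLE = { S_REG, S_FILES, S_TASKS, S_SVCS };

/* Constructed sample with none of the known offenders present. */
static const char *const C_EMPTY[] = { NULL };
const snapshot CLEAN = { C_EMPTY, C_EMPTY, C_EMPTY, C_EMPTY };

int main(void) {
    int n = run_detectors(&SAMPLE, stdout);
    printf("%d conflicting program(s) detected\n", n);   /* prints 2 for SAMPLE */
    return 0;
}
```

Because the report line is produced by `run_detectors` rather than by each detector, every entry prints in the same format regardless of who wrote it, which is the standardization the table is meant to provide; a detector only answers yes or no.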
