BLODA detection code in latest snapshot
Ryan Johnson
ryan.johnson@cs.utoronto.ca
Wed Feb 29 14:45:00 GMT 2012
On 29/02/2012 7:22 AM, Andrey Repin wrote:
> do you filter by DLL name or its full path?
> Because, %SystemRoot%\system32\shlwapi.dll is likely to be harmless.
> But same name DLL inserted from any other place...
That would be moving beyond mere BLODA and into malware territory. At
that point, just because it's in %SystemRoot% doesn't mean it's safe,
either. In fact, we can't really even be sure a well-known dll name in
%SystemRoot% is safe if the machine is infected with something.
I don't think we're trying to play virus scanner here, so dll name
should suffice.
$.02
Ryan
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple