• jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    8
    ·
    3 months ago

    I think it’s important to be clear about the difference between antivirus, and an in resident black box agent.

    An antivirus that you run on static files, is perfectly fine in any environment. t’s controllable it’s known you know the inputs you know the outputs. You know what you’re exposing to it. Even if the antivirus itself is a black box, you spin up a VM with the files you want to scan, you get the output of the scan, you destroy the virtual machine. So you don’t leak anything

    An agent that stays with privileged access to the machine, is basically a root kit, and they’re often black boxes. So a black box root kit is a huge security risk, especially if that black box needs to phone home to a service outside of your network. That’s just crazy. That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

    • flying_sheep@lemmy.ml
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      3 months ago

      Very true. I doubt the researcher in question would object to use a virus scanner like you described.

      Every consumer antivirus software works like the black box rootkit you described, AFAIK.

    • stringere@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      That’s more than an antivirus, that is I don’t even know the right word, but it’s a lot.

      I think SIEM is what you’re looking for: Security Information and Event Monitoring