On Sun, 2008-05-18 at 14:22 +0100, Srdjan Todorovic wrote:
> Which is a bit silly given that if you have a virus/spyware combo, the name of the binary could change and then the iptables rule will no longer be effective.
OK, fair point... it's the wrong way round. Drop everything and allow only known binaries that you have added rules for. Of course, all this is irrelevant if the malware in question has managed to get root access, as it can then flush/modify the rules.
BTW, some (if not all) versions of Norton Internet (in)Security have the same issue, as their application rules are based on filename and location, not signature, so if you get enough privileges to write to a file that is likely to have been allowed through (like the Norton updater itself), then you can pass the firewall.
Anyway, it is a moot point, because general users will tend to click on "allow" for fear that denying access to something will break something. The number of times I have seen malware in the allowed list on Windows machines almost outnumbers the times I have seen critical things that do genuinely need to get to the Internet in the denied list. I mean, in all honesty, how is the end user supposed to know that wuauclt.exe should be allowed access and randomspyware.exe shouldn't?