

Tavis Ormandy ports Windows Defender to linux



#1 JohnC_21

  • Members
  • 24,610 posts
  • Gender:Male

Posted 23 May 2017 - 06:17 PM

https://twitter.com/taviso/status/867134496935563264   




#2 TsVk!

    penguin farmer

  • Members
  • 6,238 posts
  • Gender:Male
  • Location:The Antipodes

Posted 23 May 2017 - 07:51 PM

Why oh why!?!!??

 




#3 JohnC_21

  • Topic Starter
  • Members
  • 24,610 posts
  • Gender:Male

Posted 23 May 2017 - 07:59 PM

He gave his reason on GitHub.

 

https://github.com/taviso/loadlibrary

 

Why?

Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data.

This is less of a problem on Linux, but I've found that porting components of Windows Antivirus products to Linux is often possible. This allows me to run the code I’m testing in minimal containers with very little overhead, and easily scale up testing.

This is just personal opinion, but I also think Linux has better tools. ¯\_(ツ)_/¯

 




#4 TsVk!

    penguin farmer

  • Members
  • 6,238 posts
  • Gender:Male
  • Location:The Antipodes

Posted 23 May 2017 - 08:14 PM

Ah, ok... it's just for testing. He's not planning on releasing his Frankencode. :wink:



#5 mremski

  • Members
  • 498 posts
  • Gender:Male
  • Location:NH

Posted 24 May 2017 - 05:54 AM

In all honesty, Defender, like just about every other AV product, relies heavily on "definitions". Definitions of known malware, either tight (pick up a single strain) or loose (to pick up families), plus other behavioral rules (realtime). Behavior may prove interesting cross-platform, definitions when statically scanning files, but definitions that are looking for other behavior (I don't imagine a syscall to erase shadow volume copies would work on Linux) are not likely to be useful.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#6 DeimosChaos

  • BC Advisor
  • 1,420 posts
  • Gender:Male
  • Location:United States, Delaware

Posted 28 May 2017 - 08:49 AM

In all honesty, Defender, like just about every other AV product relies heavily on "definitions".


Exactly. Traditional AVs are becoming pretty useless. Most good malware coders are gonna get around them. Plus all you have to do is run it through a program so that its signature isn't known and it won't get picked up.

The "Next gen" AVs with machine learning algorithms are where the future is at.

OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +




