Why didn't I patent this!

A while back, um, quite a while back now [2nd Sept 2002], I wrote a piece for Computer Weekly about how AV can't work perfectly.

As part of that, I said a little something about how an operating system should do more to protect the user - by not automatically starting processes that the user hadn't authorized, e.g., say process A [which you trust] suddenly tries to start process B [which you don't trust] - well, the OS should tell you about this and ask for permission!

The bit of this that made it through the editor's hands went like this:

"For a virus to work, it needs to be executed, either directly, or by some other process already in operation. Now, the operating system is the thing that creates processes. So, if the operating system were a more picky about what processes it'll start automatically - well, these things could be caught very effectively."

If you're interested, the original went like this:

"In order for a virus to work, it needs to be executed: either directly, or by some other already-executing-process. Now, the operating-system is the thing that creates processes. So, if the operating-system were a bit more picky about what processes it’ll start automagically, well ... these things could be caught very effectively.

"Imagine, you double-click what looks like an Excel file-attachment appearing in your email. However, the operating-system sees that the file is actually an executable. Next, it checks to see if this executable has been run on your machine before and, if it hasn’t, it simply asks you – “Are you sure you want to run this PROGRAM?”. You answer ‘no way’. Problem solved.

"Alternatively, this kind of approach – where the operating-system is rather more proactive - could be extended to anything that has write-access to your hard disk. After all, no write-access = no-damage!"

I rather liked the 'if you haven't run this before' bit - and I wish Vista's UAC worked like this, e.g., why ask me every time if I trust something when I've already said 'Yes' 30 times before! What if the parameters have changed! Well, ok, how about if they haven't changed from the previous 29 runs, well, please don't ask me *again* - it's ok!
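
To make the 'if you haven't run this before' idea concrete, here is a sketch of such a gate, added as an illustration and not code from the original article or from any operating system. `FirstRunGate`, the approvals file and the `ask` callback are hypothetical names; the gate decides "is this a program?" from the file's content rather than its name, and keys each approval to the binary's hash plus its parameters, so it asks again only when one of them changes.

```python
import hashlib
import json
from pathlib import Path

# Leading bytes of common executable formats: PE ("MZ") and ELF.
EXEC_MAGIC = (b"MZ", b"\x7fELF")

def is_executable(path):
    """Decide by content, not by file name or extension."""
    with open(path, "rb") as f:
        return f.read(4).startswith(EXEC_MAGIC)

def launch_key(path, args):
    """Identify one (binary, parameters) pair; any change gives a new key."""
    content_digest = hashlib.sha256(Path(path).read_bytes()).digest()
    arg_bytes = json.dumps(list(args)).encode()
    return hashlib.sha256(content_digest + arg_bytes).hexdigest()

class FirstRunGate:
    """Hypothetical first-run check: prompt once per binary and parameter set."""

    def __init__(self, store, ask):
        self.store = Path(store)  # assumed location of remembered approvals
        self.ask = ask            # callback that prompts the user, returns bool
        self.approved = set()
        if self.store.exists():
            self.approved = set(json.loads(self.store.read_text()))

    def may_run(self, path, args=()):
        if not is_executable(path):
            return True   # a data file: nothing to gate here
        key = launch_key(path, args)
        if key in self.approved:
            return True   # same binary, same parameters: don't ask again
        prompt = f"Are you sure you want to run this PROGRAM? {path} {list(args)}"
        if self.ask(prompt):
            self.approved.add(key)
            self.store.write_text(json.dumps(sorted(self.approved)))
            return True
        return False      # a refusal is not remembered, so the next try asks again
```

Because the key covers the file's content, a binary that has been replaced or modified since it was approved is treated as never having been run.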

Also - the no write access ... maybe a better version of UAC ought to get into this a bit more? E.g., how does this fly ... the OS says, you can run whatever you like, but, if that *thing* tries to output data, I'll ask you whether to permit it to continue or not?

If you think about it, protecting a user this way could make real sense - and, in doing so, not be SO annoying/intrusive! For example, what harm is there in running - or allowing to run - a process that you didn't know you were about to run - if it's sand-boxed, and cannot output anything ... it can read files 'til its heart's content, but it *cannot output anything* - not down-the-wire, not to the file system, not to the registry etc. Nitto, nothing! No writes of any kind = you're safe.

Anyway - can I sue ;-) Or, should I patent the no-write stuff :-)

Or,

would MS Research please hire me now please!

:-(

posted on Friday, February 02, 2007 7:47 PM