Security Worms

HP Shelves Virus Throttler Program (277 comments)

Posted by timothy
from the simply-too-arcane-and-complicated dept.
longlanekid writes "Though HP has apparently designed a great program for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows incompatibilities."
  • /. worthy? (Score:3, Interesting)

    by wo1verin3 (473094) on Wednesday August 25, 2004 @06:08PM (#10072888) Homepage
    This is a product that was intended for use on Windows, they obviously couldn't get it working on Windows. Don't start blaming MS for this one...

    That aside, any coincidence that the vice president and chief technology officer of HP is named Tony Redmond? :) j/k
    • by Handpaper (566373) on Wednesday August 25, 2004 @06:10PM (#10072913)
      Confused me, too:
      '"we don't own Windows," Redmond says.'
      WTF?

    • Re:/. worthy? (Score:2, Insightful)

      by MikeMacK (788889)
      I blame them only in so much as the REASON HP couldn't get it to work was because Windows is a closed, proprietary OS. You would think that MS would WANT stuff like this to work on Windows with their "Trustworthy Computing" initiative.
      • Re:/. worthy? (Score:4, Interesting)

        by The Bungi (221687) <thebungi@gmail.com> on Wednesday August 25, 2004 @06:26PM (#10073040) Homepage
        Really? That's funny. I have this thing, you know, a software firewall? It intercepts every single network call (heck, it will even plug the loopback if you tell it to) and it works fine, 100% of the time. If it can pop up a dialog asking me if I want ApplicationX to contact a given domain (or IP address) I figure it could also throttle the connection. Any connection.

        I'm pretty sure the people who wrote Tiny Personal Firewall didn't have access to the Windows source code.

        So enlighten me again - what does this have to do with Windows being a "closed proprietary OS" again?

        And BTW, this is something already built into XP, as you can tell from the many comments in this article.

        • Re:/. worthy? (Score:3, Interesting)

          by Zakabog (603757)
          I'm pretty sure the people who wrote Tiny Personal Firewall didn't have access to the Windows source code.

          I'm pretty sure you're right. And I'm also pretty sure Tiny Personal Firewall doesn't come close to doing what the software from HP would do (I think it checks for the activity of worms or viruses and throttles their usage to "block" DoS attacks or something like that.) Anyone can write a firewall; it's a bitch writing software to throttle network and CPU usage for a particular process.

          So enlight
      • Re:/. worthy? (Score:3, Insightful)

        by fitten (521191)
        I didn't see anywhere in there that said they even asked Microsoft to do anything about it or that Microsoft had refused to do anything about it.

        I could just as easily write a program that won't run on Windows and not even try to port it to Windows and start claiming that Windows won't run it because it isn't Open.

        Until I see something that says that Microsoft refused to make changes to Windows that HP suggested, I'll chalk this up to a publicity campaign by HP to join the M$ bashing bandwagon and make th
    • Re:/. worthy? (Score:3, Interesting)

      by gbjbaanb (229885)
      The technology notices changes in host machine behavior, which indicates a virus infection. It then chokes off the attack by limiting the frequency of outbound communications from the host machine to "throttle" communications with other hosts on the network

      yeah? So HP is saying they can't get it to run on Windows because they can't alter the networking code? WTF? Have they never heard of firewalls, which happily block network connections, even on Windows?

      Perhaps they've altered the HP network stack so th
    • You fail it! RTFA (Score:4, Informative)

      by temojen (678985) on Wednesday August 25, 2004 @06:24PM (#10073031) Journal

      No.

      HP got it to work on Linux and HPUX, but didn't have the source to Windows XP, and so couldn't implement it for windows.

      Someone else asks if they've ever heard of firewalls, but this technology is intended to stop worms once they're inside your lan.

      • Re:You fail it! RTFA (Score:2, Informative)

        by TheSunborn (68004)
        ZoneAlarm doesn't have any problem with blocking connections from the inside. It really doesn't require access to the source of Windows.
        • outbound connections per second? No, it doesn't, does it? That why they didn't just invent ZoneAlarm. It's not doing the same thing. Pretty obvious, really.
        • the problem is that ZoneAlarm is software that runs on top of the OS and can therefore be bypassed by another bit of the OS if it gets the chance; this is why only a dedicated hardware firewall is really any good, as there is no multitasking OS to compromise and infect.

          there have already been worms developed that disable Norton products when they infect a Windows PC.

          this tries to look for insane traffic patterns that you only get from a worm and kill it at the kernel level.

          question is, could they develop this as
      • And the best way to keep viruses off your LAN in the first place is by creating a second network for PHBs and salesdorks with laptops. :-)
    • shhhhhhhhhhhhh
      pay no attention to the man behind the curtain.

      The longer reason is because it isn't compatible with Windows [and Linux doesn't need it].


      ______________________________________
      My Trunk Monkey can beat up your Trunk Monkey.
      http://www.suburbanautogroup.com/ford/trunkmonkey.html
    • Did you read the article? They had it working on Linux and HPUX! So it wasn't just intended for Windows.

      Next, so what? Whether you can "blame" MS or not has nothing to do with /.worthiness.

      My favorite quote was: "...we don't own Windows," says Redmond.

      My next favorite:
      "Virus Throttling only springs into action after a virus has penetrated an organization's network, which made it 'more difficult to sell,' he says."

      It's not a hard sell to a company that's just been brought to its knees! I was at
  • I get it. (Score:5, Funny)

    by Alcimedes (398213) on Wednesday August 25, 2004 @06:08PM (#10072889)
    So it throttles Windows in general, thereby slowing the spread of viruses! I like it!

    Take out Windows, and you take out the problem. Go HP!
    • So it throttles Windows in general, thereby slowing the spread of viruses! I like it!

      It could be vaporware, but there are things that exist currently that do the same thing:

      Seti@home, Folding@home, Slashdotting, and Windowsupdate during a scare...for instance.

      Heck, even I've done it...of course the switch misconfiguration was a coincidence. :P
    • by jez9999 (618189)
      You're confusing it with Service Pack 2.
  • by Nos. (179609) <andrew@NospaM.thekerrs.ca> on Wednesday August 25, 2004 @06:09PM (#10072898) Homepage
    I'd like to know what the problems are with Windows machines. If your router/gateway/firewall is limiting outgoing connections, your OS should be able to handle it. Even if it does cause problems, how often does the throttle kick in where there isn't a worm/virus present on the host machine? If this false positive rate is low enough then I'd implement it anyways.
    • by mrchaotica (681592) on Wednesday August 25, 2004 @06:12PM (#10072930)
      I'd like to know what the problems are with Windows machines.
      You must be new here ; )
    • The problem is that in a corporate setting even the best firewalls can't prevent a sloppy third-party service tech with an infected laptop [for example] from hosing your network... once one PC INSIDE the firewall is infected you're toast. Windows INSIDE a company is an open book to viruses...they use the very same ports and protocols that all the cool network administration tools use...When you have 200+ PCs you can't NOT use the admin tool... there are no programs that prevent a compromised PC from infec
  • by Megaslow (694447) * on Wednesday August 25, 2004 @06:09PM (#10072899) Homepage
    ...because "we don't own Windows," Redmond says.
  • It's funny when you read a sentence like
    "we don't own Windows," Redmond says. and do a double take, thinking it's coming from Microsoft...
    • Re:It's funny when (Score:3, Insightful)

      by tiger99 (725715)
      They don't own Windows, it is a generic term in trademark law in any civilised English-speaking country.

      And yes, the juxtaposition of the unfortunate person's name is very funny.

  • Interesting (Score:2, Insightful)

    by CypherXero (798440)
    This is a pretty interesting idea, I only wish it worked. Of course, the only thing that DOES work in Windows is everything that you DON'T want to work, such as...you guessed it...viruses.
  • by Izago909 (637084) * on Wednesday August 25, 2004 @06:10PM (#10072912)
    It's not compatible with windows, so let's not even try getting MS to make newer versions compatible, or spend resources writing a virtual device driver. They argue that defense is better than treatment, but forget that a 2 pronged attack is better than pure defense. Even the best firewall and antivirus programs can be worked around. What happens when the next virus or worm comes out and antivirus and firewall manufacturers are caught with their pants down again? Do they plan on letting it spread freely until someone makes a removal tool?
    • The article didn't say anything to that effect. Maybe they did try, and Microsoft was uncooperative. Is it beyond the realm of possibility that Microsoft would be uncooperative in revamping their TCP/IP implementation?
    • by drdrea (89814)
      It isn't in any way "incompatible with Windows". You could write an NDIS Intermediate Driver that sits under TCP and above the network adapters and implement any security policy you want. It would have to be designed carefully to avoid too much overhead though. See the passthru sample in the DDK.

      It seems the market for this is corporate networks, so they could release a product that is useful without being bundled with windows.

      -Drea-
    • For all we know, Microsoft said that they're not planning on making MORE changes to their OS, even for such a good cause.

      They may have said, "See you in 2005-2006" and that's why HP put it back in the lab, instead of just outright cancelling the project and deleting the source code. (Which is the implication your post makes.)
  • why not? (Score:5, Funny)

    by sometwo (53041) on Wednesday August 25, 2004 @06:10PM (#10072914)
    If it has these bugs, why not release the program? Then the machines will BSOD and they'll stop spreading viruses. Goal achieved!
  • Anti-P2P Tool (Score:5, Insightful)

    by SkunkAh (633183) on Wednesday August 25, 2004 @06:12PM (#10072926)
    I'm afraid that this tool will also affect P2P tools which connect to many hosts every second as well. Novice users will stop using P2P cause they don't understand why it isn't working.
    • Re:Anti-P2P Tool (Score:4, Insightful)

      by Izago909 (637084) * on Wednesday August 25, 2004 @06:21PM (#10073011)
      Novice users will stop using P2P cause they don't understand why it isn't working.

      Many of the problems of p2p stem from novice users. I really don't care if there are a few thousand less people spreading the latest teeny-bop tracks or infected files.
    • Not necessarily (Score:3, Informative)

      by b00m3rang (682108)
      It detects /changes/ in the traffic patterns. If your computer sends thousands of packets per second to port 6346, it can probably identify that as your usual traffic. If you suddenly start sending millions of packets to port 25 on various machines, that's out of the ordinary and can be throttled.
    • then the new Kazaa/LimeWire/WinMX or whatever will have a starter screen instructing how to turn it to ignore said program.

      never underestimate what people will go through to get something for free!
  • by LostCluster (625375) * on Wednesday August 25, 2004 @06:12PM (#10072934)
    From the article...
    Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.

    Wait a second. This doesn't really protect internal networks as much as it protects the Internet from your-machine-gone-mad. That is to say, this product's operation assumes your anti-virus security measures have already failed you, and you've got a server making attack attempts outbound on the world at large. This would kick in and shut down that server's attempted attacks.

    That'd be a great thing for all of us to be running to be good citizens of the Internet... but who'd buy such a thing? After all, you have to admit that your existing security products may occasionally fail you before you can even start to explain what this thing will do. And, after such a failure, you're already 0wned. So, you really have nothing internal left to protect at that point, and all there is to protect is the outside world. If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?

    Pointing to the fact that this would require some changes to Windows is a nice excuse, but anybody can get Microsoft to do anything when they come equipped with a truckload of money. I think the realization is that people would run this if it was free, but no business in their right mind is going to buy it. I think HP realized that, and that's why they spiked this product. HP, after all, is a business and can't afford to spend too much money on a research project that isn't going to lead to a profitable product.

    I wonder if there are any academic groups working on similar projects who might be able to finish the work on this one...
    • by gbjbaanb (229885) on Wednesday August 25, 2004 @06:21PM (#10073007)
      true - it protects the internet at large from you. By limiting the number of connection attempts per second.

      So, once you're infected, your server fails to spread at a rate of 10,000 connection attempts per second, instead it spreads slowly, maybe 100 attempts per second? Would this actually do anything besides give your sysadmins a few extra seconds to patch your system?

      Wouldn't it be better to block the connection attempts instead, like with an outbound firewall? Maybe stop the app that was trying to connect unless authorised by the user (eg a P2P app)?
      • Actually, in a cyberverse where such connection rates are possible, slowing down the exponential spread, even if it only buys two or three seconds to get the system offline, would be somewhat effective in containing a worm or DDoS attack attempt. Those involved with network administration have to be quick on their feet anyway to unplug machines doing such things.

        Of course, the problem is that these machines have been compromised, and it's damn near impossible to unpwn a machine without formatting the hard
    • And, after such a failure, you're already 0wned. So, you really have nothing internal left to protect at that point, and all there is to protect is the outside world. If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?

      Well, maybe only one machine on your LAN has been infected yet and you don't want them all to be.

    • If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?

      The neighborhood would want to pay for that. Really, we're talking about people who already can't figure out how to operate windows update or install firewalls of their own, they certainly aren't going to buy this because they don't care. But, when their ISP gives them a nice shiny CD that just happens to include this, they'll chuck it onto the machine with the rest of the
    • HP owns two class A networks (15.* is old HP's, and 16.* is old DEC's which came with the Compaq merger). If you have that much network of your own, you want to suppress infected machines in order to defend your own network. It's not the Internet they are trying to defend. Other companies with big networks may also have similar problems, so they are the potential customers for this technology.

      I suspect that the problem is not that HP can't get something to work on some particular Windows configuration, but

  • What a fantastically creative author that article has. To end every other paragraph with "Redmond/HP says"... Sheer brilliance. If only Shakespeare had thought of that.
  • In other news..... (Score:5, Insightful)

    by Concrete Nomad (777836) on Wednesday August 25, 2004 @06:13PM (#10072938)
    In other news a cure for cancer and AIDS is quietly being shelved. The medical wonder has incompatibilities with most HMOs. Maybe I just don't see the point or perhaps the technology really wasn't all that good.
  • by ... James ... (33917) on Wednesday August 25, 2004 @06:14PM (#10072946)
    Microsoft introduced similar functionality in Windows XP SP2:

    Limited number of simultaneous incomplete outbound TCP connection attempts
    Detailed description

    The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system's event log.
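The post above says the SP2 limiter leaves a trace: Event ID 4226 in the system event log. As an added example (not part of the post, and not Microsoft's or HP's code), here is a small Python detector that reads constructed event-log export lines and flags hosts that log 4226 repeatedly inside a short window. The CSV layout, host names, timestamps, window and threshold are assumptions for the example; a single 4226 can be ordinary (a P2P client, as other comments in this thread point out), so the check looks for a burst per host rather than any one occurrence.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: timestamp,computer,source,event_id,message
# (a simplified CSV layout assumed for this example, not a real Event Viewer dump).
SAMPLE_LOG = """\
2004-08-25 18:10:02,WKS-05,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2004-08-25 18:12:40,WKS-05,Service Control Manager,7036,The Print Spooler service entered the running state.
2004-08-25 18:20:00,WKS-12,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2004-08-25 18:20:05,WKS-12,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2004-08-25 18:20:11,WKS-12,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2004-08-25 18:20:18,WKS-12,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2004-08-25 18:20:25,WKS-12,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2004-08-25 18:45:00,WKS-05,Tcpip,4226,TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""

THROTTLE_EVENT_ID = 4226  # the event the post above describes


def parse_events(text):
    """Yield (timestamp, computer, event_id) tuples from the CSV export."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        yield ts, row[1], int(row[3])


def count_4226(text):
    """Total 4226 events per computer, a first triage view."""
    counts = defaultdict(int)
    for ts, host, event_id in parse_events(text):
        if event_id == THROTTLE_EVENT_ID:
            counts[host] += 1
    return dict(counts)


def flag_throttled_hosts(text, window_seconds=600, threshold=3):
    """Return {host: first timestamp at which `threshold` 4226 events fell
    inside a sliding window of `window_seconds`}.  Hosts that only trip the
    limit now and then are not flagged."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps of 4226 events still in window
    flagged = {}
    for ts, host, event_id in sorted(parse_events(text)):
        if event_id != THROTTLE_EVENT_ID or host in flagged:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= threshold:
            flagged[host] = ts
    return flagged


if __name__ == "__main__":
    print("4226 totals per host:", count_4226(SAMPLE_LOG))
    for host, when in flag_throttled_hosts(SAMPLE_LOG).items():
        print(f"{host}: repeated connect-rate limiting from {when}; check for worm-like scanning")
```

Run as a script it prints the per-host totals and flags WKS-12, whose five 4226 events within half a minute look nothing like WKS-05's two events 35 minutes apart. Tuning the window and threshold against known P2P users is the practical part; the code only supplies the sliding-window count.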
    • And can you still gain access to a raw socket and construct your own session? If so, this will stop VB-viruses from propagating (maybe), but nothing more sophisticated, which presumably will simply drop down to raw packet construction.

      • by shird (566377)
        No you can't actually, or at least not TCP packets. Of course you could install a packet driver and bypass tcpip.sys altogether, but that usually involves admin access, restarting etc.
        • by Ark42 (522144)

          Last I checked winpcap could be installed without a reboot or any user intervention via a silent option to the installer, at least under 2000/XP. I know for a fact you can construct raw packets however you want with winpcap since I use it in my tunneling program.
          I don't really see what would stop somebody from embedding winpcap or something similar and spewing out garbage, completely bypassing the Windows TCP/IP stack. Other than size of course; it would be a large worm to include a bunch of DLLs just for that.
    • by LostCluster (625375) * on Wednesday August 25, 2004 @06:52PM (#10073247)
      That's nice... but what's gonna prevent viruses from choosing UDP to send their attacks with? :)
    • by interiot (50685) on Wednesday August 25, 2004 @07:11PM (#10073470) Homepage
      And how long will it take until one of the smarter virus writers writes a patch for tcpip.sys, after which the horde of stupid virus writers just include that in their programs?

      The throttling functionality really needs to reside on the router side, on routers that don't run Windows. Then every joe-shmoe virus/worm won't be able to bypass it easily.

  • by Numen (244707) on Wednesday August 25, 2004 @06:15PM (#10072955)
    I can just see me telling my boss...

    Me: "I had to shelve the clients project, sorry."
    Boss: "Why?!"
    Me: "Incompatibilities with Windows."

    My arse.
    • You dumbfuck (Score:3, Informative)

      by b00m3rang (682108)
      Let's see you reverse engineer Windows to the point where your program can integrate seamlessly and reliably with the OS kernel and the networking stacks without any documentation or help from Microsoft.

      You think you're cute, but you're not.
      • Re:You dumbfuck (Score:3, Informative)

        by MerlynEmrys67 (583469)
        Easy enough to do...

        Their networking stack is fully documented (much better than Linux thank you very much) - All that is needed is a simple filter driver to catch packets going in/out - apply a policy to them, and poof - off you go.

        Anyone can go out and get hold of the Windows DDK: DDK Order Page [microsoft.com]

        It contains all the docs that you should need to do pretty much anything you need in the windows kernel. Now lets see you do the same thing with Linux - heck there isn't even a decent kernel debugger, unless

        • Fair enough, (Score:3, Interesting)

          by b00m3rang (682108)
          I just have a hard time believing that if it were that easy that HP couldn't figure it out. Companies I've worked for in the past have had to completely re-engineer a Kernel to gain all the functionality required to manipulate all aspects of the IP implementation and the way it interacts with the other layers of the OS to achieve the performance, security, routing, etc. required for the application. This isn't possible without Windows source code, which is not available. I wouldn't think the scenario the
  • by keiferb (267153) on Wednesday August 25, 2004 @06:15PM (#10072962) Homepage
    SP2, from what I understand, limits the number of outgoing connections a PC can make. Could it be that HP was just a bit too slow to market on this one? Why pay for a product that does something your OS is about to start doing for free?
  • Viruses vs virii (Score:4, Informative)

    by leathered (780018) on Wednesday August 25, 2004 @06:16PM (#10072966)
    Can we settle this once and for all?

    Virii is not a word in the English language; or any other language as far as I know.

    I recommend correctional facilities for those using the word 'virii'.
    • I don't know your education, but in mine learning the difference between a worm and a caterpillar came a good few years before any option of learning Latin. If the choice of the brand new icon for articles involving worms is anything to go by, I doubt we are going to be seeing accurate Latin in stories anytime soon... ;)
    • by Mr. Bad Example (31092) on Wednesday August 25, 2004 @06:41PM (#10073165) Homepage
      > I recommend correctional facilities for those using the word 'virii'.

      I think you mean "facilitii".
    • by Repton (60818) on Wednesday August 25, 2004 @08:28PM (#10074182) Homepage

      Remember --- one virus, two virii, three viriii, four viriv ...

      Latin is easy!

    • Dictionary.com agrees with you!!

      http://dictionary.reference.com/search?q=virus

      virus
      n. pl. viruses

      http://dictionary.reference.com/search?q=virii

      No entry found for virii.

  • Not just HP.... (Score:3, Informative)

    by XavierItzmann (687234) on Wednesday August 25, 2004 @06:16PM (#10072969)
    Though Apple has apparently designed a great OS for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows IT staff job security.

    This is what today's Wall Street Journal said:
    So how can you get rid of spyware and how can you avoid it in the first place? One nearly surefire cure is to dump your Windows machine and buy an Apple Macintosh.
    http://ptech.wsj.com/archive/report-200408.html [wsj.com]

  • a great program for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows incompatibilities.


    So, they are starting their own GNU/Linux distribution?

    Feel ready to own one or many Tux Stickers [ptaff.ca]?
  • There's something amiss here:
    HP got Virus Throttler to work well in its labs with products using operating systems like HP-UX and Linux. However, the technology required changes to the way those operating systems run that HP couldn't duplicate on Windows systems, because "we don't own Windows," Redmond says.

    Does that imply that HP thinks they own Linux? I think we just figured out their new strategy to generate revenue in the future.

    • Re:Uh oh... (Score:3, Informative)

      by rusty0101 (565565)
      Nope. It means HP feels that since Linux is Free Software (as in speech) and they do own HP-UX, they have every right to go through the operating system source code, write and compile the tools, utilities, and features they are interested in testing for both Linux and HP-UX, but they are unable to do the same for Windows, because Windows is neither their own product, nor is it an Open Source product that they can do these things with.

      The Network stack portion of Windows may be based upon one of the BSD var
    • HP know very well that they don't own Linux. It was simply a not very well put way of saying they can't change Windoze because they don't control the source, but they can change Linux, as indeed can anyone with a valid and sensible contribution to make.

      I don't think there is the slightest danger of HP becoming the next SCOundrel, unless they want their share price to go the same way...... The SCOundrel strategy failed to generate revenue except from a few idiots who paid up, it would not have paid for one m

  • by Jugalator (259273) on Wednesday August 25, 2004 @06:20PM (#10072996) Journal
    Some changes to combat DDoS attacks:

    - TCP data cannot be sent over raw sockets.
    - UDP datagrams with invalid source addresses cannot be sent over raw sockets.

    Some changes to combat worms:

    - Updated TCP/IP stack to limit the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. This only applies when connecting to unavailable hosts, for example worms like Sasser guessing where to spread to.
  • Shouldn't this be implemented at the switch or router? Thus making it impossible for the virus to disable (unless, of course, the computer being infected IS the router) and not requiring changes in workstation OSs?
    • the router as the offending machine? Could be many thousand.
      • If packets coming from the port the machine is on are slowed down, that means that they're slowed down before they get to the other ports on the router. And there are a lot more routers than you imagine- most likely less than 255 machines would be infected by packets stopped at the router (depending, of course, on the address segment that router covers), and all machines on a different router port would get the infection packets slowly, if at all. But this method is designed to slow virus proliferation,
  • ..perhaps one of those rare instances where the enabler technology (the OS in this case), has actually throttled innovation!
  • Open source it (Score:4, Insightful)

    by Hoodsen (751434) on Wednesday August 25, 2004 @06:27PM (#10073049)
    This seems like a good idea that they just couldn't get to work. If they're just going to shelve it and not make a penny anyway, how about releasing the source code and see what the community can do with it? HP makes the same amount of money on it either way ($0), but this way they can get open source brownie points and maybe start something that could be useful down the line.
  • by Derivin (635919) on Wednesday August 25, 2004 @06:27PM (#10073059)
    First off, this is not a troll.
    In my experience it has always been easier to sell reactive solutions to DDoS, worms, and virii.

    Working on OpenVision*SecureMAX and Securify (Kerberos) back at OpenVision (bought by Veritas, products sold to PlatniumGroup, then who knows where), we had a very very hard time selling our preventative security software (for all the *nix platforms of the time and Windows NT). Everyone wanted virus removal software. Even when SATAN was released, people didn't want to have an audit of which machines were vulnerable in the company.

    I left the computer security business back in '97. At which point did it become easier to sell preventative measures? Was it just this past year or two with all the outbreaks? Or did Veritas make a huge mistake in selling off its acquired security products when it did?
    • At which point did it become easier to sell prevenative measures? Was it just this past year or two with all the outbreaks?

      I would venture so. Three or so major virus incidents (such that they noticeably slow the entire internet) per year for the last three years gets people thinking.

      Most people wouldn't believe there is a problem until it slaps them upside the head. Much like road commissions don't do risk assessments of intersections until after several people die in accidents. Only after then does th
  • Well, I guess HP could not understand that howto guide on TLDP either...
  • It was clear that the reason they couldn't make the technology work was because it required some changes to the core of various Windows operating systems. Will Microsoft make its own version of the technology?

    If so, will they patent it? :)

    I tend to think that the technology would be useful and should be implemented. Maybe HP can license the technology to Microsoft. Here's hopin'
  • I quit using diesel cause it wouldn't work in my gasoline engine.

  • by Photar (5491)
    See! I knew it they're in bed with the virus makers! And Halliburton too I bet!

    Its not hard to find the connections, you just have to google them!

    http://www.commondreams.org/news2004/0310-11.htm

    Seriously, someone needs to make a game called 6 degrees of Halliburton. That would rock.
  • What so special (Score:3, Interesting)

    by neopara (729457) on Wednesday August 25, 2004 @06:48PM (#10073221)
    Network throttling is nothing new; the Honeynet Project has been doing this for years. http://project.honeynet.org/tools/index.html [honeynet.org] Now they are using inline Snort (Snort + iptables) to make a signature-based firewall. Essentially a layer 7 firewall, but with the cool feature of modifying packets and not just blocking them.
  • .... fairly inevitable that it was too difficult to make it work reliably under the vilest piece of closed-source trash ever written.

    But there might have been another way, after all Zone Alarm manages to insert itself between the core of Windoze and the outside world (as presumably do all software firewalls, even the ones that don't work properly, like Symantec). I guess that would need code so radically different from the *nix version that it would be an entirely different thing.

    On the other hand, if you w

  • by Ozwald (83516)
    Slowing the OS? Sounds like that's already in XP SP2... kidding.

    But really, I believe the concept of virus scanners and throttlers such as this is a temporary patch to a problem, not a solution. What if, instead of putting a governor on the IP stack, the OS or a router down the line detects these types of problems? The infected OS is alerted and optionally suspends the attacking process until it is cleared by the user or administrator.

    Some ISPs do something similar. One emails the user saying tha
    • Good point. I wish all ISPs would be required by law to do something like that because it would catch the spammers as well as certain types of virii and trojans.

      It is a bit like the algorithms used by some mobile phone networks to detect that your phone has been stolen, and block its use, by detecting a very abnormal usage pattern.

      But the ultimate answer is to sub-contract the suppression of virii etc to the RIAA, after all they have shown how (not!) to tackle minor amounts of illegal file copying.....

      :-)

  • This *always* happens on Slashdot when 'virii' is mentioned. It's worth noting, however, that the protests when encountering the word 'virii' are getting less frequent and not as fast as they used to be. A tell-tale sign that, even here, it's slowly becoming accepted. After all, ever more articles and posts make use of it, outside the pure scriptkiddie/leet-speaking populace. Let's face it: it's getting commonly used and well on its way to some day reaching dictionary status. But in the meantime, you always
    • Virtually everyone who uses the word "virii" uses it because they misapplied the radius -> radii rule. Thus not admonishing people for using the word "virii" increases the general acceptance of misapplying language rules in ignorant or confusing ways.

      Now I understand that languages change; but saying "virii" instead of "viruses" is a STUPID change, and I want it to stop. I'm perfectly willing to let good changes come along (like being able to use "they" as the third-person non-gender-specific singular
  • by mr_z_beeblebrox (591077) on Wednesday August 25, 2004 @07:23PM (#10073615) Journal
    A program to slow the spread of viruses and it does not work on Windows. So basically, if you can run this program you will (by nature of not running windows) not contribute to the spread of viruses and worms. BRILLIANT!
  • Already in XP (Score:2, Interesting)

    by coolsva (786215)
    This feature is already in XP SP2 here [microsoft.com]. Basically, if a program demonstrates worm-like behaviour, Windows makes the network connectivity slower. One of the many steps in the right direction (I'm a very happy Linux user, but don't want to always blame MS for all evil).
    Perhaps HP got it a bit too late; unfortunately, that's how the software market is. Unless HP was sure they had a better product, there's no point in competing with something the OS offers now.
  • Aoba: No it's taken over Melchior and it's hacking into Balthasar!
    Hyuga: Fast! Too fast!
    Aoba: The calculation speed is incredible!
    Ritsuko: Change the login mode! Change synchronisation code, to every fifteen seconds!
    Aoba: Roger.
    Hyuga: Yes ma'am.
    Fuyutsuki: How much time did we buy?
    Aoba: At least two hours, I think.
  • Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.

    HP could have done it by implementing their own network stack, the way VPN and private firewall software vendors do, but it would be much easier if Microsoft was willing to play along.

    But then if Microsoft was willing to work with anyone else on fixing Windows, they'd be better off if they started with the many many features of Windows that actively encourage the spread of viruses instead of messing about with half-measures like this. Instead of crippling the OS so it can't do occasionally useful and sometimes vital operations (as Microsoft themselves are doing in XP SP2, don't forget) they should start by splitting IE into a safe HTML-rendering engine and a web-browser that uses it but takes control of its own security...
  • If HP or somebody would modify the approach, it would work well in a home router, without having to modify any O.S. outside the router.

    The software would need to monitor every IP address on the LAN for viral indications, and then kick into throttle mode only for the indicated IP address.

    It wouldn't take too much CPU or memory to monitor 1-10 IP addresses, but it might be prohibitive for 100-1000.
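Three posts in this thread describe the same mechanism from different angles: b00m3rang's point that the throttle keys on *changes* from a host's usual destinations, the HP description quoted by LostCluster (limit the number of new network destinations a host can reach per second), and the post directly above, which would run it in a router with one state record per LAN address. As an added example (not HP's code, and not from any of those posts), here is a Python simulation of that design run over constructed traffic: each source keeps a small working set of recently contacted destinations; connections to those pass straight through, anything new waits in a delay queue that drains at a fixed rate, and a queue that grows past a limit raises the worm alarm. Working-set size, release rate, alarm length and the sample addresses are all assumptions.

```python
from collections import OrderedDict, deque


class HostThrottle:
    """Throttle state for one source host.

    Destinations in the working set (recently contacted) pass immediately;
    any other destination is queued and released at `release_per_second`.
    A queue longer than `alarm_queue_len` is treated as worm-like behaviour.
    All parameter values are assumptions for this example, not HP's.
    """

    def __init__(self, working_set_size=4, release_per_second=1.0, alarm_queue_len=10):
        self.working = OrderedDict()      # dest -> True, least recently used first
        self.queue = deque()              # (offer_time, dest) awaiting release
        self.queued = set()               # destinations currently in the queue
        self.working_set_size = working_set_size
        self.interval = 1.0 / release_per_second
        self.alarm_queue_len = alarm_queue_len
        self.last_release = None
        self.allowed = 0                  # requests that went out, now or after queueing
        self.delayed = 0                  # requests that hit the delay queue
        self.alarm_at = None              # time the queue first exceeded the alarm length

    def _admit(self, dest):
        """Add dest to the working set, evicting the least recently used entry."""
        self.working[dest] = True
        self.working.move_to_end(dest)
        if len(self.working) > self.working_set_size:
            self.working.popitem(last=False)

    def _release(self, now):
        """Let one queued destination through per interval that has elapsed."""
        if self.last_release is None or not self.queue:
            self.last_release = now       # nothing waiting: no credit accumulates
            return
        while self.queue and now - self.last_release >= self.interval:
            self.last_release += self.interval
            _, dest = self.queue.popleft()
            self.queued.discard(dest)
            self._admit(dest)
            self.allowed += 1

    def offer(self, now, dest):
        """Decide on one outbound connection request: 'allow' or 'delay'."""
        self._release(now)
        if dest in self.working:
            self.working.move_to_end(dest)
            self.allowed += 1
            return "allow"
        self.delayed += 1
        if dest not in self.queued:
            self.queue.append((now, dest))
            self.queued.add(dest)
        if self.alarm_at is None and len(self.queue) > self.alarm_queue_len:
            self.alarm_at = now
        return "delay"


def run(events, **params):
    """Feed (time, src_ip, dest) events through one throttle per source (router view)."""
    throttles = {}
    for now, src, dest in sorted(events):
        throttles.setdefault(src, HostThrottle(**params)).offer(now, dest)
    return {
        src: {"allowed": t.allowed, "delayed": t.delayed,
              "queued": len(t.queue), "alarm_at": t.alarm_at}
        for src, t in throttles.items()
    }


# Constructed sample traffic: one host talking to its usual three servers over
# twelve seconds, and a second host that tries 30 new destinations in 0.3 seconds.
NORMAL_HOST = [(0, "10.0.0.5", "192.0.2.25:25"), (2, "10.0.0.5", "192.0.2.80:80"),
               (4, "10.0.0.5", "192.0.2.25:25"), (6, "10.0.0.5", "192.0.2.53:53"),
               (8, "10.0.0.5", "192.0.2.80:80"), (10, "10.0.0.5", "192.0.2.25:25"),
               (12, "10.0.0.5", "192.0.2.53:53")]
WORM_HOST = [(30 + i / 100, "10.0.0.7", f"198.51.100.{i + 1}:25") for i in range(30)]
SAMPLE_EVENTS = NORMAL_HOST + WORM_HOST

if __name__ == "__main__":
    for src, summary in run(SAMPLE_EVENTS).items():
        verdict = "WORM-LIKE" if summary["alarm_at"] is not None else "normal"
        print(src, verdict, summary)
```

The normal host pays exactly the cost the thread worries about: its first contact with each new server is delayed by up to a second, after which everything passes. The scanning host gets one new destination per second instead of a hundred per second and trips the alarm a tenth of a second into its burst, which is the "few extra seconds" for an administrator that gbjbaanb's reply asks about. Because state is keyed by source address, the same code works whether it sits on the host or, as the post above suggests, on the router.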
