Security Worms

HP Shelves Virus Throttler Program 277

longlanekid writes "Though HP has apparently designed a great program for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows incompatibilities."

  • /. worthy? (Score:3, Interesting)

    by wo1verin3 ( 473094 ) on Wednesday August 25, 2004 @06:08PM (#10072888) Homepage
    This is a product that was intended for use on Windows, they obviously couldn't get it working on Windows. Don't start blaming MS for this one...

    That aside, any coincidence that the vice president and chief technology officer of HP is named Tony Redmond? :) j/k
  • Re:/. worthy? (Score:3, Interesting)

    by gbjbaanb ( 229885 ) on Wednesday August 25, 2004 @06:15PM (#10072963)
    The technology notices changes in host machine behavior, which indicates a virus infection. It then chokes off the attack by limiting the frequency of outbound communications from the host machine to "throttle" communications with other hosts on the network

    yeah? So HP is saying they can't get it to run on Windows because they can't alter the networking code? WTF? Have they never heard of firewalls, that happily block network connections, even on Windows.

    Perhaps they've altered the HP network stack so that if you make a connection, it is held until the flurry of connection attempts are reduced. Something that is not likely if you're infected with a worm; so maybe it delays the connect attempt for a short amount of time - big deal if you're infected as the connection will succeed eventually. Could this be the real reason why it's been shelved - it doesn't work to actually do much of anything?

    I really don't understand why this is such a 'Windows is rubbish' and not a 'HP programmers don't understand how to code properly' story.

    oh, except usual slashdot bias. Silly me, I forgot that for a moment.
  • Re:/. worthy? (Score:4, Interesting)

    by The Bungi ( 221687 ) <thebungi@gmail.com> on Wednesday August 25, 2004 @06:26PM (#10073040) Homepage
    Really? That's funny. I have this thing, you know, a software firewall? It intercepts every single network call (heck, it will even plug the loopback if you tell it to) and it works fine, 100% of the time. If it can pop up a dialog asking me if I want ApplicationX to contact a given domain (or IP address) I figure it could also throttle the connection. Any connection.

    I'm pretty sure the people who wrote Tiny Personal Firewall didn't have access to the Windows source code.

    So enlighten me again - what does this have to do with Windows being a "closed proprietary OS" again?

    And BTW, this is something already built into XP, as you can tell from the many comments in this article.

  • by Derivin ( 635919 ) on Wednesday August 25, 2004 @06:27PM (#10073059)
    First off, this is not a troll.
    In my experience it has always been easier to sell reactive solutions to DDoS, worms, and virii.

    Working on OpenVision*SecureMAX and Securify(kerberos) back at OpenVision (bought by Veritas, products sold to PlatinumGroup, then who knows where), we had a very very hard time selling our preventative security software (for all the *nix platforms of the time and Windows NT). Everyone wanted virus removal software. Even when Satan was released, people didn't want to have an audit of which machines were vulnerable in the company.

    I left the computer security business back in '97. At which point did it become easier to sell preventative measures? Was it just this past year or two with all the outbreaks? Or did Veritas make a huge mistake in selling off its acquired security products when it did?
  • Re:Viruses vs virii (Score:2, Interesting)

    by shawn(at)fsu ( 447153 ) on Wednesday August 25, 2004 @06:33PM (#10073099) Homepage
    How many people use the word ain't?
    How many people use alot?

    Just because many people use the word doesn't make it proper and all my English teachers have proven this to me when they used to take points away from my papers for using words that were in fact not words.

    IMHO virii is a word constructed by nerds here at /. to make themselves appear smarter than the average person, but like I said that's just IMHO

  • What so special (Score:3, Interesting)

    by neopara ( 729457 ) on Wednesday August 25, 2004 @06:48PM (#10073221)
    Network Throttling is nothing new, the honeynet project has been doing this for years. http://project.honeynet.org/tools/index.html [honeynet.org] Now they are using Inline Snort (Snort + IPtables) to make a signature-based firewall. Essentially a layer 7 firewall, but with the cool feature to modify packets and not just block them.
  • by Ozwald ( 83516 ) on Wednesday August 25, 2004 @06:52PM (#10073249)
    Slowing the OS? Sounds like that's already in XP SP2... kidding.

    But really, I believe the concept of virus scanners and throttlers such as this are a temporary patch to a problem, not a solution. What if instead of putting on a governor on the IP stack, the OS or a router down the line detects these types of problems. The infected OS is alerted and optionally suspends the attacking process until it is cleared by the user or administrator.

    Some ISPs do something similar. One emails the user saying that they may have a virus because of large number of SMTP connections. I think that's a decent start.

    Oz
  • by tiger99 ( 725715 ) on Wednesday August 25, 2004 @06:59PM (#10073327)
    Good point. I wish all ISPs would be required by law to do something like that because it would catch the spammers as well as certain types of virii and trojans.

    It is a bit like the algorithms used by some mobile phone networks to detect that your phone has been stolen, and block its use, by detecting a very abnormal usage pattern.

    But the ultimate answer is to sub-contract the suppression of virii etc to the RIAA, after all they have shown how (not!) to tackle minor amounts of illegal file copying.....

    :-)

  • by Ark42 ( 522144 ) <slashdotNO@SPAMmorpheussoftware.net> on Wednesday August 25, 2004 @07:15PM (#10073513) Homepage

    Last I checked winpcap could be installed without a reboot or any user intervention via a silent option to the installer, at least under 2000/XP. I know for a fact you can construct raw packets however you want with winpcap since I use it in my tunneling program.
    I don't really see what would stop somebody from embedding winpcap or something similar and spewing out garbage completely bypassing windows tcp/ip stack. Other than size of course, it would be a large worm to include a bunch of dlls just for that.
  • Already in XP (Score:2, Interesting)

    by coolsva ( 786215 ) on Wednesday August 25, 2004 @07:57PM (#10073907)
    This feature is already in XP SP2 here [microsoft.com]. Basically, if a program demonstrates worm-like behaviour, windows makes the network connectivity slower. One of the many steps in the right direction (I'm a very happy linux user, but don't want to always blame MS for all evil).
    Perhaps, HP got it a bit too late, unfortunately, that's how software market is. Unless HP was sure they have a better product, no point in competing with something the OS offers now.
  • by Anonymous Coward on Wednesday August 25, 2004 @09:05PM (#10074417)
    Why not sell a $60 network card that has a built in hardware firewall that could do something like this?

    It could run embedded linux on a very low cost, low power embedded processor.

  • Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.

    HP could have done it by implementing their own network stack, the way VPN and private firewall software vendors do, but it would be much easier if Microsoft was willing to play along.

    But then if Microsoft was willing to work with anyone else on fixing Windows, they'd be better off if they started with the many many features of Windows that actively encourage the spread of viruses instead of messing about with half-measures like this. Instead of crippling the OS so it can't do occasionally useful and sometimes vital operations (as Microsoft themselves are doing in XP SP2, don't forget) they should start by splitting IE into a safe HTML-rendering engine and a web-browser that uses it but takes control of its own security...
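
Added example, not part of the original thread and not HP's code: a minimal sketch of the behaviour HP's description in the comment above implies, where connections to recently contacted destinations pass at once and connections to new destinations are released at one per second. The working-set size, the backlog alert threshold and all addresses are constructed assumptions.

```python
from collections import OrderedDict, deque

class ConnectionThrottle:
    """Delay connections to new destinations; recently seen ones pass at once."""

    def __init__(self, working_set_size=5, alert_backlog=20):  # assumed values
        self.recent = OrderedDict()   # recently contacted destinations, LRU order
        self.size = working_set_size
        self.pending = deque()        # delayed requests to unseen destinations
        self.alert_backlog = alert_backlog

    def request(self, dest):
        """Return True if the connection may proceed now, False if queued."""
        if dest in self.recent:
            self.recent.move_to_end(dest)
            return True
        self.pending.append(dest)
        return False

    def tick(self):
        """Call once per second: release at most one new destination."""
        if not self.pending:
            return None
        dest = self.pending.popleft()
        # Other queued requests for the same destination leave with it.
        self.pending = deque(d for d in self.pending if d != dest)
        self.recent[dest] = True
        while len(self.recent) > self.size:
            self.recent.popitem(last=False)   # evict least recently used
        return dest

def simulate(traffic):
    """traffic: one list of requested destinations per second.
    Returns (passed_immediately, released_from_queue, backlog, alerted)."""
    t = ConnectionThrottle()
    passed = released = 0
    alerted = False
    for second in traffic:
        passed += sum(t.request(d) for d in second)
        released += t.tick() is not None
        alerted = alerted or len(t.pending) >= t.alert_backlog
    return passed, released, len(t.pending), alerted

# Constructed sample traffic (documentation address ranges).
NORMAL = [["192.0.2.10"], ["192.0.2.10", "192.0.2.11"], ["192.0.2.11"],
          ["192.0.2.10", "192.0.2.12"], ["192.0.2.12"]]
WORM = [[f"198.51.100.{s * 50 + i}" for i in range(50)] for s in range(3)]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL))
    print("worm:  ", simulate(WORM))
```

With these inputs the ordinary host sees only a one-second delay on each first contact, while the scanning host reaches three destinations in three seconds and its backlog grows by 49 per second, which is the signal the alert threshold keys on.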
  • by Anonymous Coward on Wednesday August 25, 2004 @10:29PM (#10074930)
    You're kidding right? You're completely neglecting the low-end server market that is dominated (as far as HP is concerned) by PA-RISC systems running HPUX.
  • Fair enough, (Score:3, Interesting)

    by b00m3rang ( 682108 ) on Thursday August 26, 2004 @12:32AM (#10075562)
    I just have a hard time believing that if it were that easy that HP couldn't figure it out. Companies I've worked for in the past have had to completely re-engineer a Kernel to gain all the functionality required to manipulate all aspects of the IP implementation and the way it interacts with the other layers of the OS to achieve the performance, security, routing, etc. required for the application. This isn't possible without Windows source code, which is not available. I wouldn't think the scenario they describe is out of the realm of reasonability.
  • by sh!va ( 312105 ) on Thursday August 26, 2004 @02:56AM (#10075993)
    The problem is that in a corporate setting even the best firewalls can't prevent a sloppy third-party service tech with an infected laptop [for example] from hosing your network.
    Sigh. When will 12 yr olds without any experience about corporate LANs stop ranting? Oh wait, it's slashdot! If anyone got an infected computer on a corporate LAN (and this happens _all_ the time), it will simply attempt to infect all other computers on the LAN. Remember, corporate LANs are one step in the whole security setup, not the final line of defense. This is where a personal firewall, which you obviously have not heard of before, comes in. And yes, it's available for free with XPSP2 and you'll find a bunch of vendors that have better or more sophisticated implementations for nominal amounts.
    once one PC INSIDE the firewall is infected you're toast.
    No you're not. Read above.
    Windows INSIDE a company is an open book to viruses...they use the very same ports and protocols that all the cool network administration tools use...
    What are you ranting about? WHY WAS THIS PERSON MODDED INSIGHTFUL? What "cool" network administration tools are you talking about? Again, get a personal firewall and block your ports that you don't need other people to access. If your admin tool uses a particular service that exposes a port, then assume it's okay unless there is a known remote exploit for that service and then take measures until a fix is available. Note that this is NOT specific to windows.
    IN a corporate setting you need better than that...because inter-network communication is essentially "trusted" so it moves very fast...often faster than the virus scanners can keep up!
    What are you ranting about? Again: why was this person modded up +2 insightful??? LANs operate at higher speeds than the internet. Typically, at least. This has nothing to do with making them inherently more vulnerable and they're certainly not faster than the network stack on a given computer (which is roughly how fast your kernel mode virus scanners work).
    I've seen PCs reinfect each other right after the virus scanner stopped! short of pulling the plugs and going PC-to-PC by hand and that can be brutal!!
    I just feel sorry for the company that pays you for system administration. It is clear that you know nothing about security and much less than nothing about administration.
  • Re:/. worthy? (Score:3, Interesting)

    by Zakabog ( 603757 ) <john.jmaug@com> on Thursday August 26, 2004 @05:46AM (#10076364)
    I'm pretty sure the people who wrote Tiny Personal Firewall didn't have access to the Windows source code.

    I'm pretty sure you're right. And I'm also pretty sure Tiny Personal Firewall doesn't come close to doing what the software from HP would do (I think it checks for the activity of worms or viruses and throttles their usage to "block" DoS attacks or something like that.) Anyone can write a firewall, it's a bitch writing software to throttle network and CPU usage for a particular process.

    So enlighten me again - what does this have to do with Windows being a "closed proprietary OS" again?

    HP owns HP Unix, they can modify the source any way they want to. Linux is open source, so again HP can modify the source any way they want to. Windows is closed source, HP cannot modify the source (I don't know what they have to do, but they can't do it no matter if the firewall is enabled or not) so they cannot get their software to work on Windows.

    And BTW, this is something already built into XP, as you can tell from the many comments in this article.

    Yes, a firewall is built into windows, but it's nothing like the software HP is trying to create.

    I understand why you want to defend microsoft (well not really) but at least RTFA next time.
  • Re: Viruses vs virii (Score:3, Interesting)

    by gidds ( 56397 ) <[ku.em.sddig] [ta] [todhsals]> on Thursday August 26, 2004 @12:06PM (#10079151) Homepage
    That's a little different, though. That case was knowing, deliberate, playful -- an 'in joke' if you like. The users knew its standard English plural perfectly well, but chose to resurrect an older English plural form for interest's sake.

    Rather different from this case, which seems to result from pure ignorance.

    Personally, what really irks me is the use of a Latinate plural for a naturalised English word. English already has a perfectly good mechanism for indicating a plural, one that's used by the huge majority of its words. 'Virus' may have originated (in some form) in Latin, but it's been used in English for over half a millennium! Can't we consider it naturalised enough to take an English plural?
