Are security tools a virus or a trojan or even a danger?
August 6th, 2007 by Pete
I got an email a couple of weeks ago from a DBA who had downloaded Patrik Karlsson's excellent OAT (Oracle Auditing Tools) software, only to have it flagged as a virus by his security department. He wanted to use the tools to audit and protect his databases, which is the main aim of the toolkit, and he asked me to confirm that the tools are actually safe and not a virus.
I downloaded the toolkit again myself and Windows Defender baulked, reporting a severe danger because "it can capture passwords". I then ran the Norton anti-virus scanner against the zip file and it reported three problems: two for PWDump and one for Netcat.

Is the anti-virus software right to mark OAT as a virus? That is debatable. In their own right, PWDump and Netcat could and should be flagged as dangerous if they arrived on a user's PC by email or by some other surreptitious route; a user who was not expecting these tools would want to know about them. They are not, however, viruses or trojans in my opinion: neither of them self-replicates. In the context of OAT they are neither a virus nor dangerous, because the context has to be taken into account. Here a DBA had deliberately downloaded an Oracle security toolkit, so there is no danger. What if OAT had instead been dropped as a payload onto an unsuspecting person's PC; would it then count as dangerous? I am not sure. A zip of an Oracle audit toolkit would need extra "features" before an attacker could do anything useful with it, and the infected PC would have to be specifically targeted.

So should anti-virus and anti-spyware tools such as Defender treat OAT as dangerous? They should detect Netcat, and most likely PWDump, but should they still flag them when they are components of a toolkit such as OAT? Probably. The practical step for a DBA in this position is to establish exactly which files in the archive triggered the detection and to record their checksums, so that any exclusion the security department agrees to covers that known toolkit build and nothing else. Does this mean the future of free security tools is changing, if they are going to be marked as dangerous, whether as viruses, trojans or spyware? Probably.
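The check described above, as an added example (this is not code from the original post, from OAT, or from Patrik Karlsson): enumerate every file inside a downloaded toolkit archive, hash each one with SHA-256, and mark the members whose names match a small list of well-known dual-use tools, so the reviewer sees exactly which components an anti-virus product is likely to object to and has the hashes needed to scope any exclusion. The archive here is constructed in memory with placeholder contents standing in for real binaries, and the file-name patterns for PWDump and Netcat are assumptions of this example, not a definitive signature list.

```python
"""Triage an anti-virus hit on a downloaded security toolkit archive.

Added example, not code from the original post or from OAT. It lists every
member of a zip, hashes it, and flags members that match a constructed list
of dual-use tool names (the kind of components the post says Norton flagged
inside OAT: PWDump and Netcat). The report gives a reviewer the exact files
and SHA-256 digests to cite when asking for a narrowly scoped exclusion.
"""
import hashlib
import io
import re
import zipfile

# Constructed name patterns for two well-known dual-use tools. A real
# allow/deny decision should rest on publisher-supplied hashes, not names.
DUAL_USE_PATTERNS = {
    "pwdump": re.compile(r"(^|/)pwdump\d*(\.exe|\.dll)?$", re.IGNORECASE),
    "netcat": re.compile(r"(^|/)(nc|netcat)(\.exe)?$", re.IGNORECASE),
}


def classify_member(name):
    """Return the dual-use label for an archive member name, or None."""
    for label, pattern in DUAL_USE_PATTERNS.items():
        if pattern.search(name):
            return label
    return None


def triage_archive(zip_bytes):
    """Hash every file in the archive and separate dual-use components.

    Returns {"flagged": [...], "other": [...]} where each entry is a tuple
    (member name, sha256 hex digest, label or None).
    """
    report = {"flagged": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            label = classify_member(info.filename)
            entry = (info.filename, digest, label)
            (report["flagged"] if label else report["other"]).append(entry)
    return report


def build_sample_toolkit():
    """Constructed stand-in for a toolkit zip; member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("toolkit/audit.sh", "#!/bin/sh\n# placeholder audit wrapper\n")
        zf.writestr("toolkit/bin/pwdump.exe", b"PLACEHOLDER-PWDUMP")
        zf.writestr("toolkit/bin/nc.exe", b"PLACEHOLDER-NETCAT")
        zf.writestr("toolkit/README.txt", "constructed sample archive\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_toolkit())
    print("Dual-use components (candidates for a scoped AV exclusion):")
    for name, digest, label in result["flagged"]:
        print(f"  [{label}] {name}  sha256={digest}")
    print("Other members:")
    for name, digest, _ in result["other"]:
        print(f"  {name}  sha256={digest}")
```

Run it against the real toolkit by replacing `build_sample_toolkit()` with the bytes of the downloaded zip; the hashes printed for the flagged members are what a security team would compare with the publisher's published checksums before agreeing to any exclusion.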




August 7th, 2007 at 12:11 am
Random says:
Rootkits get detected as viruses all the time because people take the rootkit and alter it for harmful uses. It's the same thing here.