Message-ID: <4F4E3784.9030909@cs.utoronto.ca>
Date: Wed, 29 Feb 2012 09:34:44 -0500
From: Ryan Johnson <ryan.johnson@cs.utoronto.ca>
To: cygwin@cygwin.com
Subject: Re: BLODA detection code in latest snapshot
References: <20120227122614.GB31025@calimero.vinschen.de> <4F4C41B5.7040804@acm.org> <4F4C51D0.70307@acm.org> <20120228094024.GD23052@calimero.vinschen.de> <16210489654.20120229024137@mtu-net.ru> <20120229085527.GO23440@calimero.vinschen.de> <835563459.20120229162253@mtu-net.ru>
In-Reply-To: <835563459.20120229162253@mtu-net.ru>

On 29/02/2012 7:22 AM, Andrey Repin wrote:
> do you filter by DLL name or its full path?
> Because %SystemRoot%\system32\shlwapi.dll is likely to be harmless.
> But same name DLL inserted from any other place...
That would be moving beyond mere BLODA and into malware territory. At 
that point, just because it's in %SystemRoot% doesn't mean it's safe, 
either. In fact, we can't really even be sure a well-known dll name in 
%SystemRoot% is safe if the machine is infected with something.

I don't think we're trying to play virus scanner here, so dll name 
should suffice.

$.02
Ryan


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
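An added example, not Cygwin's BLODA code and not code from either poster, showing the two filtering choices discussed above: name-only matching (Ryan's position), where a loaded module's lower-cased base name is checked against a list of known names regardless of directory, and the path-aware variant Andrey raised, which flags a well-known system DLL name loaded from outside the system directory. The DLL names, the sample module paths and the system directory are constructed placeholders, and `KNOWN_BLODA_DLLS` is not Cygwin's actual list.

```python
import ntpath

# Constructed placeholder names standing in for a BLODA list; not Cygwin's real list.
KNOWN_BLODA_DLLS = {"exampleav.dll", "hookdemo.dll"}

# Constructed sample of module paths, as a process-module enumeration might report them.
SAMPLE_LOADED_MODULES = [
    r"C:\Windows\system32\ntdll.dll",
    r"C:\Windows\system32\shlwapi.dll",
    r"C:\Program Files\ExampleAV\ExampleAV.dll",
    r"C:\Users\ryan\AppData\Local\Temp\shlwapi.dll",
]


def dll_basename(path):
    """Lower-cased file name of a Windows module path (Windows file names are case-insensitive)."""
    return ntpath.basename(path).lower()


def find_bloda_by_name(loaded_modules, known=KNOWN_BLODA_DLLS):
    """Name-only matching, as proposed in the thread: the directory is ignored entirely."""
    return [p for p in loaded_modules if dll_basename(p) in known]


def find_misplaced_system_dlls(loaded_modules, system_dir=r"C:\Windows\system32",
                               system_names=("shlwapi.dll",)):
    """Path-aware variant from Andrey's suggestion: a well-known system DLL name that was
    loaded from somewhere other than the system directory. The thread considers this
    outside BLODA detection's scope; it is here only to show what the extra check costs."""
    sysdir = ntpath.normcase(system_dir)  # normcase lower-cases and normalises separators
    hits = []
    for p in loaded_modules:
        if dll_basename(p) in system_names and ntpath.normcase(ntpath.dirname(p)) != sysdir:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in find_bloda_by_name(SAMPLE_LOADED_MODULES):
        print("BLODA name match:", hit)
    for hit in find_misplaced_system_dlls(SAMPLE_LOADED_MODULES):
        print("system DLL name loaded outside system32:", hit)
```

`ntpath` is used rather than `os.path` so the Windows path handling behaves the same when the script is run on a non-Windows host; the name-only check needs no knowledge of the system directory at all, which is the simplicity Ryan's reply argues for.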

