
Summary

Monitoring software may be difficult to use, but it may detect some new viruses that scanning does not, especially if those viruses do not use new techniques.

These monitors produce a high rate of false positives. The users of these programs should be equipped to sort out these false positives on their own. Otherwise, the support staff will be severely taxed.

Monitors can also produce false negatives if the virus doesn't perform any activities the monitor deems suspicious. Worse yet, some viruses have succeeded in attacking monitored systems by turning off the monitors themselves.


konczal@csrc.ncsl.nist.gov
Fri Mar 11 21:26:02 EST 1994