World's most popular travel blog for travel bloggers.

Can file snapshots aid in detecting malware?

, , No Comments
Problem Detail: 

I noticed certain programs have a feature that can have a 'snapshot' of a file from a certaim time and compare it to a more recent snapshot of the file. If one's system has a snapshot of a program when 'first' downloaded and it can compare this to the program 'as it is now' and if there are any changes this might indicate the file is corrupt and it could be marked for possible removal. So could this comparison feature be used to determine if a file is corrupt?

Asked By : user128932
Answered By : D.W.

This is not likely to be very effective in practice. Malware might corrupt the file before you were first able to take a snapshot... or, more realistically, it might corrupt the snapshot you have taken, so that the snapshot matches the current version of the file. It is difficult to defend against that attack.

So, while your idea is not a bad one, it has significant limitations that might render it not terribly useful in practice.

This also assumes that the underlying file is one that should never change. Of course, in practice, for any given file, there are valid circumstances when the file should be allowed to change. So this means you'd need some way to recognize valid, legitimate changes to the file. This starts to get a bit more complex to implement.

You might take a look at Tripwire, which is a system that does something like this -- except it keeps only a cryptographic hash of each monitored file, rather than a full copy of the file.

Best Answer from StackOverflow

Question Source : http://cs.stackexchange.com/questions/30315

3200 people like this

 Download Related Notes/Documents

0 comments:

Post a Comment

Let us know your responses and feedback