Message-ID: <4F4E3784.9030909@cs.utoronto.ca>
Date: Wed, 29 Feb 2012 09:34:44 -0500
From: Ryan Johnson
To: cygwin AT cygwin DOT com
Subject: Re: BLODA detection code in latest snapshot
References: <20120227122614 DOT GB31025 AT calimero DOT vinschen DOT de> <4F4C41B5 DOT 7040804 AT acm DOT org> <4F4C51D0 DOT 70307 AT acm DOT org> <20120228094024 DOT GD23052 AT calimero DOT vinschen DOT de> <16210489654 DOT 20120229024137 AT mtu-net DOT ru> <20120229085527 DOT GO23440 AT calimero DOT vinschen DOT de> <835563459 DOT 20120229162253 AT mtu-net DOT ru>
In-Reply-To: <835563459.20120229162253@mtu-net.ru>

On 29/02/2012 7:22 AM, Andrey Repin wrote:
> do you filter by DLL name or its full path?
> Because, %SystemRoot%\system32\shlwapi.dll is likely to be harmless.
> But same name DLL inserted from any other place...

That would be moving beyond mere BLODA and into malware territory. At that point, just because it's in %SystemRoot% doesn't mean it's safe, either. In fact, we can't really even be sure a well-known dll name in %SystemRoot% is safe if the machine is infected with something. I don't think we're trying to play virus scanner here, so dll name should suffice.

$.02
Ryan

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
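The matching rule Ryan argues for, as an added example that is not part of this e-mail and is not cygwin's own BLODA code: compare the base name of every loaded module against a known list, case-insensitively and ignoring the directory, so a same-named DLL loaded from anywhere is reported and a listed name gets no exemption for living under %SystemRoot%. The name list here is constructed for the example only (cygwin's real table is not reproduced); the psapi enumerator is an assumed way to obtain the module list on Windows and returns an empty list on other hosts so the matching logic still runs offline.

```python
import ntpath
import sys
from typing import Iterable, List

# Constructed name list for this example only. It is NOT cygwin's BLODA
# table: "shlwapi.dll" is here because the thread uses it as its example,
# and "hookdll.dll" is a made-up placeholder.
BLODA_NAMES = frozenset(("shlwapi.dll", "hookdll.dll"))


def basename_lower(path: str) -> str:
    """Case-insensitive base name of a Windows module path.

    ntpath is used on purpose: os.path is posixpath on non-Windows hosts
    and would not split on backslashes.
    """
    return ntpath.basename(path.replace("/", "\\")).lower()


def find_bloda_modules(loaded: Iterable[str],
                       names: frozenset = BLODA_NAMES) -> List[str]:
    """Return the loaded module paths whose base name is on the list.

    Name-only matching, as argued in the thread: the same DLL name loaded
    from any directory is reported, and a listed name is not exempted just
    because it sits under %SystemRoot%\\system32.
    """
    wanted = frozenset(n.lower() for n in names)
    return [p for p in loaded if basename_lower(p) in wanted]


def loaded_modules_of_current_process() -> List[str]:
    """Module paths of this process via psapi (Windows only).

    Assumes EnumProcessModules / GetModuleFileNameExW in psapi.dll, which
    exist on every Windows version cygwin runs on. Returns [] elsewhere so
    the pure matching logic above can still be exercised.
    """
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    psapi.EnumProcessModules.argtypes = [wintypes.HANDLE,
                                         ctypes.POINTER(wintypes.HMODULE),
                                         wintypes.DWORD, wintypes.LPDWORD]
    psapi.EnumProcessModules.restype = wintypes.BOOL
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           wintypes.LPWSTR, wintypes.DWORD]
    psapi.GetModuleFileNameExW.restype = wintypes.DWORD

    hproc = kernel32.GetCurrentProcess()
    needed = wintypes.DWORD(0)
    count = 256
    while True:
        # Grow the handle array until it holds everything psapi reports;
        # DLLs can be loaded between calls, hence the loop.
        mods = (wintypes.HMODULE * count)()
        if not psapi.EnumProcessModules(hproc, mods, ctypes.sizeof(mods),
                                        ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        have = needed.value // ctypes.sizeof(wintypes.HMODULE)
        if have <= count:
            break
        count = have

    buf = ctypes.create_unicode_buffer(32768)
    paths = []
    for h in mods[:have]:
        if psapi.GetModuleFileNameExW(hproc, h, buf, len(buf)):
            paths.append(buf.value)
    return paths


if __name__ == "__main__":
    # Constructed sample module list: the %SystemRoot% copy and a copy of
    # the same name from elsewhere both match; an unlisted DLL does not.
    sample = [r"C:\Windows\system32\shlwapi.dll",
              r"C:\Program Files\SomeApp\SHLWAPI.DLL",
              r"C:\cygwin\bin\cygwin1.dll"]
    for hit in find_bloda_modules(sample):
        print("BLODA candidate:", hit)
    for hit in find_bloda_modules(loaded_modules_of_current_process()):
        print("loaded in this process:", hit)
```

Note that this is deliberately a name check and nothing more: it does not verify signatures or hashes, because, as the reply says, a compromised machine can put a malicious DLL under %SystemRoot% just as easily as anywhere else, and that is a job for a virus scanner rather than for BLODA detection.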