Slashdot Mirror


HP Shelves Virus Throttler Program

longlanekid writes "Though HP has apparently designed a great program for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows incompatibilities."

36 of 277 comments

  1. /. worthy? by wo1verin3 · · Score: 3, Interesting

    This is a product that was intended for use on Windows, they obviously couldn't get it working on Windows. Don't start blaming MS for this one...

    That aside, any coincidence that the vice president and chief technology officer of HP is named Tony Redmond? :) j/k

    1. Re:/. worthy? by Handpaper · · Score: 4, Funny
      Confused me, too:
      '"we don't own Windows," Redmond says.'
      WTF?

    2. Re:/. worthy? by gbjbaanb · · Score: 3, Interesting

      The technology notices changes in host machine behavior, which indicates a virus infection. It then chokes off the attack by limiting the frequency of outbound communications from the host machine to "throttle" communications with other hosts on the network

      yeah? So HP is saying they can't get it to run on Windows because they can't alter the networking code? WTF? Have they never heard of firewalls, that happily block network connections, even on Windows.

      Perhaps they've altered the HP network stack so that if you make a connection, it is held until the flurry of connection attempts are reduced. Something that is not likely if you're infected with a worm; so maybe it delays the connect attempt for a short amount of time - big deal if you're infected as the connection will succeed eventually. Could this be the real reason why it's been shelved - it doesn't work to actually do much of anything?

      I really don't understand why this is such a 'Windows is rubbish' and not a 'HP programmers don't understand how to code properly' story.

      oh, except usual slashdot bias. Silly me, I forgot that for a moment.

    3. Re:/. worthy? by jdhutchins · · Score: 4, Funny

      Yes, HP's Unix may be closed, but seeing as how HP is developing this, they just might be able to get a hold of the source for their own operating system.

    4. Re:/. worthy? by The+Bungi · · Score: 4, Interesting
      Really? That's funny. I have this thing, you know, a software firewall? It intercepts every single network call (heck, it will even plug the loopback if you tell it to) and it works fine, 100% of the time. If it can pop up a dialog asking me if I want ApplicationX to contact a given domain (or IP address) I figure it could also throttle the connection. Any connection.

      I'm pretty sure the people who wrote Tiny Personal Firewall didn't have access to the Windows source code.

      So enlighten me again - what does this have to do with Windows being a "closed proprietary OS" again?

      And BTW, this is something already built into XP, as you can tell from the many comments in this article.

    5. Re:/. worthy? by fitten · · Score: 3, Insightful

      I didn't see anywhere in there that said they even asked Microsoft to do anything about it or that Microsoft had refused to do anything about it.

      I could just as easily write a program that won't run on Windows and not even try to port it to Windows and start claiming that Windows won't run it because it isn't Open.

      Until I see something that says that Microsoft refused to make changes to Windows that HP suggested, I'll chalk this up to a publicity campaign by HP to join the M$ bashing bandwagon and make themselves look better to the F/OSS community.

  2. I get it. by Alcimedes · · Score: 5, Funny

    So it throttles Windows in general, thereby slowing the spread of viruses! I like it!

    Take out Windows, and you take out the problem. Go HP!

  3. Need more details... by Nos. · · Score: 5, Insightful

    I'd like to know what the problems are with Windows machines. If your router/gateway/firewall is limiting outgoing connections, your OS should be able to handle it. Even if it does cause problems, how often does the throttle kick in where there isn't a worm/virus present on the host machine? If this false positive rate is low enough then I'd implement it anyways.

    1. Re:Need more details... by mrchaotica · · Score: 5, Funny
      I'd like to know what the problems are with Windows machines.
      You must be new here ; )
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  4. My favorite quote.... by Megaslow · · Score: 5, Funny

    ...because "we don't own Windows," Redmond says.

    1. Re:My favorite quote.... by drinkypoo · · Score: 4, Funny

      No, but every skript kiddie from here to Saskatchewan does...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Impeccable logic… by Izago909 · · Score: 4, Insightful

    It's not compatible with windows, so let's not even try getting MS to make newer versions compatible, or spend resources writing a virtual device driver. They argue that defense is better than treatment, but forget that a 2 pronged attack is better than pure defense. Even the best firewall and antivirus programs can be worked around. What happens when the next virus or worm comes out and antivirus and firewall manufacturers are caught with their pants down again? Do they plan on letting it spread freely until someone makes a removal tool?

  6. why not? by sometwo · · Score: 4, Funny

    If it has these bugs, why not release the program? Then the machines will BSOD and they'll stop spreading viruses. Goal achieved!

  7. Anti-P2P Tool by SkunkAh · · Score: 5, Insightful

    I'm afraid that this tool will also affect P2P tools which connect to many hosts every second as well. Novice users will stop using P2P cause they don't understand why it isn't working.

    1. Re:Anti-P2P Tool by Izago909 · · Score: 3, Insightful

      Novice users will stop using P2P cause they don't understand why it isn't working.

      Many of the problems of p2p stem from novice users. I really don't care if there are a few thousand less people spreading the latest teeny-bop tracks or infected files.

  8. Microsoft's fault? More like the almighty buck's.. by LostCluster · · Score: 4, Insightful

    From the article...
    Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.

    Wait a second. This doesn't really protect internal networks as much as it protects the Internet from your-machine-gone-mad. That is to say, this product's operation assumes your anti-virus security measures have already failed you, and you've got a server making attack attempts outbound on the world at large. This would kick in and shut down that server's attempted attacks.

    That'd be a great thing for all of us to be running to be good citizens of the Internet... but who'd buy such a thing? After all, you have to admit that your existing security products may occasionally fail you before you can even start to explain what this thing will do. And, after such a failure, you're already 0wned. So, you really have nothing internal left to protect at that point, and all there is to protect is the outside world. If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?

    Pointing to the fact that this would require some changes to Windows is a nice excuse, but anybody can get Microsoft to do anything when they come equipped with a truckload of money. I think the realization that people would run this if it was free, but no business in their right mind is going to buy it. I think HP realized that, and that's why they spiked this product. HP, after all, is a business and can't afford to spend too much money on a research project that isn't going to lead to a profitable product.

    I wonder if there are any academic groups working on similar projects who might be able to finish the work on this one...

  9. In other news..... by Concrete+Nomad · · Score: 5, Insightful

    In other news a cure for cancer and AIDS is quietly being shelved. The medical wonder has incompatibilities with most HMOs . Maybe I just don't see the point or perhaps the technology really wasn't all that good.

  10. Wait just a minute... by ...+James+... · · Score: 5, Informative

    Microsoft introduced similar functionality in Windows XP SP2:

    Limited number of simultaneous incomplete outbound TCP connection attempts
    Detailed description

    The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system's event log.
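A toy model of the queue-and-release behaviour quoted above, added here as an illustration and not taken from Microsoft, HP or the commenter. The limit, release rate, timeout and the three workloads are assumed values constructed for the example.

```python
from collections import deque

def simulate(workload, max_incomplete=10, release_per_tick=1, timeout_ticks=3):
    """Model of a limiter on simultaneous incomplete outbound TCP attempts.

    workload: one list per tick; each item is True if the destination answers
    (the attempt completes at once) or False if it never answers (the attempt
    stays incomplete for timeout_ticks ticks). All defaults are assumed values.
    """
    in_flight = []      # ticks left for each incomplete attempt
    queue = deque()     # attempts held back by the limiter, FIFO
    stats = {"attempted": 0, "sent": 0, "queued": 0, "limit_hits": 0}

    def send(answers):
        stats["sent"] += 1
        if not answers:
            in_flight.append(timeout_ticks)

    for new_attempts in workload:
        # Age incomplete attempts and drop the ones that have timed out.
        in_flight[:] = [t - 1 for t in in_flight if t > 1]
        # Drain the queue at the fixed rate.
        for _ in range(min(release_per_tick, len(queue))):
            send(queue.popleft())
        hit = False
        for answers in new_attempts:
            stats["attempted"] += 1
            if not queue and len(in_flight) < max_incomplete:
                send(answers)
            else:
                queue.append(answers)
                stats["queued"] += 1
                hit = True
        stats["limit_hits"] += hit   # stands in for one event-log entry per tick
    stats["still_queued"] = len(queue)
    return stats

# Constructed workloads.
NORMAL = [[True] * 3 for _ in range(20)]         # client talking to live hosts
SCANNER = [[False] * 50 for _ in range(20)]      # worm-like guessing of dead addresses
BURST = [[False] * 12] + [[] for _ in range(4)]  # one legitimate burst, then idle

if __name__ == "__main__":
    for name, load in (("normal", NORMAL), ("scanner", SCANNER), ("burst", BURST)):
        print(name, simulate(load))
```

With these assumed settings the scanner gets 29 of its 1000 attempts onto the wire in 20 ticks, while the legitimate burst is delayed by two ticks and then fully delivered.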

    1. Re:Wait just a minute... by LostCluster · · Score: 3, Insightful

      That's nice... but what's gonna prevent viruses from choosing UDP to send their attacks with? :)

    2. Re:Wait just a minute... by interiot · · Score: 5, Insightful
      And how long will it take until one of the smarter virus writers writes a patch for tcpip.sys, after which the horde of stupid virus writers just include that in their programs?

      The throttling functionality really needs to reside on the router side, on routers that don't run Windows. Then every joe-shmoe virus/worm won't be able to bypass it easily.

  11. Or they couldn't get it to work.... by Numen · · Score: 5, Funny

    I can just see me telling my boss...

    Me: "I had to shelve the clients project, sorry."
    Boss: "Why?!"
    Me: "Incompatibilities with Windows."

    My arse.

  12. Sounds like something already in SP2. by keiferb · · Score: 3, Insightful

    SP2, from what I understand, limits the number of outgoing connections a PC can make. Could it be that HP was just a bit too slow to market on this one? Why pay for a product that does something your OS is about to start doing for free?

  13. Viruses vs virii by leathered · · Score: 4, Informative

    Can we settle this once and for all?

    Virii is not a word in the English language; or any other language as far as I know.

    I recommend correctional facilities for those using the word 'virii'.

    --
    For all intensive porpoises your a bunch of rediculous loosers
    1. Re:Viruses vs virii by Mr.+Bad+Example · · Score: 4, Funny

      > I recommend correctional facilities for those using the word 'virii'.

      I think you mean "facilitii".

    2. Re:Viruses vs virii by Anonymous Coward · · Score: 3, Insightful

      English may not be static, but that doesn't mean every moronic new word gets to go in the dictionary either.

    3. Re:Viruses vs virii by Repton · · Score: 4, Funny

      Remember --- one virus, two virii, three viriii, four viriv ...

      Latin is easy!

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
  14. Not just HP.... by XavierItzmann · · Score: 3, Informative

    Though Apple has apparently designed a great OS for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows IT staff job security.

    This is what today's Wall Street Journal said:
    So how can you get rid of spyware and how can you avoid it in the first place? One nearly surefire cure is to dump your Windows machine and buy an Apple Macintosh.
    http://ptech.wsj.com/archive/report-200408.html

    --
    The next pasture is always greener
  15. Re:Redmond/HP says... by LostCluster · · Score: 3, Insightful

    Can anybody find the HP press release that clearly has to be the primary source behind the report? Having nearly every paragraph's main body be a quote attributed to the same source is the tell-tale sign that the report was based on information from a single source...

  16. Microsoft actually made some efforts in SP2 by Jugalator · · Score: 4, Informative

    Some changes to combat DDoS attacks:

    - TCP data cannot be sent over raw sockets.
    - UDP datagrams with invalid source addresses cannot be sent over raw sockets.

    Some changes to combat worms:

    - Updated TCP/IP stack to limit the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. This only applies when connecting to unavailable hosts, for example worms like Sasser guessing where to spread to.

    --
    Beware: In C++, your friends can see your privates!
  17. Re:Microsoft's fault? More like the almighty buck' by gbjbaanb · · Score: 4, Insightful

    true - it protects the internet at large from you. By limiting the number of connection attempts per second.

    So, once you're infected, your server fails to spread at a rate of 10,000 connection attempts per second, instead it spreads slowly, maybe 100 attempts per second? Would this actually do anything besides give your sysadmins a few extra seconds to patch your system?

    Wouldn't it be better to block the connection attempts instead, like with an outbound firewall? Maybe stop the app that was trying to connect unless authorised by the user (eg a P2P app)?

  18. You fail it! RTFA by temojen · · Score: 4, Informative

    No.

    HP got it to work on Linux and HPUX, but didn't have the source to Windows XP, and so couldn't implement it for windows.

    Someone else asks if they've ever heard of firewalls, but this technology is intended to stop worms once they're inside your lan.

  19. Open source it by Hoodsen · · Score: 4, Insightful

    This seems like a good idea that they just couldn't get to work. If they're just going to shelve it and not make a penny anyway, how about releasing the source code and see what the community can do with it? HP makes the same amount of money on it either way ($0), but this way they can get open source brownie points and maybe start something that could be useful down the line.

  20. Pre-emptive better than reactive? Since when? by Derivin · · Score: 4, Interesting

    First off, this is not a troll.
    In my experience it has always been easier to sell reactive solutions to DDoS, worms, and virii.

    Working on OpenVision*SecureMAX and Securify(kerberos) back at OpenVision (bought by veritas, products sold to PlatniumGroup, then who knows where), we had a very very hard time selling our preventative security software (for all the *nix platforms of the time and Windows NT). Everyone wanted virus removal software. Even when Satan was released, people didn't want to have an audit of which machines were vulnerable in the company.

    I left the computer security business back in '97. At which point did it become easier to sell preventative measures? Was it just this past year or two with all the outbreaks? Or did veritas make a huge mistake in selling off its acquired security products when it did?

  21. What so special by neopara · · Score: 3, Interesting

    Network Throttling is nothing new, the honeynet project has been doing this for years. http://project.honeynet.org/tools/index.html Now they are using Inline Snort (Snort + IPtables) to make a signature-based firewall. Essentially a layer 7 firewall, but with the cool feature to modify packets and not just block them.

    --
    Nothing more, For me to say; About my life, A life of dreams....
  22. Kind of Funny really by mr_z_beeblebrox · · Score: 3, Insightful

    A program to slow the spread of viruses and it does not work on Windows. So basically, if you can run this program you will (by nature of not running windows) not contribute to the spread of viruses and worms. BRILLIANT!

  23. Re:Here we go again: the virii-case. by Dirtside · · Score: 3, Insightful

    Virtually everyone who uses the word "virii" uses it because they misapplied the radius -> radii rule. Thus not admonishing people for using the word "virii" increases the general acceptance of misapplying language rules in ignorant or confusing ways.

    Now I understand that languages change; but saying "virii" instead of "viruses" is a STUPID change, and I want it to stop. I'm perfectly willing to let good changes come along (like being able to use "they" as the third-person non-gender-specific singular), but I'm going to do my damnedest to put a stop to "virii."

    To everyone who says "virii": You sound like an uneducated rube. It's "viruses," not "virii." Cut it out.

    Yes, languages change, and I have just as much right to try to stop people from changing the language as they do to try to change it. We'll see who wins.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased