plun said:
Maybe "guru" Bill has something more about this?
I'm going to start lowercasing my name if you're going to assign me "guru"
status.
Fortunately, by the time I got to reading this thread, Steve Dodson had
already given me the right cue, so I don't have to put my foot in my mouth.
I think perhaps the designation of "winlog trojan" is confusing, but the
rest of the description and the default action seem appropriate to me.
As I understand it, the purpose of flagging this kind of code is simply to
alert the user to the presence of the tool on their workstation--so that
they know it is there, and that there could be risk associated with it. If
they installed it 7 months ago for a short project and haven't used it
since, maybe they'll blow it away, and have done their security good deed
for the day.
I agree with Steve--looks like the right description and right action
suggested. I do find the "winlog trojan" a bit of a false note, but maybe
this can get tuned as folks complain.