RE: how broken are antivirus products?

> Oh yeah, as an additional piece of data. I have obtained
I am looking forward to reading your book. Here are some thoughts
regarding your research and questions:
- getting an n MB mbox file that - according to your friend's information -
contains viruses and using it for scan engine detection rate testing isn't
acceptable, unless you first replicated all the samples and took the
mbox file from an infected machine.
- there are a couple of AV test schemes used by third parties - some of them
were pointed out in previous messages, so I will only point at one
additional one: Virus Bulletin (and its 100% award). I don't see a lot of
sense in designing the same or a similar pattern to the one which is
already used and has industry credibility, unless your method can reveal
some new information. I am not trying to be the judge here... However, I
believe that some standards like sample replication must be used in any
reasonable AV scan engine test.
- the problem of changing code by using different compilers on different
hosts or using different compiler options (like code optimization
techniques) to generate a functionally identical binary that differs at
the opcode level is not a new problem. This could be solved by choosing a
correct signature in a place of the code that should not change, or by
analyzing code characteristics / behavior during code emulation.
- the problem might be detecting viruses for platform X using platform Y.
It takes some work to emulate system calls, libraries, memory layout,
etc.
Best Regards,
Aleksander Czarnowski
AVET INS
Received on Wed Nov 20 00:49:04 2002
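The third point above, choosing a signature on bytes that a rebuild with a different compiler or optimization level does not disturb, as an added example that is not part of the original message and is not any vendor's engine. The byte strings are constructed by hand for illustration (assumed x86-32 encodings of one tiny routine built two ways, plus an unrelated benign routine), the signature syntax is my own rather than a specific product's, and none of it is real malware:

```python
"""Fixed-byte vs. wildcard signatures across compiler variants.

Added example, not code from the original message or from any AV vendor.
All byte strings are constructed for illustration (assumed x86-32 encodings).
"""
import re

# Constructed "build A": frame pointer kept, as an unoptimised build might emit.
BUILD_A = bytes.fromhex(
    "55"            # push ebp
    "89e5"          # mov ebp, esp
    "b834120000"    # mov eax, 0x1234      (the distinctive constant)
    "e810000000"    # call rel32 = +0x10   (displacement depends on layout)
    "c9"            # leave
    "c3"            # ret
)

# Constructed "build B": same routine with the frame pointer omitted and the
# callee placed elsewhere, so the prologue is gone and the displacement differs.
BUILD_B = bytes.fromhex(
    "b834120000"    # mov eax, 0x1234
    "e820000000"    # call rel32 = +0x20
    "c3"            # ret
)

# Constructed benign code that shares only the generic function prologue.
BENIGN = bytes.fromhex(
    "55"            # push ebp
    "89e5"          # mov ebp, esp
    "31c0"          # xor eax, eax
    "5d"            # pop ebp
    "c3"            # ret
)

SAMPLES = {"build_A": BUILD_A, "build_B": BUILD_B, "benign": BENIGN}

# Signature tokens (my own format): 'hh' = one literal byte, '??' = any one
# byte, '{n-m}' = skip between n and m arbitrary bytes.
TOKEN = re.compile(r"\?\?|\{(\d+)-(\d+)\}|([0-9a-fA-F]{2})")


def compile_signature(hexsig: str) -> "re.Pattern[bytes]":
    """Translate a hex signature into a compiled bytes regex.

    Every character of the signature must be consumed by a token, so a stray
    nibble or an unknown construct is rejected instead of silently ignored.
    """
    sig = hexsig.replace(" ", "")
    parts = []
    pos = 0
    for m in TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError(f"bad signature near offset {pos}: {sig[pos:]!r}")
        pos = m.end()
        if m.group(0) == "??":
            parts.append(b".")                      # any single byte
        elif m.group(3) is not None:
            parts.append(b"\\x%02x" % int(m.group(3), 16))  # literal byte
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad range {{{lo}-{hi}}}")
            parts.append(b".{%d,%d}" % (lo, hi))    # bounded skip
    if pos != len(sig):
        raise ValueError(f"trailing junk in signature: {sig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' must match 0x0a too


def scan(hexsig: str, samples: dict) -> list:
    """Return the names of the samples the signature fires on, in dict order."""
    pat = compile_signature(hexsig)
    return [name for name, data in samples.items() if pat.search(data)]


# 1. Bytes lifted verbatim from build A, including the volatile call
#    displacement: build B, the same code recompiled, is missed.
SIG_EXACT = "b8 34 12 00 00 e8 10 00 00 00"
# 2. The generic prologue: survives some rebuilds but is not distinctive,
#    so it also fires on unrelated benign code.
SIG_PROLOGUE = "55 89 e5"
# 3. Anchored on the distinctive constant, with the relocatable displacement
#    wildcarded: both builds hit, the benign sample does not.
SIG_ROBUST = "b8 34 12 00 00 e8 ?? ?? ?? ??"
# 4. Same anchor, tolerating a variable-length gap before the 'ret'.
SIG_SKIP = "b8 34 12 00 00 {0-8} c3"

if __name__ == "__main__":
    for label, sig in [("exact", SIG_EXACT), ("prologue", SIG_PROLOGUE),
                       ("robust", SIG_ROBUST), ("skip", SIG_SKIP)]:
        print(f"{label:9s} {sig:34s} -> {scan(sig, SAMPLES)}")
```

The exact signature is what a tester gets by copying bytes out of one sample; it is why replicated samples built several ways, rather than a single copy, are needed to judge an engine. The robust forms are the "place of code that should not change" from the message: an immediate the program needs to function, with addresses and other link-time values masked out. This does nothing for the second approach the message mentions, behavioral analysis under emulation, which is what you fall back on when no stable byte sequence exists.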
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT