Pantek Library

RE: how broken are antivirus products?

From: Jose Nazario <jose(at)monkey.org>
Date: Tue Nov 19 2002 - 09:07:58 EST


On Tue, 19 Nov 2002, Aleksander P. Czarnowski wrote:

> - getting nMB mbox file that - according to your friends information -

manual inspection reveals they're of the same sigs i get all the time, too. his mbox was just a convenience (i collect different things in my mboxes and typically ditch my mail-borne malware).

> - there are couple of av test schemes used by third party - some of them

yeah, the goal was not to evaluate antivirus products, the goal was to give some sample output of how antivirus products work. i'm showing a lot of detection methods, i have to add those in. i'm certainly in no place with respect to time or materials to replicate the tests performed by AV labs.

thanks. the general gist of this thread has been interesting, to say the least. sophos had a poorly documented (not in the usage() output, didn't dig too deep into the manuals) -mime option to decode MIME attachments which catches one of the viruses in the mbox file (the first one). mad props to paul for his links, they've been helpful.


jose nazario, ph.d.			jose@monkey.org
					
http://www.monkey.org/~jose/
Received on Wed Nov 20 01:10:24 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT
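
The effect of the MIME-decoding step mentioned in the message above, as an added example that is not part of the original post and is not any vendor's code: a flat byte scan of an mbox misses a pattern inside a base64-encoded attachment, while a scan of the decoded MIME parts finds it. The signature, addresses and file names are constructed placeholders.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed stand-in for a byte signature; harmless, not a real virus pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"

def build_sample_mbox(path):
    """Write a one-message mbox whose attachment carries SIGNATURE, base64-encoded."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"      # constructed sample addresses
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"header bytes " + SIGNATURE + b" trailer",
                       maintype="application", subtype="octet-stream",
                       filename="sample.bin")
    box = mailbox.mbox(path)
    box.add(msg)
    box.flush()
    box.close()

def raw_scan(path):
    """Scan the mbox file as flat bytes, as a scanner without MIME decoding would."""
    with open(path, "rb") as fh:
        return SIGNATURE in fh.read()

def mime_scan(path):
    """Decode every MIME leaf part, then scan; returns (message index, filename) hits."""
    hits = []
    box = mailbox.mbox(path)
    for index, msg in enumerate(box):
        for part in msg.walk():
            if part.is_multipart():
                continue
            # decode=True undoes base64 / quoted-printable transfer encoding
            payload = part.get_payload(decode=True) or b""
            if SIGNATURE in payload:
                hits.append((index, part.get_filename()))
    box.close()
    return hits

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mbox")
        build_sample_mbox(path)
        return raw_scan(path), mime_scan(path)

if __name__ == "__main__":
    print(demo())
```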

