RE: how broken are antivirus products?

From: Schmehl, Paul L <pauls(at)utdallas.edu>
Date: Tue Nov 26 2002 - 15:03:17 EST


It all depends what "slightly modified" means. If it no longer replicates, then it isn't a virus. Even in those cases *some* av products may still detect them. (McAfee, for example, will report a virusname.dam for a virus that's been altered so it no longer replicates but still has some of the telltale signs.)

Not to pick on you, but what we *believe* an av product will do is irrelevant. Proper testing tells us what an av product *will* and *won't* detect, and that is information we can bank on. Joe Schmo saying, "product A didn't detect this blither virus, but Product B did" is essentially meaningless. We'd have to know all the conditions of the test, and we'd have to know that it really *was* the blither virus before we can even judge if what Joe said is right.

I can identify certain viruses simply by their filename (for example, I can tell you that a filename with eight random alpha characters where the final two are identical to the first two, and the extension is .exe, is Hybris), but my judgment in those cases would be worthless for testing purposes.

There are lots of expectations out there regarding what certain av products will or won't do, much of it the result of the av vendors' advertising. Those expectations don't always line up with reality. That's why, in an enterprise setting at least, one should rely on competent testing to decide which products to use.

Paul Schmehl (pauls@utdallas.edu)
TCS Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: E M [mailto:rdnktrk@hotmail.com]
> Sent: Tuesday, November 26, 2002 1:50 PM
> To: Schmehl, Paul L; focus-virus@securityfocus.com
> Subject: RE: how broken are antivirus products?
>
>
> While I agree with your logic, I believe that the heuristics of an A/V
> scanner should be able to pick up a textbook virus as well as one that has
> been slightly modified with the intent of obfuscation. If the A/V scanner
> doesn't pick it up, then although the original functionality of the scanner
> isn't "broken" per se, the intended functionality I expect sure as heck is.
Received on Tue Nov 26 16:57:17 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT
