Re: Trojan horse Downloader.Generic.ML

From: kurt wismer (kurtw_at_sympatico.ca)
Date: 06/19/05


Date: Sun, 19 Jun 2005 17:24:21 -0400

Zvi Netiv wrote:
[snip]
> What prevented Integrity Master, and checkers in the same category (e.g. CRC,
> MD5, etc.), from becoming widely used in AV, are the following reasons:
>
> 1. Plain integrity ("plain" here refers to the processing of the entire file,
> not to the method used) is useless for AV purposes as it's unable to
> discriminate between legitimate changes and malware related changes.

as malware can make arbitrary changes, processing the entire file is
required... if you're only worried about parasitic infection then sure,
for some types of files you may only need to check a subset of the
entire file, but integrity checkers aren't *just* for detecting that
sort of thing...

of course we've had this disagreement for a good long time now... you
feel integrity checkers should behave like your product but your product
has been highly specialized/optimized for detecting infection... plain
integrity checkers detect a broader range of changes and, correctly or
incorrectly, leave the interpretation of those changes up to a
non-autonomous agent also known as the user (which is the real reason
the non-technical majority never adopted them)...

> 2. Integrity records obtained by IM and its likes were useless in restoring
> modified objects to their original state. This last capability is now less
> important due to the complexity in restoring 32 bit objects from an "integrity
> signature" (the size of the signature required for that is prohibitively large),
> but was cardinal in the days of DOS.

there are those who feel that programmatically restoring
infected/corrupted objects to their original state is a losing
proposition... some anti-virus vendors (like sophos) don't offer virus
disinfection for most file infecting viruses because of this philosophy...

while the average joe may certainly prefer a magic bullet (and there are
plenty of examples of people expressing exactly that), i'm not about to
penalize a technology for failing to be a panacea - i'd rather penalize
a proponent of it for falsely leading users to believe it is a panacea...

plain integrity checkers are purely detective mechanisms... they do not
prevent and they do not restore, but they are (when used properly)
practically infallible at detecting change...

-- 
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"


Relevant Pages

  • Re: Trojan horse Downloader.Generic.ML
    ... > What prevented Integrity Master, and checkers in the same category (e.g. CRC, ... has been highly specialized/optimized for detecting infection... ...
    (comp.security.firewalls)
  • Re: Trojan horse Downloader.Generic.ML
    ... >> discriminate between legitimate changes and malware related changes. ... > feel integrity checkers should behave like your product but your product ... > has been highly specialized/optimized for detecting infection... ... performed just as well as IV in restoring infected DOS files. ...
    (alt.computer.security)
  • Re: Trojan horse Downloader.Generic.ML
    ... >> discriminate between legitimate changes and malware related changes. ... > feel integrity checkers should behave like your product but your product ... > has been highly specialized/optimized for detecting infection... ... performed just as well as IV in restoring infected DOS files. ...
    (comp.security.firewalls)