Re: Trojan horse Downloader.Generic.ML

From: kurt wismer (kurtw_at_sympatico.ca)
Date: 06/22/05


Date: Tue, 21 Jun 2005 22:58:54 -0400

Zvi Netiv wrote:
> kurt wismer <kurtw@sympatico.ca> wrote:
>>Zvi Netiv wrote:
>>[snip]
>>>What prevented Integrity Master, and checkers in the same category (e.g. CRC,
>>>MD5, etc.), from becoming widely used in AV, are the following reasons:
>>>
>>>1. Plain integrity ("plain" here refers to the processing of the entire file,
>>>not to the method used) is useless for AV purposes as it's unable to
>>>discriminate between legitimate changes and malware related changes.
>>
>>as malware can make arbitrary changes, processing the entire file is
>>required... if you're only worried about parasitic infection then sure,
>>for some types of files you may only need to check a subset of the
>>entire file, but integrity checkers aren't *just* for detecting that
>>sort of thing...
>
> Malware doesn't make arbitrary changes, full stop.

so data diddlers don't exist?

> That's a fallacy that has
> been nurtured by ignorance, fools (e.g. Lambdin, with his unsolicited CRCs), and
> AVers that had an interest in users assimilating that nonsense.

what i said is technically correct... malware *can* make arbitrary
changes - there may not yet be a malware instance that changes bytes X,
Y, or Z in a file but there's nothing preventing one from being made...

there is malware that corrupts and/or destroys data - you can contest the
existence of such malware if you like, but you'd be tilting at windmills...

>>of course we've had this disagreement for a good long time now... you
>>feel integrity checkers should behave like your product but your product
>>has been highly specialized/optimized for detecting infection... plain
>>integrity checkers detect a broader range of changes and, correctly or
>>incorrectly, leave the interpretation of those changes up to a
>>non-autonomous agent also known as the user (which is the real reason
>>the non-technical majority never adopted them)...
>
> You are actually saying the same thing, but from a different angle: Users were
> incapable of telling, on the basis of a plain integrity change, whether it was caused by
> a virus or was benign.

actually, i don't think they are the same thing... i don't believe users
are incapable of such, i believe they are unwilling...

>>>2. Integrity records obtained by IM and its likes were useless in restoring
>>>modified objects to their original state. This last capability is now less
>>>important due to the complexity in restoring 32 bit objects from an "integrity
>>>signature" (the size of the signature required for that is prohibitively large),
>>>but was cardinal in the days of DOS.
>>
>>there are those who feel that programmatically restoring
>>infected/corrupted objects to their original state is a losing
>>proposition... some anti-virus vendors (like sophos) don't offer virus
>>disinfection for most file infecting viruses because of this philosophy...
>
> Again, part of the above is propaganda, that was cultivated by interested
> parties.

sophos used propaganda to justify being a less attractive option? that
really doesn't make a whole lot of business sense... you (the general
you) can't claim that action X can't be done satisfactorily so you won't
do it and expect potential customers to accept that when most other
vendors provide products that do perform action X...

> The fact is that DOS objects, all types, were recovered through
> integrity methods to their *exact* original state, to the byte, including the
> time and date stamp.

you can't recover overwritten objects merely from an integrity
fingerprint...

[snip]
>>while the average joe may certainly prefer a magic bullet (and there are
>>plenty of examples of people expressing exactly that), i'm not about to
>>penalize a technology for failing to be a panacea - i'd rather penalize
>>a proponent of it for falsely leading users to believe it is a panacea...
>
> I hope that you don't point to me as I never made such claim. Which didn't
> prevent professional bashers from pretending that I did.

i was not pointing at you... i was merely stating a preference... while
i can recall plenty of things you've said that i disagreed with, i can't
recall you directly saying anything that was blatantly snake-oil...

>>plain integrity checkers are purely detective mechanisms... they do not
>>prevent and they do not restore, but they are (when used properly)
>>practically infallible at detecting change...
>
> Let's extend the above now: Real-time AV optimized integrity checkers can
> detect an infection and block execution of that object. When implemented
> properly, real-time integrity monitoring is nearly infallible at detecting viral
> changes in monitored files.

i'm afraid i'm not yet convinced of that...

-- 
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
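As an added illustration (not code from this thread, nor from Integrity Master or either poster's products) of what a "plain" whole-file integrity checker does and does not tell you: it flags every changed file the same way, whether the change is a user's edit or an unexpected append, and the record it keeps is a digest that cannot reconstruct the original bytes. The file names, contents and the helper names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Digest of the ENTIRE file: any byte change anywhere alters the result."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> digest for every regular file under root.
    Note the record holds only 32 bytes per file: nothing here can be used
    to restore a file whose contents were overwritten."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline. The checker only reports
    that something changed; deciding whether the change is benign is left
    to whoever reads the report."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline two files, then apply one legitimate edit
    and one unexpected append. Both land in the same 'modified' bucket."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_bytes(b"meeting at ten\n")
        (root / "tool.bin").write_bytes(b"MZ" + b"\x00" * 62)  # constructed stand-in for a program
        baseline = build_baseline(root)
        (root / "notes.txt").write_bytes(b"meeting at eleven\n")  # benign user edit
        with open(root / "tool.bin", "ab") as f:
            f.write(b"\x90" * 16)  # constructed: an append the owner did not make
        (root / "extra.txt").write_bytes(b"new\n")  # a file that was not in the baseline
        return verify(root, baseline)
```

Running `demo()` returns `{"modified": ["notes.txt", "tool.bin"], "added": ["extra.txt"], "removed": []}`; the report is the whole story a plain checker can give.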
