Re: Via Slashdot: Antivirus Vendors Head to Court

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 7/9/07, David Harley <david.a.harley () gmail com> wrote:
> > I do. The user always has the option to uninstall the
> > offending app and switch to a competitor.
>
> True. (Though SAV, among others, can leave dirty footprints in your registry
> when you remove it.)

Try nonav.bat from the symantec /nosupport directory. IMO its the best
product symantec has written to date..

> > I didnt mean any offence, its just that AV scanners will take
> > up more cycles and memory than most other applications on a
> > standard desktop.
>
> No offence taken. But we're off the point here. I've already said that I
> wouldn't normally run two on-access scanners at the same time. All they're
> taking up is disk space and I have lots of that. What I'm saying is that I
> think your point about excluding other AV programs (and the comments in the
> original news article) are based on a somewhat outmoded view of the
> technology.

That makes some sense. You just want to be able to scan from multiple
products to do testing or some such. Will the fact that more than one
of these AV vendors will try to hook into ring0 be an issue when
testing their functionality? If you only test the scanner, then you
are only testing the detection of viruses, not the ability of the
program to stop them.

Everyone can beat AV detection: Take your keylogger, chop in half with
the hex editor, then scan each half to see which is detected, rince
and repeat to find the .sig then alter that part of your code and
recompile. Only good heuristics (like NOD32 will stop these simple
steps.

So now that we know detection is easy to beat, the remaining question
is: how hard is it to disable the av or stop a future update from
detecting your app? (editing the systems hosts files, fusking up the
ACL's in the AV dir, closing a port, etc) This is where the real
battle is these days..

> You've evidently read my signature, since you commented on its length. Can
> you think of any reason why a security researcher specialising in malware
> might have multiple scanners on some machines, apart from paranoia? ;-)

Maybe a virustotal-like box? I hope thats not to test the
"effectiveness" of the app, because, as I mentioned above, detection
is only half the battle for AV scanners. Also, the signature would be
an easier read if you threw a few jokes in between advertisements :-)

> > If you are having that many issues with AV, try switching to
> > a whitelisting programme.
>
> I'm not having issues with AV. As it happens, I'm doing quite nicely out of
> it at the moment, thank you. And I'm one of those strange individuals who
> believe that in general that AV, while the concept of virus-specific
> detection may be "crappy", does its job surprisingly well. Whether it's the
> -right- job is another debate. (Actually, whitelisting makes a lot of sense.
> But -that- isn't the magic bullet, either.)

No, the magic bullet is being cautious and informed (plus using
noscript :) but I also agree that AV does protect end users who are
click happy. IMO there are better ways to protect them (ACL's, read
only system drives, SMTP attachment filtering, winmail.dat removal,
public humilation, etc,) but that is OT.


> > There are plenty of apps that you cant run in conjunction
> > with competing products (ever see an SAP system running
> > MAS200?), I dont see where this would become a legal issue
> > unless the operating system was doing the removal.
>
> I've seen many curious contentions in my time. And some major app
> contentions that have nothing to do with AV. But not many where a competing
> product accuses another of being malware and insists on deleting it. Usually
> when these things occur with AV, the companies concerned seem anxious to
> sort it out. I can think of potentially valid reasons for a company going
> the litigation route. I don't know whether they apply in this case, though.

True, not working together is different than actively removing the
competitor.. Good point.

> > -JP<who wishes his signature was that long.. hmmm> Dude
> > VanWinkle A+, AKA Rufus Homeless Bum/4mm Dat Tape Changing
> > Junior Technician SelfStarters Guide to Stunt Bumming:
> > http://tinyurl.com/38f4bh
>
> Ah. A purist. I used to be one of those. In fact, you may notice that my
> signature is still 4 lines long, even though I doubt if the length of my
> signature has much impact on anyone's system in this century, and I don't
> run the gauntlet of flamers and nitpickers in USENET any more.

-JP<who is not a purist, just a person who likes parody and jokes>
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.