funsec mailing list archives
Re: Via Slashdot: Antivirus Vendors Head to Court
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 9 Jul 2007 08:37:45 -0400
On 7/9/07, David Harley <david.a.harley () gmail com> wrote:
> > I do. The user always has the option to uninstall the
> > offending app and switch to a competitor.
>
> True. (Though SAV, among others, can leave dirty footprints in your registry when you remove it.)
Try nonav.bat from the Symantec /nosupport directory. IMO it's the best product Symantec has written to date..
> > I didn't mean any offence, it's just that AV scanners will take
> > up more cycles and memory than most other applications on a
> > standard desktop.
>
> No offence taken. But we're off the point here. I've already said that I wouldn't normally run two on-access scanners at the same time. All they're taking up is disk space and I have lots of that. What I'm saying is that I think your point about excluding other AV programs (and the comments in the original news article) is based on a somewhat outmoded view of the technology.
That makes some sense. You just want to be able to scan from multiple products to do testing or some such. Will the fact that more than one of these AV vendors will try to hook into ring0 be an issue when testing their functionality? If you only test the scanner, then you are only testing the detection of viruses, not the ability of the program to stop them. Everyone can beat AV detection: take your keylogger, chop it in half with a hex editor, then scan each half to see which is detected, rinse and repeat to find the .sig, then alter that part of your code and recompile. Only good heuristics (like NOD32) will stop these simple steps. So now that we know detection is easy to beat, the remaining question is: how hard is it to disable the AV or stop a future update from detecting your app? (editing the system's hosts file, fusking up the ACLs in the AV dir, closing a port, etc.) This is where the real battle is these days..
> You've evidently read my signature, since you commented on its length. Can you think of any reason why a security researcher specialising in malware might have multiple scanners on some machines, apart from paranoia? ;-)
Maybe a VirusTotal-like box? I hope that's not to test the "effectiveness" of the app, because, as I mentioned above, detection is only half the battle for AV scanners. Also, the signature would be an easier read if you threw a few jokes in between advertisements :-)
> > If you are having that many issues with AV, try switching to
> > a whitelisting programme.
>
> I'm not having issues with AV. As it happens, I'm doing quite nicely out of it at the moment, thank you. And I'm one of those strange individuals who believe that, in general, AV, while the concept of virus-specific detection may be "crappy", does its job surprisingly well. Whether it's the -right- job is another debate. (Actually, whitelisting makes a lot of sense. But -that- isn't the magic bullet, either.)
No, the magic bullet is being cautious and informed (plus using NoScript :) but I also agree that AV does protect end users who are click-happy. IMO there are better ways to protect them (ACLs, read-only system drives, SMTP attachment filtering, winmail.dat removal, public humiliation, etc.) but that is OT.
> > There are plenty of apps that you can't run in conjunction
> > with competing products (ever see an SAP system running
> > MAS200?), I don't see where this would become a legal issue
> > unless the operating system was doing the removal.
>
> I've seen many curious contentions in my time. And some major app contentions that have nothing to do with AV. But not many where a competing product accuses another of being malware and insists on deleting it. Usually when these things occur with AV, the companies concerned seem anxious to sort it out. I can think of potentially valid reasons for a company going the litigation route. I don't know whether they apply in this case, though.
True, not working together is different from actively removing the competitor.. Good point.
> > -JP<who wishes his signature was that long.. hmmm> Dude
> > VanWinkle A+, AKA Rufus Homeless Bum/4mm Dat Tape Changing
> > Junior Technician SelfStarters Guide to Stunt Bumming:
> > http://tinyurl.com/38f4bh
>
> Ah. A purist. I used to be one of those. In fact, you may notice that my signature is still 4 lines long, even though I doubt if the length of my signature has much impact on anyone's system in this century, and I don't run the gauntlet of flamers and nitpickers in USENET any more.
-JP<who is not a purist, just a person who likes parody and jokes>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
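The post above names editing the hosts file as one way malware keeps an AV product from updating. As an added example, not from the funsec post nor from any AV vendor's tooling, the following Python parses a hosts file and flags two things a defender would want to see: any non-local hostname sinkholed to a loopback or null address, and any static mapping at all for a watchlist of update hostnames the defender supplies. The sample hosts content and the `example-av.test` / `other-vendor.test` names are constructed placeholders, not real vendor domains.

```python
"""Hosts-file tamper check: find sinkholed or statically remapped update hosts.

Added example, not from the funsec post or any AV product. The sample hosts
content and the example-av.test / other-vendor.test names are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Addresses used to sinkhole a name so it never reaches the real server.
SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("::/128"),
)

# Names a stock hosts file legitimately maps to loopback.
LEGIT_LOOPBACK = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed placeholder: domains whose update servers we care about.
WATCHLIST = ("example-av.test",)

# Constructed sample hosts file (not captured from a real system).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     liveupdate.example-av.test      # update host sinkholed
192.0.2.10  patches.example-av.test         # update host redirected to a routable address
0.0.0.0     telemetry.other-vendor.test     # sinkholed but not on the watchlist
192.0.2.10  www.example.com                 # static mapping, neither sinkholed nor watched
"""

Finding = Tuple[int, str, str, str]  # (line_no, hostname, ip, reason)


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping; comments and blank lines skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/hostname mapping; ignore
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def find_suspicious(text: str, watchlist: Iterable[str] = ()) -> List[Finding]:
    """Return findings for sinkholed non-local names and any static mapping of watched names."""
    watch = {w.lower() for w in watchlist}
    findings: List[Finding] = []
    for line_no, ip, name in parse_hosts(text):
        sinkholed = any(ip in net for net in SINKHOLE_NETS)
        watched = name in watch or any(name.endswith("." + w) for w in watch)
        if watched:
            # Any static entry for an update host overrides DNS: it can sinkhole the
            # update or point it at a host the attacker controls, so flag it regardless of IP.
            findings.append((line_no, name, str(ip), "watched host statically mapped"))
        elif sinkholed and name not in LEGIT_LOOPBACK:
            findings.append((line_no, name, str(ip), "non-local host sinkholed"))
    return findings


def scan_hosts_file(path: str, watchlist: Iterable[str] = WATCHLIST) -> List[Finding]:
    """Convenience wrapper for a real file, e.g. /etc/hosts or
    C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read(), watchlist)


if __name__ == "__main__":
    for line_no, name, ip, reason in find_suspicious(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

Run it against the live file with `scan_hosts_file(...)`. A watchlist entry matches the domain itself and any subdomain, and watched names are flagged even when mapped to a routable address, because redirecting an update check is as useful to an attacker as blocking it; the `0.0.0.0` and `::` entries are included because both are common sinkhole targets alongside plain loopback.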