Full Disclosure mailing list archives

Re: AV companies better hire good lawyers soon.


From: Mister Coffee <live4java () stormcenter net>
Date: Tue, 14 Sep 2004 14:21:07 -0700

On Tue, Sep 14, 2004 at 03:12:31PM -0400, Barry Fitzgerald wrote:
Mister Coffee wrote:


Making it the other guy's fault doesn't wash.  It's more bad QC on the AV 
vendor's part.  But as you mentioned previously, they'll get pounced if 
some 0day gets past them and some clown loses his data.  It's a thankless 
task.  But it's _far_ more reasonable for them to err on the side of 
"Physician, do no harm" and miss the first day of an outbreak than it is 
for them to rush out and -break existing programs- because they were in 
such a hurry to "Be first to recognize ScatMaster () w32 MM!!"

I'm not sure I entirely agree with that.

In some situations, I'm not sure I agree with it either.  And I wrote it.

Just goes to show how convoluted the issue is, eh?

If AV vendors were physicians and operating system/application 
combinations biological entities, I might agree.

However, if XYZ AV program blows away a copy of c0rph0re.exe thinking 
its "scatmaster", it's not nearly as bad as if "scatmaster" were allowed 
to spread and cause other damage to people's PCs.  A compromised system 
can cause considerable problems for an organization, not to mention 
damage programs and files. 

I suppose it would depend on the relative damage scatmaster would cause versus the criticality of c0rph0re.

Wax a mission critical app because AV thought it was a lame, no payload, worm?
 
It can be assumed that if said person has c0rph0re.exe on his system, 
he/she should be able to reinstall it should it get blown out of the 
water.  Recovery in this situation is relatively simple.  Recovery in 
the case of, say, a keylogger or a backdoor or a rootkit is not nearly 
so simple.

Are your users that bright?  Mine weren't!  If VirusMuncher 2.0 waxed c0rph0re on our systems because it thought it was 
scatmaster, the users would panic.  They'd panic whether c0rph0re was an electronic post-it-note app or their 
dedicated VPN config app to reach the secure gizmo distribution system.

Users are dumb.

(What's that line from Men in Black?  "A person can be smart.  But 'people' are stupid."  It applies to users.)

As for recovery, no argument at all.  It's usually a couple of orders of magnitude easier to replace a broken app than 
stand off and nuke the workstation from orbit to make sure you got all the malware.
 
I would definitely err on the side of caution here.

Ultimately, so would I.  Better safe than sorry.

Too bad we can't get the drones to install FBSD or something...

And here, having the AV software configured to Delete Without Warning rather than quarantine or ask for user 
intervention is pretty bad.  The bottom line is A: False positives will happen.  B: Virii will get through.  C: Users 
will do stupid things (open attachments, go to malware sites, what have you.) D: If it can be mis-configured, someone 
will misconfigure it.

When it comes to this specific case (regardless of whether the software that got waxed was any good or not) the AV 
falsed on legitimate software and, in at least some cases, was configured to auto-delete and thus cost the software 
company and users of the software time and money.  There's no simple blame here, really.  The delete without asking 
was, IMHO, an over-aggressive config.  That's an Admin/User problem, unless it was the default behavior of the AV 
product.  The false positive was almost inevitably the AV vendor's problem.  Do AV vendors check against every "known 
good" program they've ever had submitted before every signature release?  I've got no idea.  

Should they?  I'd say yes.  If you can't trust your AV software to not break your system, then you can't trust your AV 
software.

Will they?  Some will.  Some won't.  It costs them time and money, and I can't imagine them spending as much on "play 
nice" as they do on "Kill Virii!"

               -Barry


Cheers,
L4J
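A pre-release regression gate of the kind Barry asks about above (re-checking candidate signatures against every known-good program before the signature set ships), as an added illustration that is not part of this thread; the known-good corpus, the signature names and the YARA-style hex-pattern format are all constructed for the example.

```python
import re

# Constructed stand-in for the vendor's "known good" submissions: file name -> bytes.
KNOWN_GOOD = {
    "c0rph0re.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"CorpHoreSetup v2.1\x00" + b"\x00" * 32,
    "postit.exe":   b"MZ\x90\x00" + b"\x00" * 60 + b"StickyNote\x00" + b"\x00" * 32,
    "vpncfg.exe":   b"MZ\x90\x00" + b"\x00" * 60 + b"VPN profile loader\x00" + b"\x00" * 32,
}

# Constructed candidate signatures: name -> space-separated hex bytes,
# '??' being a one-byte wildcard (assumed YARA-like format for this example).
CANDIDATE_SIGS = {
    "W32.ScatMaster.MM":  "53 63 61 74 4d 61 73 74 65 72",   # bytes of "ScatMaster"
    "W32.ScatMaster.gen": "4d 5a 90 00 ?? ?? ?? ??",         # MZ stub + wildcards: far too loose
}

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def find_false_positives(signatures, corpus):
    """Return {signature_name: [known-good files it matches]} for every falsing signature."""
    hits = {}
    for name, pattern in signatures.items():
        rx = hex_pattern_to_regex(pattern)
        matched = sorted(f for f, data in corpus.items() if rx.search(data))
        if matched:
            hits[name] = matched
    return hits

def release_gate(signatures, corpus):
    """True only when no candidate signature matches anything in the known-good corpus."""
    return not find_false_positives(signatures, corpus)

if __name__ == "__main__":
    for sig, files in find_false_positives(CANDIDATE_SIGS, KNOWN_GOOD).items():
        print(f"BLOCK RELEASE: {sig} matches known-good {files}")
    print("release ok" if release_gate(CANDIDATE_SIGS, KNOWN_GOOD) else "release blocked")
```

The over-broad `.gen` signature is the case the thread describes: it hits every known-good file, so the gate blocks the release before the signature ever reaches a customer's auto-delete configuration.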

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html