funsec mailing list archives

Re: Oops: McAfee Update Exterminates Excel


From: Drsolly <drsollyp () drsolly com>
Date: Tue, 14 Mar 2006 22:46:01 +0000 (GMT)

On Tue, 14 Mar 2006, Joe Jaroch (Tera Innovations, Inc.) wrote:

> I don't really see why these companies can't do testing before releasing 
> definitions. We test (and I'm sure others test) all of the definitions 
> before releasing them by updating our copies of our program internally, 
> and then using a network of ~20 high end computers to scan (on-demand 
> scan, which should really be almost exactly the same as an on-access 
> scan in most cases)

Not quite. According to the info in the McAfee site, they decided to 
branch the driver for this virus between on-demand and on-access, and they 
got the logic of that wrong.

> a few million 'clean' files. With fast enough 
> computers that I'm sure McAfee could afford, this process takes just a 
> couple minutes.

More than a couple of minutes. But here I agree with you - given that 
there can be such a huge difference between on-demand and on-access, you 
have to test both, and it doesn't *matter* if you have to use a thousand 
computers to do it on.

Plus, you have to test not only for false alarms, you also have to test to 
see that it still detects all the viruses. And now and then, you need to 
check that repair still works.

Plus you have to do at least some checking on all the platforms you're 
supporting.

When I did this, our cycle was monthly, and we froze after two weeks, and 
spent the next two weeks QCing. With a daily cycle, I suppose that comes 
down to 12 hours and 12 hours.

> I'm imagining (or at least hoping) that well established 
> companies do this, and I don't see why they wouldn't. Even when a brand 
> new, global threat comes out, you NEED to test even the beta definitions 
> because if the cure is worse than the illness, we have a problem.
> 
> I also wonder what definition they could have added which caused CTX to 
> be detected. Were they modifying the actual CTX detection, or did they 
> find a new variant?

The virus drivers are written in Virtran, which is a fairly detailed
language (and a language in which it is very easy to make mistakes; it's
more like Fortran II than Perl), including conditional branching on
various conditions. If you get the logic of the driver wrong (which is
what happened here) then you can get a big false alarm problem. They were
modifying the CTX driver, to pick up more new variants.

I'm pretty sure that this incident will have triggered a major review of 
how drivers are coded and tested.

Will this happen again?

I'd say yes, if you talk about *all* AV products. As long as you expect 
daily updates, you're saying that QC has to be compressed into a *very* 
short time, and major blunders will happen.
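The QC process the two posters argue about (scan a clean corpus for false alarms, scan a malware corpus for misses, check repair, and do all of it in every scan mode because a driver can branch differently for on-demand and on-access) as a small, runnable harness. This is an added example, not code from the thread, from McAfee, or from Virtran: the "engine" is a toy with one predicate per scan mode, the "CTX" marker strings and the file contents are constructed, and the branch slip in the buggy driver is a hypothetical illustration of the class of logic error described above, not the actual defect.

```python
"""Regression harness for a definition update: a toy signature engine
with separate on-demand and on-access code paths, run against a clean
corpus and a malware corpus in both modes, plus a repair check.
Added example; corpora, markers and drivers are all constructed."""

import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample files (not real binaries): "CTXMARK-x" stands in
# for the body of a CTX variant, a leading "MZ" for a PE executable.
MALWARE_CORPUS: Dict[str, bytes] = {
    "ctx_sample_1.exe": b"MZ\x90\x00 program code CTXMARK-A more code",
    "ctx_sample_2.exe": b"MZ\x90\x00 other code CTXMARK-B tail",
}
CLEAN_CORPUS: Dict[str, bytes] = {
    "excel.exe": b"MZ\x90\x00 Microsoft Excel main binary",
    "notepad.exe": b"MZ\x90\x00 Notepad",
    "budget.xls": b"\xd0\xcf\x11\xe0 spreadsheet cells",
}

SCAN_MODES = ("on_demand", "on_access")


@dataclass
class Driver:
    """One detection driver with a code path per scan mode (assumed
    structure; a real engine's branching is richer than two lambdas)."""
    name: str
    on_demand: Callable[[bytes], bool]
    on_access: Callable[[bytes], bool]
    repair: Callable[[bytes], bytes]


def is_pe(data: bytes) -> bool:
    return data.startswith(b"MZ")


CTX_A = re.compile(rb"CTXMARK-A")          # marker of the known variant
CTX_ANY = re.compile(rb"CTXMARK-[A-Z]")    # widened to catch new variants


def strip_ctx(data: bytes) -> bytes:
    """Toy repair: cut the marker out of the file."""
    return CTX_ANY.sub(b"", data)


# Shipping driver: catches variant A only, identically in both modes.
ctx_v1 = Driver("CTX",
                on_demand=lambda d: is_pe(d) and bool(CTX_A.search(d)),
                on_access=lambda d: is_pe(d) and bool(CTX_A.search(d)),
                repair=strip_ctx)

# Update meant to pick up more variants.  The on-demand branch is right;
# the on-access branch has "or" where "and" was intended, so every clean
# PE file is flagged on access while an on-demand-only QC scan sees
# nothing wrong.  Hypothetical slip, illustrating the class of error.
ctx_v2_buggy = Driver("CTX",
                      on_demand=lambda d: is_pe(d) and bool(CTX_ANY.search(d)),
                      on_access=lambda d: is_pe(d) or bool(CTX_ANY.search(d)),
                      repair=strip_ctx)

ctx_v2_fixed = Driver("CTX",
                      on_demand=lambda d: is_pe(d) and bool(CTX_ANY.search(d)),
                      on_access=lambda d: is_pe(d) and bool(CTX_ANY.search(d)),
                      repair=strip_ctx)


def qc_run(driver: Driver, clean: Dict[str, bytes],
           malware: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Exercise every scan mode against both corpora.  Returns findings
    keyed "<mode>:<problem>"; an empty dict means the driver passes."""
    findings: Dict[str, List[str]] = {}
    for mode in SCAN_MODES:
        scan = getattr(driver, mode)
        false_positives = [n for n, d in clean.items() if scan(d)]
        missed = [n for n, d in malware.items() if not scan(d)]
        # A repaired sample must come back clean in this mode as well.
        repair_failed = [n for n, d in malware.items()
                         if scan(driver.repair(d))]
        for problem, names in (("false_positive", false_positives),
                               ("missed", missed),
                               ("repair_failed", repair_failed)):
            if names:
                findings[f"{mode}:{problem}"] = names
    return findings


def release_ok(driver: Driver) -> bool:
    """Release gate: no findings in any mode on the constructed corpora."""
    return not qc_run(driver, CLEAN_CORPUS, MALWARE_CORPUS)


if __name__ == "__main__":
    for label, drv in (("v1", ctx_v1), ("v2 buggy", ctx_v2_buggy),
                       ("v2 fixed", ctx_v2_fixed)):
        print(label, qc_run(drv, CLEAN_CORPUS, MALWARE_CORPUS) or "PASS")
```

Running it shows why a scan network that only exercises the on-demand path is not enough: `ctx_v1` fails only on a miss (variant B), `ctx_v2_buggy` passes on-demand cleanly and fails on-access with false alarms on both clean executables and with repaired samples still flagged, and only `ctx_v2_fixed` clears the gate. In a real pipeline the corpora would be the millions of clean files and the full malware zoo the thread mentions, and the per-mode predicate would be the engine itself driven through each scan interface.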

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
