funsec mailing list archives
Re: Oops: McAfee Update Exterminates Excel
From: Drsolly <drsollyp () drsolly com>
Date: Tue, 14 Mar 2006 22:46:01 +0000 (GMT)
On Tue, 14 Mar 2006, Joe Jaroch (Tera Innovations, Inc.) wrote:
> I don't really see why these companies can't do testing before releasing definitions. We test (and I'm sure others test) all of the definitions before releasing them by updating our copies of our program internally, and then using a network of ~20 high end computers to scan (on-demand scan, which should really be almost exactly the same as an on access scan in most cases)
Not quite. According to the info in the McAfee site, they decided to branch the driver for this virus between on-demand and on-access, and they got the logic of that wrong.
> a few million 'clean' files. With fast enough computers that I'm sure McAfee could afford, this process takes just a couple minutes.
More than a couple of minutes. But here I agree with you - given that there can be such a huge difference between on-demand and on-access, you have to test both, and it doesn't *matter* if you have to use a thousand computers to do it on. Plus, you have to test not only for false alarms, you also have to test to see that it still detects all the viruses. And now and then, you need to check that repair still works. Plus you have to do at least some checking on all the platforms you're supporting. When I did this, our cycle was monthly, and we froze after two weeks, and spent the next two weeks QCing. With a daily cycle, I suppose that comes down to 12 hours and 12 hours.
> I'm imagining (or at least hoping) that well established companies do this, and I don't see why they wouldn't. Even when a brand new, global threat comes out, you NEED to test even the beta definitions because if the cure is worse than the illness, we have a problem. I also wonder what definition they could have added which caused CTX to be detected. Were they modifying the actual CTX detection, or did they find a new variant?
The virus drivers are written in Virtran, which is a fairly detailed language (and a language in which it is very easy to make mistakes; it's more like Fortran II than Perl), including conditional branching on various conditions. If you get the logic of the driver wrong (which is what happened here) then you can get a big false alarm problem. They were modifying the CTX driver, to pick up more new variants. I'm pretty sure that this incident will have triggered a major review of how drivers are coded and tested. Will this happen again? I'd say yes, if you talk about *all* AV products. As long as you expect daily updates, you're saying that QC has to be compressed into a *very* short time, and major blunders will happen.
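The release check discussed in this message, as an added example that is not part of the original post or any vendor's code: a QC gate that runs a candidate driver over a clean corpus and a known-detection corpus in both scan modes. The driver functions, the marker bytes, the file names and the logic error in the on-access branch are all constructed for illustration and are not the actual McAfee defect.

```python
from typing import Callable, Dict, List, Sequence, Tuple

MODES = ("on_demand", "on_access")
MARKER = b"\xde\xad\xbe\xef"  # constructed stand-in for a virus signature

# Constructed corpora: file name -> file bytes.
CLEAN: Dict[str, bytes] = {
    "report.xls": b"\xd0\xcf\x11\xe0" + b"\x00\xde\x00" + b"cells",
    "notes.txt": b"plain text, nothing to see",
}
INFECTED: Dict[str, bytes] = {
    "sample_a.exe": b"MZ" + b"\x00" * 8 + MARKER + b"payload",
    "sample_b.exe": b"MZ" + MARKER,
}

Driver = Callable[[bytes, str], bool]

def candidate_driver(data: bytes, mode: str) -> bool:
    """Hypothetical driver that branches on scan mode, with a wrong fast path."""
    if mode == "on_access":
        # Constructed logic error: only the first marker byte is checked.
        return MARKER[:1] in data
    return MARKER in data

def fixed_driver(data: bytes, mode: str) -> bool:
    """Same match logic on both paths."""
    return MARKER in data

def qc_gate(driver: Driver,
            modes: Sequence[str] = MODES) -> List[Tuple[str, str, str]]:
    """Return every (mode, file, problem) that should block the release."""
    failures = []
    for mode in modes:
        for name, data in CLEAN.items():
            if driver(data, mode):
                failures.append((mode, name, "false_alarm"))
        for name, data in INFECTED.items():
            if not driver(data, mode):
                failures.append((mode, name, "missed_detection"))
    return failures

def release_ok(driver: Driver) -> bool:
    return not qc_gate(driver)

if __name__ == "__main__":
    # Testing on-demand alone passes; testing both modes exposes the false alarm.
    print("on-demand only:", qc_gate(candidate_driver, modes=("on_demand",)))
    print("both modes:    ", qc_gate(candidate_driver))
    print("fixed driver releasable:", release_ok(fixed_driver))
```
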