funsec mailing list archives
RE: Overloading AV software, was Question about Viruses
From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 19:00:18 +0100 (BST)
On Fri, 7 Jul 2006, Richard M. Smith wrote:
But for the most part massimo is right, it's a dumb strategyHmm, what if the bad guys overloaded a user with virus warning messages as a stratergy to get people to turn off their AV software. For example, could a Web page download a few hundred image files with known virus signatures tacked on the end of each file in order to make AV software go nuts? Could the same trick be used in an HTML email message?
You have a fundamental (and very common) misunderstanding about "virus signatures". I can only talk authoritatively about my AV software design, but I think most AV software today works in a similar way. So. The problem is, you think there's something called a "virus signature". There is, indeed, an "Alan Solomon" signature, I write it on cheques and suchlike, and it's pretty much the same each time I write it, and you can reognise that it's my signature. But there is no similar "virus signature". What there is, is a sequence of bytes chosen from the body of the virus, that the AV uses to determine whether the virus is present or not. 1) Different AV products will choose different sequences as the thing they're looking for. 2) Certainly the AV I wrote (and it still works this way today), and (I think) most other AV products, only look for that byte sequence, in the place(s) that it would have to be if the file is infected. So, if you append that byte-sequence to the end of the file, the AV will, correctly, say that the file is not infected. So, your idea won't work.
I already have an HTML application that is triggering false positives in Symantec because Symantec thinks a bit of VBScript code I wrote is a malicious code.
That's a false alarm. Send Symantec the code you wrote, explain that it's generating false alarms, and wait for them to fix their product. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Question about Viruses Dude VanWinkle (Jul 07)
- Re: Question about Viruses <...> (Jul 07)
- RE: Question about Viruses Larry Seltzer (Jul 07)
- RE: Overloading AV software, was Question about Viruses Richard M. Smith (Jul 07)
- RE: Overloading AV software, was Question about Viruses Drsolly (Jul 07)
- RE: Overloading AV software, was Question about Viruses Richard M. Smith (Jul 07)
- Re: Overloading AV software, was Question about Viruses Dude VanWinkle (Jul 07)
- Re: Overloading AV software, was Question about Viruses Drsolly (Jul 07)
- Re: Overloading AV software, was Question about Viruses Dude VanWinkle (Jul 07)
- Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Re: Question about Viruses Drsolly (Jul 07)
- Re: Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Re: Question about Viruses Valdis . Kletnieks (Jul 07)
- Re: Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Re: Question about Viruses Drsolly (Jul 07)
- RE: Question about Viruses Larry Seltzer (Jul 07)
- Re: Question about Viruses <...> (Jul 07)