On Wed, 13 Dec 2000, Dave Mikulka wrote:
> Someone brought up a while ago that a real look to the future should be
> in prevention. To this day I still wonder why it is that the antivirus
> software vendors don't take more steps to PREVENTION.
That's a fair question. Two of the possible answers are:
* Adding detection for each virus as it appears is conceptually easy.
Detecting unknown viruses is a more complex issue than you think
(see below).
* There's a marketing advantage to having customers locked into an
update subscription cycle (this is less of an issue than it was
a few years ago, though).
> In addition to
> constantly updating their lists of known virus patterns, why aren't they
> spending some time and money to research new possible patterns and
> prevent them.
Sadly, that's an unfair question, based on a misunderstanding of how
anti-virus software works and what a pattern is.
You -could- generate a pattern file including every possible
scanstring of length 1 to n bytes. You could check every
infectable object in sight for any instance of one of those
strings. OTOH, you could just assume that -any- infectable
object is infected and save the processing time. Now,
instead of a variable percentage of known infected objects,
you have 100% of possibly infected objects and no means of
telling which are infected. Unless you use conventional
known-virus scanning, which puts you right back to square 1,
or run each program and see if it replicates. (Welcome to
the curious twilight world of anti-virus research.)
> 'Cause let's be honest, if there's hackers out there who can
> come up with new trojans, then there's people out there who can be hired
> to create them ahead of time and prevent them as well.
Are you talking Trojans or viruses? The problems are quite
different: you can detect probable viruses (but not all viruses)
heuristically, but you can't do the same for Trojans.
Suppose I tell you that I've just written a program
that deletes an entire directory tree or subtree.
On the information I've given you, can you tell me
whether it's a Trojan?
> Checksum of programs on the client --- that is exactly what "Anti-virus"
> software is basically doing, scanning all files on a system and doing
> pattern matching.
Nope. Checksumming (like other forms of change detection) is
heuristic. "This object has changed, which may indicate a
virus infection." What you call pattern matching is more
exact. "This object seems to be infected with the XYZ.A virus."
Some anti-virus suites do include generic measures such as
change detection and heuristic analysis, but those methods
are quite different to what you've proposed above (and
considerably more effective).
--
David Harley
Virus FAQs - http://www.sherpasoft.org.uk/
Email abuse FAQ - http://www.sherpasoft.org.uk/hoaxfaq/Mis-IT.html
Forthcoming books/publications - http://viruses-revealed.org.uk
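The checksumming-versus-scanning distinction Harley draws above, as an added example that is not part of the original post. It uses constructed sample "files", a constructed scan string for the hypothetical XYZ.A, and a SHA-256 baseline; it also reproduces the "every possible scanstring" thought experiment to show that such a pattern file flags 100% of objects.

```python
import hashlib
from typing import Dict, List

# Constructed scan string for the hypothetical "XYZ.A" named in the post.
# This is made up for the example; it is not a real virus signature.
KNOWN_SIGNATURES: Dict[str, bytes] = {"XYZ.A": b"\x90\x90XYZ-A-MARKER"}


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Change detection, step 1: record a checksum of every infectable object."""
    return {name: checksum(data) for name, data in files.items()}


def changed_objects(files: Dict[str, bytes], base: Dict[str, str]) -> List[str]:
    """Heuristic verdict: "this object has changed, which MAY indicate infection".
    It cannot say which changed objects are actually infected."""
    return sorted(n for n, d in files.items() if base.get(n) != checksum(d))


def scan_known(files: Dict[str, bytes], sigs: Dict[str, bytes]) -> Dict[str, str]:
    """Known-virus scanning: an exact scan-string hit yields a named verdict,
    and anything without a known pattern is simply not reported."""
    return {n: v for n, d in files.items() for v, p in sigs.items() if p in d}


def exhaustive_signatures() -> Dict[str, bytes]:
    """Harley's thought experiment: a pattern file of every possible scan string.
    Even length 1 alone (all 256 byte values) matches every non-empty object."""
    return {"any-%02x" % i: bytes([i]) for i in range(256)}


def demo():
    original = {"editor.exe": b"MZ..editor v1", "calc.exe": b"MZ..calc", "game.exe": b"MZ..game"}
    base = baseline(original)
    later = {
        "editor.exe": b"MZ..editor v2",                          # legitimate upgrade
        "calc.exe": b"MZ..calc" + KNOWN_SIGNATURES["XYZ.A"],     # known virus appended
        "game.exe": b"MZ..game" + b"UNKNOWN-NEW-VIRUS",          # virus with no pattern yet
    }
    changed = changed_objects(later, base)          # all three, benign upgrade included
    named = scan_known(later, KNOWN_SIGNATURES)     # only calc.exe, as XYZ.A
    flagged_all = sorted(scan_known(later, exhaustive_signatures()))  # 100% of objects
    return changed, named, flagged_all
```

Change detection flags the benign upgrade and the unknown virus alike but cannot name either; the scan-string match names XYZ.A exactly and misses the unknown virus entirely.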