This will be an ongoing problem for several reasons: 1. The sheer volume of malware -- most vendors are dealing with 10,000 to 15,000 samples daily. That many samples, that much work, mistakes are bound to happen. 2. The types of malware. There's lots of malware out there that is "normal" software, in that they use 3rd party libraries, Installshield, etc. (unlike, for example, the delicately coded file-infecting viruses of past infamy). This can confuse researchers who are building definitions. Massive whitelisting is a pretty critical part of all this. But there are other things that need to be done as well. I think something that's surprising a lot of vendors is the amount of staffing, hardware and other resources required these days to be a successful antimalware company. It is certainly not like the old days. Alex
________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitsune Sent: Friday, December 21, 2007 10:33 AM To: [email protected] Subject: shit happens, et tu, AVG? was Re: [funsec] Kaspersky strikes again AVG did something similar a few days ago, but not windows core, at least. On 12/13/2007, AVG (free v7.5.516) detected a file in MS VS 2003 as PSW.Ldpinch.RXL. c:\%programfiles%\Microsoft Visual Studio .NET 2003\Vc7\bin\rc.exe (resource compiler). c:\%programfiles%\Microsoft Visual Studio .NET 2003\Common7\Tools\bin\rc.exe (resource compiler). They fixed the def's on the next update, but never meantioned it, other than other poor souls complaining on the forums. Luckly for most that auto-empty is not the default. ----- Original Message ----- From: Richard M. Smith <mailto:[EMAIL PROTECTED]> To: [email protected] Sent: Friday, December 21, 2007 6:11 AM Subject: [funsec] Kaspersky strikes again Kaspersky false alarm quarantines Windows Explorer Accidents will happen By John Leyden <blocked::http://forms.theregister.co.uk/mail_author/?story_url=/2007/12 /20/kaspersky_false_alarm/> 20 Dec 2007 17:00 http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/ <http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/> A faulty signature update from Kaspersky Lab on Wednesday flagged up Windows Explorer (explorer.exe) as infected with a low-risk virus, Huhk-C. As a result the core Windows component was quarantined or worse. Kaspersky released a revised update alongside advice on how to recover legitimate system and application files from quarantine (the default setting) within two hours. But that's not much consolation for users that had set their software to auto-delete infected files, who found themselves with hosed systems. Among those affected was Reg reader Carl. "A false positive caused the deletion of explorer.exe.," he reports. "It would have only caused problems for companies performing their network scan during the hours that the dodgy update was present - which included me, unfortunately. I was working out of hours to fix the previous Kaspersky update problem. I finally finished sorting it all at 5am.". ... ________________________________ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
