On Fri, 21 Dec 2007, Alex Eckelberry wrote:

> This will be an ongoing problem for several reasons:
>
> 1. The sheer volume of malware -- most vendors are dealing with 10,000
> to 15,000 samples daily. That many samples, that much work, mistakes
> are bound to happen.
>
> 2. The types of malware. There's lots of malware out there that is
> "normal" software, in that they use 3rd party libraries, Installshield,
> etc. (unlike, for example, the delicately coded file-infecting viruses
> of past infamy). This can confuse researchers who are building
> definitions.
>
> Massive whitelisting is a pretty critical part of all this. But there
> are other things that need to be done as well.
>
> I think something that's surprising a lot of vendors is the amount of
> staffing, hardware and other resources required these days to be a
> successful antimalware company. It is certainly not like the old days.

They shouldn't be surprised. I told them this would happen in a conference in 1990 or thereabouts. Massive automation of the database creation would help. But I still can't see any answer other than, "User is not able to install *any* software". Like grannyx

> Alex
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Kitsune
> Sent: Friday, December 21, 2007 10:33 AM
> To: [email protected]
> Subject: shit happens, et tu, AVG? was Re: [funsec] Kaspersky strikes
> again
>
> AVG did something similar a few days ago, but not windows core, at
> least.
>
> On 12/13/2007, AVG (free v7.5.516) detected a file in MS VS 2003 as
> PSW.Ldpinch.RXL.
>
> c:\%programfiles%\Microsoft Visual Studio .NET 2003\Vc7\bin\rc.exe
> (resource compiler).
>
> c:\%programfiles%\Microsoft Visual Studio .NET
> 2003\Common7\Tools\bin\rc.exe (resource compiler).
>
> They fixed the defs on the next update, but never mentioned it, other
> than other poor souls complaining on the forums. Luckily for most that
> auto-empty is not the default.
>
> ----- Original Message -----
> From: Richard M. Smith <mailto:[EMAIL PROTECTED]>
> To: [email protected]
> Sent: Friday, December 21, 2007 6:11 AM
> Subject: [funsec] Kaspersky strikes again
>
> Kaspersky false alarm quarantines Windows Explorer
> Accidents will happen
>
> By John Leyden
> 20 Dec 2007 17:00
>
> http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/
>
> A faulty signature update from Kaspersky Lab on Wednesday
> flagged up Windows Explorer (explorer.exe) as infected with a low-risk
> virus, Huhk-C. As a result the core Windows component was quarantined or
> worse.
>
> Kaspersky released a revised update alongside advice on how to
> recover legitimate system and application files from quarantine (the
> default setting) within two hours. But that's not much consolation for
> users that had set their software to auto-delete infected files, who
> found themselves with hosed systems.
>
> Among those affected was Reg reader Carl. "A false positive
> caused the deletion of explorer.exe," he reports. "It would have only
> caused problems for companies performing their network scan during the
> hours that the dodgy update was present - which included me,
> unfortunately. I was working out of hours to fix the previous Kaspersky
> update problem. I finally finished sorting it all at 5am."
>
> ...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
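As an added illustration of the two safeguards the thread argues for, a known-good allowlist consulted before a signature hit is acted on, and quarantine rather than deletion as the default response, here is a small policy gate. It is not code from any vendor or list member; the file contents, paths and the known-good set are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Action(Enum):
    IGNORE = "ignore"          # hash is on the known-good list: suppress the detection
    QUARANTINE = "quarantine"  # reversible; the default response
    DELETE = "delete"          # irreversible; only on explicit opt-in


@dataclass(frozen=True)
class Detection:
    path: str        # where the scanner found the file
    signature: str   # name of the signature that fired
    content: bytes   # file body; kept in memory so the example runs offline


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(det: Detection, known_good: FrozenSet[str], auto_delete: bool = False) -> Action:
    """Gate applied after a signature fires and before anything is touched.

    known_good: SHA-256 hex digests of files verified clean (OS and common
    application binaries). auto_delete: the user's opt-in to deletion; off by
    default, so a bad signature update can be undone from quarantine.
    """
    if sha256_hex(det.content) in known_good:
        return Action.IGNORE
    return Action.DELETE if auto_delete else Action.QUARANTINE


# Constructed stand-ins; these bytes are not real binaries.
EXPLORER_BYTES = b"MZ constructed stand-in for explorer.exe"
UNKNOWN_BYTES = b"MZ constructed stand-in for an unknown download"
KNOWN_GOOD = frozenset({sha256_hex(EXPLORER_BYTES)})


def run_scenarios() -> dict:
    """Replay the thread's cases: a system file hit by a bad update (even with
    auto-delete on), and an unknown file hit by the same signature."""
    explorer = Detection(r"C:\Windows\explorer.exe", "Huhk-C", EXPLORER_BYTES)
    unknown = Detection(r"C:\Temp\setup.exe", "Huhk-C", UNKNOWN_BYTES)
    return {
        "explorer_auto_delete": decide(explorer, KNOWN_GOOD, auto_delete=True),
        "unknown_default": decide(unknown, KNOWN_GOOD),
        "unknown_auto_delete": decide(unknown, KNOWN_GOOD, auto_delete=True),
    }


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name}: {action.value}")
```

With the allowlist in place the bad Huhk-C signature never reaches explorer.exe, and without it the worst default outcome is a recoverable quarantine.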
