
[exelist] Re: sdw386 v. 1.71



>
>People, maybe it's better to fix _ALL_ false positives from virus
>scanners before posting your stuff here. We AV people have to fix your
>false positives, which consumes a lot of unnecessary time. On the other
>hand, your stuff won't be distributed at all if there's a "virus" inside!
>
>Please fix the following FP:
>

Hi!

Is it really our problem to write protectors in a way that
every stupid AV scanner doesn't recognize them as a virus?
I don't think so. I know how hard, or maybe impossible, it is to
write a heuristic virus scanner which doesn't give false alarms.

But look at the definition of a virus:
It's not some code which is defined as being polymorphic, encrypted
or something like that; OK, most viruses are. They are also not
defined as being destructive, although most viruses destroy.
What I want to say is that a virus is defined as SPREADING ITSELF
by infecting other files etc. ... Protectors don't act like this,
so I don't think it's the problem of the protector that it is
recognized as a suspicious virus. Indeed, it's the fault of a badly
designed scanner.

Regards,
iceman

ps: Maybe I'm announcing a new way of virus scanning here; I'm not
very familiar with AV stuff, but I think one safe way would be
to create a so-called "Sandbox" or "Container", which is the
environment in which we run the "maybe-infected file" and call,
open, read, etc. other dummy files there.
If we hook the filesystem on the lowest layer (to avoid
manipulation of this by a virus, do it polymorphically), we know that
something modified the dummy file and can be SURE that it's a virus.
I've never seen this technique, but I think as an add-on it beats
a lot of other techniques like string-scan, heuristic scan, code
analysis, correlation scanning, etc. etc.

pps: The AV technology described in this mail is patent pending in
the United States of America and Europe. 
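The bait-file check sketched in the ps, as an added example written for this page and not code from the original mail or its author: it plants dummy files in a scratch directory, hashes them, runs the suspect command with that directory as its working directory, and reports which dummy files were modified or removed afterwards. It is a userland simulation that assumes the sample cannot escape or tamper with the checker; it does not implement the low-level filesystem hook the mail describes, and the bait names and the `python_command` helper are constructed for the example.

```python
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed bait names: the "dummy files" the suspect may open or write.
BAIT_NAMES = ("readme.com", "notes.exe", "data.txt")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_bait(root: Path) -> dict:
    """Write the dummy files and return a name -> sha256 snapshot."""
    snapshot = {}
    for name in BAIT_NAMES:
        path = root / name
        path.write_bytes(b"BAIT " + name.encode() + b"\n" + b"\x90" * 64)
        snapshot[name] = sha256_of(path)
    return snapshot


def changed_bait(root: Path, snapshot: dict) -> list:
    """Return bait files whose content changed or that disappeared."""
    hits = []
    for name, digest in snapshot.items():
        path = root / name
        if not path.is_file() or sha256_of(path) != digest:
            hits.append(name)
    return sorted(hits)


def run_in_bait_dir(command: list, timeout: float = 10.0) -> list:
    """Run `command` inside a fresh bait directory; report touched bait."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        snapshot = plant_bait(root)
        try:
            subprocess.run(command, cwd=root, timeout=timeout,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except (subprocess.TimeoutExpired, OSError):
            pass  # a hung or unrunnable sample still gets its bait checked
        return changed_bait(root, snapshot)


def python_command(code: str) -> list:
    """Constructed helper: run a snippet in the current interpreter."""
    return [sys.executable, "-c", code]
```

Any name returned by `run_in_bait_dir` means the sample altered a file it had no business touching, which is the signal the ps proposes; a clean run returns an empty list.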


------------------------------------------------------------------------
eGroup home: http://www.eGroups.com/list/exelist
Free Web-based e-mail groups by eGroups.com