[plug] [OT] heuristics (was: Rewinding word)

Anthony Jones ajones at clear.net.nz
Wed Mar 20 22:55:51 WST 2002

On Tuesday 19 March 2002 23:17, Peter J. Nicol wrote:
>> A virus scanner does not provide
>> any sort of technical impediment to me writing a piece of software which
>> erases all the files on your hard disk and posting it to you in the hope
>> that you'll try to open it.
> 
> Not always correct.  Many virus scanners employ heuristics that detect
> virus like behaviour.

Definitions:

A virus scanner - a piece of software which reads files and, without 
executing them, decides whether they are "safe" to pass through.

A sandbox - an isolated program space which allows the execution of a program 
that is granted limited access to system resources.

PART 1 - Executables

* It is not possible to determine what executable code is going to do by 
inspection.

The only way to find out what code is going to do is to execute it, either in a 
simulator, in a sand-box or running it in the wild.

Code and data are stored in the same memory space. The program has the 
ability to modify or execute any data in its memory space. It is therefore 
possible to produce code at runtime which was not present in the binary 
executable file.

* A virus scanner can only detect known identified viruses.

It is not possible to determine what the executable code is going to do by 
inspection, and inspection is exactly what virus scanners do. It is therefore 
only possible to recognise already identified viruses.

Discussion:

Many virus scanners allow you to block executables in addition to their 
"virus scanning". Some even come with partial sandboxing which prevents some 
but not all harmful activities.

Recommendation:

Do not run untrustworthy executables. If you must run executables then run 
them in a sand box. Partial sandboxing is inadequate - sandbox properly.

PART 2 - Scripting languages and Java

Discussion:

Many scripting languages such as JavaScript and VBScript are sandboxed. Java 
applets are sandboxed. Script viruses rely on security faults in the 
sandboxing. Some scripting languages don't support self-modifying code and 
some do. (I can't claim to be an expert on scripting languages.)

Some of the recent viruses (or at least the last ones I've heard of - seeing 
I use Linux I don't get viruses so I don't hear about them) exploit security 
flaws in the sandboxing (or lack thereof) in Outlook, Word and just about 
every other product that M$ have ever made.

Many virus scanners allow you to block scripts in addition to their "virus 
scanning". Some even come with partial sandboxing which prevents some but not 
all harmful activities.

Recommendation:

The sandboxing in your email client, browser, word processor, etc. can't be 
trusted. You should sandbox all of these applications. Partial sandboxing is 
inadequate - sandbox properly.

Here's a comparison:

Virus scanner
Pros:
* Can detect known viruses.
* Can block executables.
* Sometimes offers low grade sandboxing.
* Is easy to set up and install.
Cons:
* Gives a false sense of security.
* Offers little defence against unknown viruses.
* Does not allow you to see all of your email attachments.
* Is a no-brain solution.

Sandbox
Pros:
* Does not allow viruses to do any harm.
* Allows you to see all of your email attachments.
Cons:
* Does not detect viruses.
* Can take some thought and effort to set up.
* If badly set up can make it difficult to transfer information from one 
place to another.
* High grade sandboxing can sometimes be resource hungry.

> At risk of starting an offtopic thread, it is a show stopper!

Peter - can you please explain to me why in an adequately sandboxed system 
not having a virus scanner is a show stopper?

Anthony