[plug] [OT] heuristics (was: Rewinding word)

Christian christian at amnet.net.au
Sat Mar 23 09:18:37 WST 2002


On Wed, Mar 20, 2002 at 10:55:51PM +0800, Anthony Jones wrote:
 
> Code and data are stored in the same memory space. The program has the 
> ability to modify or execute any data in its memory space. It is therefore 
> possible to produce code at runtime which was not present in the binary 
> executable file.

Or download the code...  I assume that on most Windows systems the virus
definitions are stored world-readable somewhere.  I wonder if it would
be possible to generate a "new" virus at runtime based on combining
information contained in these definitions.  <Insert a million other
possibilities that I haven't thought of but all those virus and worm
writers will.>

> * A virus scanner can only detect known identified viruses.
> It is not possible to determine what the executable code is going to do by 
> inspection, and inspection is exactly what virus scanners do. It is therefore 
> only possible to recognise already identified viruses.

People will answer "heuristics" and you'll say they're wrong.  The answer
is, as usual, somewhere in between.  Virus scanners provide some
protection but they are increasingly ineffective and outgunned.  In the
end it will come down to a race condition between the virus scanners
(and their makers) and the next Warhol worm.  I know who I'm putting
money on.

> Discussion:
> Many virus scanners allow you to block executables in addition to their 
> "virus scanning". Some even come with partial sandboxing which prevent some 
> but not all harmful activities.

Like (I suspect) you, I'm not really convinced by this.  If user
Joe Schmoe has no idea what constitutes a dangerous or "suspicious"
attachment when he receives one in his morning email, how is he to
decide whether the binary object his virus scanner has quarantined is
safe to execute?  The only protection a virus scanner gives in this
situation is to prevent some bloated, overly virus^H^H^H^H^Huser
friendly email client from executing it automatically for him.  The
other alternative is a genuine quarantine whereby the attachment remains
isolated and unrunnable for some fixed period of time (i.e., 1-2 months)
during which, if the binary contains a "virus" then this will be
discovered and the scanner will be updated to detect it.  Kind of
reduces the usefulness of email and the Internet, doesn't it?  This
above anything demonstrates how virus scanners are, at best, a very
limited, temporary solution.


-- 
DSA 0x2A0F80F3: 39F3 4E10 9BE9 E728 A9EE  029C D51D EE53 2A0F 80F3
