[EMAIL PROTECTED] wrote:

> creating an excellent anti-virus scan engine is NOT really that difficult.
> creating a pattern file standard to work with those scan engines is also not
> that difficult.
> both the above requirements for a GPL'd anti-virus alternative are more than
> doable.

I agree. BUT..........

#ifdef RANTMODE

> so what's the catch?
> you have to have an army of antivirus specialists who will take in samples,
> analyze them, create a test pattern for them, run the test pattern on all
> known OS and hardware combinations and finally publish the finished pattern.

There is no catch. This is like using a Model T to run the Indy 500. C'mon,
string scanning has been used since the advent of computing. The same thing can
be done by creating a decent data file and then feeding the strings and the
files to be scanned to grep, but then this would take ages to execute. Besides,
this is just one way to do it. Even McAfee's "heuristics" does the same thing!

Heuristic scanning is a way to analyze a file for viruses rather than just
blindly searching for specific strings. It should be similar to a human
analyzing a file for infection. Let's take the simplest infection vector, a DOS
.com file, since Linux/Unix has companion viruses and they are a little more
tricky to analyze.

Anyone with a little AV experience could look at a file's hex dump and tell
whether it's possibly infected or not by reading the first few bytes. He first
looks for a jump (jmp) instruction. If the code simply skips the data area and
proceeds to the executable code area of the file, then it's OK. But if the code
jumps to the end of the file, something's fishy. In addition, if there IS code
at the supposed end of the file, then you have a whopper.

Did the human have to memorize 60,000 patterns? No. Did it take him long? No.
How many steps fewer is this than string scanning? It's more complex. You need
a code analyzer to begin with.

As I said in another post, McAfee's 'heuristics' is just a clone of Dr.
Solomon's. Their engine is so similar to Dr. Solomon's that it even has the
same undocumented switches. It doesn't count as a real heuristic scanner. It
still uses strings or patterns, and this causes it to SLOW DOWN when heuristics
is enabled. This caused their fiasco last May when their scanner said Sophos was
infected by Anna Kournikova. Even Norton suffered the same problem a while back.

OBTW, you don't need an army of antivirus specialists for your samples. Tap the
VX scene on the web. The VX people are virus collectors and traders. Through
them, I learned that some AV companies are also getting their samples from the
VX scene as well. AVP is one of them. Anyone else tried the Linux version?

> also you have to have another army of application programmers to create
> system programs that take advantage of your scan engine and pattern for a
> variety of platforms. and another army to support/maintain these programs.

The army of application programmers part is a given for open source software.
Taking advantage of your scan engine and pattern is another matter. Doing so
will make your scanner/cleaner executable dependent on the pattern file. It
should use a modular approach to its utilities and have a separate scanner,
code emulator, cleaner, etc. TBAV was modular. McAfee and Dr. Solomon once used
a modular approach as well.

> once you have that, i believe there will arise an excellent free anti-virus
> alternative.
> in the meantime, people pay for the services of AV companies.

People pay for the _signature_ collection services of AV companies. McAfee once
had the capability for a user to add signatures in its version 1.xx engines.
That feature quickly disappeared. When TBAV came out, it became the pariah of
the AV industry because its techniques made fun of everybody else's signature
collection departments.

The last data file was released in April of 2000, yet in its short five-year
(or so) life, it never had to hurry and create a new data file for every new
virus that came out. TBAV had to update its data file only when a new type of
virus or infection method appeared. It was an amazing piece of work. The
tbscan.def data file is all you needed to download to scan and clean the latest
critters. Take note of its size. I stand corrected when I said it was 300 kb in
another post.

    Welcome to the Norman BV Anonymous FTP Archive!

    Up to higher level directory
    .welcome       48 bytes   Thu May 28 00:00:00 1998
    README.TXT    177 bytes   Mon Feb 08 00:00:00 1999   Plain Text
    TBSCAN.DEF    180 Kb      Wed Apr 26 00:27:00 2000

#endif RANTMODE

I'm just an amateur in the AV industry. You're the pro. Enlighten me if I'm on
the dark side of the force here.

-- 
Paolo
Infoweb Telecom (Global) Limited
POT: (852) 2388-1168/1053/1476 or 2625-1688 loc 127
FAX: (852) 2625-1501
7B CNT Tower, 338 Hennessy Road, Wanchai, Hong Kong, SAR, China

_________________________________________________________________
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
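The entry-point check described in the post above (read the first bytes of a DOS .com file, find the jmp, see whether it lands at the end of the file, and whether there is code there), written out as an added Python example. This is not code from the post, from TBAV, or from any AV product named in it. The sample images, the 75% "tail" threshold, and the small opcode set used to guess that a region "looks like code" are constructed assumptions for illustration; the appended bytes in the infected sample are harmless DOS calls standing in for an appended body, not a real virus.

```python
"""Crude DOS .com entry-point heuristic, as sketched in the post:
look at the first bytes for a JMP, see where it lands, and check whether
code lives there. Thresholds and opcode sets are assumptions, not AV-product values."""
import struct

COM_LOAD_OFFSET = 0x100      # DOS loads a .com image at CS:0100h, after the PSP
TAIL_FRACTION = 0.75         # assumption: landing in the last quarter counts as "end of file"
PADDING_BYTES = {0x00, 0xFF, 0x1A, 0x20}
# Assumption: opcodes commonly found at the start of real code
# (push r16, mov r,imm, call, cld, segment push/override, pusha, pushf, mov r/m).
CODE_START_OPCODES = (set(range(0x50, 0x58)) | set(range(0xB0, 0xC0))
                      | {0xE8, 0xFC, 0x06, 0x0E, 0x1E, 0x2E, 0x60, 0x9C, 0x8B, 0x89, 0x8C})


def decode_entry_jump(image: bytes):
    """Return the file offset the entry JMP lands on, or None if the image does
    not start with a jump. Arithmetic wraps inside the 64 KiB segment as the CPU's does."""
    if len(image) >= 3 and image[0] == 0xE9:              # JMP rel16
        rel = struct.unpack_from("<h", image, 1)[0]
        next_ip = COM_LOAD_OFFSET + 3
    elif len(image) >= 2 and image[0] == 0xEB:            # JMP rel8
        rel = struct.unpack_from("<b", image, 1)[0]
        next_ip = COM_LOAD_OFFSET + 2
    else:
        return None
    target_ip = (next_ip + rel) & 0xFFFF
    return target_ip - COM_LOAD_OFFSET                    # negative means it lands inside the PSP


def looks_like_code(chunk: bytes) -> bool:
    """Rough test that a region holds machine code rather than padding or text."""
    if len(chunk) < 4 or chunk[0] not in CODE_START_OPCODES:
        return False
    padding = sum(1 for b in chunk if b in PADDING_BYTES)
    return padding < len(chunk) / 2


def classify_com(image: bytes) -> str:
    """Verdicts: 'clean', 'suspicious', 'likely-infected'."""
    size = len(image)
    if size == 0:
        return "suspicious"            # an empty .com is not a program
    target = decode_entry_jump(image)
    if target is None:
        return "clean"                 # no entry jump: execution starts in place
    if target < 0 or target >= size:
        return "suspicious"            # jumps into the PSP or past end of file
    if target < int(size * TAIL_FRACTION):
        return "clean"                 # merely skips a data area near the start
    # The jump lands at the end of the file: fishy. Code there: a whopper.
    if looks_like_code(image[target:target + 16]):
        return "likely-infected"
    return "suspicious"


# Constructed sample images (not real programs or real malware).
CLEAN_COM = (
    b"\xEB\x0A"                          # jmp short +10: skip the string below
    b"HELLO DOS$"                        # 10 bytes of data
    b"\xB4\x09\xBA\x02\x01\xCD\x21\xC3"  # mov ah,9 / mov dx,0102h / int 21h / ret
)
HOST = CLEAN_COM + b"0123456789" * 18    # 200-byte host with a large data area
# Harmless stand-in for an appended body: int 21h date/print calls and a ret.
APPENDED = b"\xB4\x2A\xCD\x21\xB4\x09\xBA\x00\x01\xCD\x21\xC3\x50\x58\x90\xC3"
# Entry patched to "jmp near" offset 200 (0x103 + 197 = 0x1C8), body appended at the end.
INFECTED_COM = b"\xE9\xC5\x00" + HOST[3:] + APPENDED

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_COM), ("infected", INFECTED_COM)):
        print(name, len(img), "bytes -> jmp to", decode_entry_jump(img), classify_com(img))
```

The edge cases the post does not spell out are handled explicitly: a jump that wraps backwards into the PSP or lands past the end of the file is reported as suspicious rather than indexed out of range, and an image that starts with ordinary code (no jmp at all) is treated as clean. The fraction-of-file rule is a placeholder for the "data area versus end of file" judgement a human makes by eye; a real scanner would combine it with a code emulator, as the post says.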
