I understand your rant, and on some points I do agree that more could be done
to establish an open-source AV solution.
Sample collection -- there are already a lot of avenues to do this. Even AV
companies have formal agreements when it comes to sample collection.
Pattern matching vs. sandboxing (binary heuristic analysis) -- pattern matching
turned out to be more precise and (arguably) faster than doing binary heuristic
analysis. Otherwise, pattern matching would have gone the way of the dinosaur.
Cleaning an infection is also easier/faster if the exact strain is known/detected,
and this can only be achieved with a database of pattern files.
Having said that, I believe that there are still a lot of things that haven't been
tried or given much priority as far as AV technologies go. If there is going
to be a REAL and COMPREHENSIVE initiative to establish an open-source AV solution,
there are a lot of us from the inside who would gladly help out.
Personally, I believe that open-source solutions and commercial solutions to the
same problems will always have a place in this world.
-marlon
-----Original Message-----
From: Paolo [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 04, 2001 3:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [plug] Sophos pricing for Amavis-type applications (long)
[EMAIL PROTECTED] wrote:
>
> creating an excellent anti-virus scan engine is NOT really that difficult.
> creating a pattern file standard to work w/ that scan engine is also not
> that difficult.
> both the above requirements for a GPL'd anti-virus alternative are more
> than doable.
>
I agree.
BUT..........
#ifdef RANTMODE
> so what's the catch?
> you have to have an army of antivirus specialists who will take in
> samples, analyze them, create a test pattern for them, run the test
> pattern on all known OS and hardware combinations and finally publish
> the finished pattern.
>
There is no catch.
This is like using a Model T to run the Indy 500.
C'mon, string scanning has been used since the advent of computing. The
same thing can be done by creating a decent data file then feeding the
strings and the files to be scanned to grep, but then this should take
ages to execute.
Besides, this is just one way to do it. Even McAfee's "heuristics" does
the same thing!
Heuristic scanning is a way to analyze a file for viruses rather than
just blindly search for specific strings.
It should be similar to a human analyzing a file for infection.
Let's take the simplest infection vector, a DOS .com file, since
Linux/Unix has companion viruses, which are a little more tricky to
analyze.
Anyone with a little AV experience could look at a file's hex dump and
tell whether it's possibly infected or not, by reading the first few
bytes.
He first looks for a jump (jmp) command. If the code simply tries to
skip the data area and proceeds to the executable code area of the file,
then it's ok.
But if the code jumps to end of the file, something's fishy. In
addition, if there IS code at the supposed end of the file, then you
have a whopper.
Did the human have to memorize 60,000 patterns? No.
Did it take him long? No.
How many steps less is this than string scanning? It's more complex. You
need a code analyzer to begin with.
As I said in another post, McAfee's 'heuristics' is just a clone of Dr.
Solomon's. Their engine is so similar to Dr. Solomon's that it even
has the same undocumented switches. It doesn't count as a real heuristic
scanner. It still uses strings or patterns and this causes it to SLOW
DOWN when heuristics is enabled.
This caused their fiasco last May when their scanner said Sophos was
infected by Anna Kournikova. Even Norton suffered the same problem a
while back.
OBTW, you don't need an army of antivirus specialists for your samples.
Tap the VX scene on the web. The VX people are virus collectors and
traders. Through them, I learned that some AV companies are also getting
their samples from the VX scene as well. AVP is one of them. Anyone else
tried the Linux version?
> also you have to have another army of application programmers to create
> system programs that take advantage of your scan engine and pattern for
> a variety of platforms, and another army to support/maintain these
> programs.
>
The army of application programmers part is a given for open source
software.
Taking advantage of your scan engine and pattern is another matter.
Doing so will make your scanner/cleaner executable dependent on the
pattern file.
It should use a modular approach to its utilities and have a separate
scanner, code emulator, cleaner, etc.
TBAV was modular. McAfee and Dr. Solomon once used a modular approach
as well.
> once you have that, i believe there will arise an excellent free
anti-virus
> alternative.
> in the meantime, people pay for the services AV companies.
>
People pay for the _signature_ collection services of AV companies.
McAfee once had the capability for a user to add signatures in its
version 1.xx engines. That feature quickly disappeared.
When TBAV came out, it became the pariah of the AV industry because its
techniques made fun of everybody else's signature collection
departments.
The last data file was released in April of 2000, yet in its short five-year
(or so) life, it never had to hurry and create a new data file
for every new virus that came out. TBAV had to update its data file only
when a new type of virus or infection method appeared.
It was an amazing piece of work. The tbscan.def data file is all you
needed to download to scan and clean the latest critters.
Take note of its size. I stand corrected when I said it was 300 kb in
another post.
Welcome to the Norman BV Anonymous FTP Archive!
Up to higher level directory
.welcome 48 bytes Thu May 28 00:00:00 1998
README.TXT 177 bytes Mon Feb 08 00:00:00 1999 Plain Text
TBSCAN.DEF 180 Kb Wed Apr 26 00:27:00 2000
#endif RANTMODE
I'm just an amateur in the AV industry. You're the pro.
Enlighten me if I'm on the dark side of the force here.
--
Paolo
Infoweb Telecom (Global) Limited
POT: (852) 2388-1168/1053/1476 or 2625-1688 loc 127 FAX: (852) 2625-1501
7B CNT Tower, 338 Hennessy Road, Wanchai, Hong Kong, SAR, China 852
_
Philippine Linux Users Group. Web site and archives at
http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
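Paolo's entry-jump heuristic for DOS .com files, written out as an added illustration that is not part of either message in this thread and not the code of TBAV, McAfee or Dr. Solomon. It assumes the standard CS:0100h load address, treats a "data area" as a run of mostly printable/zero bytes, and uses constructed sample images only (including an inert fixture laid out the way an appending .com infector leaves a host: entry bytes saved at the tail, body appended, entry overwritten with a near jump). The thresholds and verdict names are illustrative choices, not anything from a real scanner.

```python
"""Toy entry-jump heuristic for DOS .com images (added example, not from the thread).

Assumptions: a .com image loads at CS:0100h; a clean program that starts with a
jmp is skipping a data area; an appending infector patches the first bytes with a
jump to code it placed past the original end of the host. Thresholds are illustrative.
"""
import struct

COM_LOAD_OFFSET = 0x100  # DOS loads a .com image at CS:0100h and starts executing there

# Bytes we accept as "data area" content: printable ASCII, whitespace, NUL, ^Z.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D, 0x1A}


def decode_entry_jump(image):
    """If the image starts with a jmp, return (target_file_offset, jmp_length), else None.

    Handles jmp near (E9 rel16) and jmp short (EB rel8); both displacements are
    relative to the address of the instruction that follows the jump.
    """
    if len(image) >= 3 and image[0] == 0xE9:
        rel, length = struct.unpack_from("<h", image, 1)[0], 3
    elif len(image) >= 2 and image[0] == 0xEB:
        rel, length = struct.unpack_from("<b", image, 1)[0], 2
    else:
        return None
    target_ip = (COM_LOAD_OFFSET + length + rel) & 0xFFFF  # 16-bit IP wraps around
    return target_ip - COM_LOAD_OFFSET, length


def is_data_like(chunk, threshold=0.9):
    """True when the chunk is mostly text/zero bytes, i.e. what a data area looks like."""
    if not chunk:
        return False
    return sum(b in TEXT_BYTES for b in chunk) / len(chunk) >= threshold


def looks_like_code(chunk):
    """Cheap proxy for 'there is code here': non-empty, not uniform padding, not data-like."""
    return bool(chunk) and len(set(chunk)) > 1 and not is_data_like(chunk)


def assess_com(image):
    """Apply the entry-jump heuristic. Returns (verdict, jump_target_file_offset or None)."""
    jump = decode_entry_jump(image)
    if jump is None:
        return "no-entry-jump", None          # heuristic does not apply
    target, length = jump
    if target < 0 or target >= len(image):
        return "jump-outside-image", target   # malformed, or jumps into the PSP / past EOF
    if is_data_like(image[length:target]):
        return "clean", target                # jump merely skips a data area
    if looks_like_code(image[target:]):
        return "likely-infected", target      # jumps over code to more code at the tail
    return "suspicious", target               # jumps over code, but the tail is padding


# --- constructed sample images (not real files) -------------------------------
# Clean host: jmp short over a 16-byte message, then mov ah,9 / mov dx,0102h / int 21h / ret.
CLEAN_HOST = (bytes([0xEB, 0x10])
              + b"Hello, world!$\x00\x00"
              + bytes([0xB4, 0x09, 0xBA, 0x02, 0x01, 0xCD, 0x21, 0xC3]))


def simulate_appending_infection(host, body):
    """Build the file layout an appending .com infector leaves behind (inert fixture).

    The original entry bytes are kept at the very end, the body is appended after
    the host, and the entry is overwritten with jmp near to the start of the body.
    """
    saved_entry = host[:3]
    rel = len(host) - 3                        # from the IP after the 3-byte jump to the tail
    patched = bytes([0xE9]) + struct.pack("<H", rel & 0xFFFF) + host[3:]
    return patched + body + saved_entry


# Inert filler standing in for an appended body (mov ax,4C00h / int 21h / ret).
INERT_BODY = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21, 0xC3])
INFECTED_HOST = simulate_appending_infection(CLEAN_HOST, INERT_BODY)

# Jump over code to a tail that is only zero padding: fishy, but nothing to run there.
PADDED_TAIL = bytes([0xE9, 0x05, 0x00]) + bytes([0xB4, 0x09, 0xCD, 0x21, 0xC3]) + b"\x00" * 16

# No entry jump at all: the heuristic says nothing about it.
NO_JUMP = bytes([0xB4, 0x09, 0xBA, 0x02, 0x01, 0xCD, 0x21, 0xC3])

# Near jump far past the end of a 3-byte file.
OUTSIDE = bytes([0xE9, 0xFF, 0x7F])

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_HOST), ("infected", INFECTED_HOST),
                      ("padded-tail", PADDED_TAIL), ("no-jump", NO_JUMP), ("outside", OUTSIDE)]:
        verdict, target = assess_com(img)
        print(f"{name:12s} len={len(img):3d} verdict={verdict:19s} target={target}")
```

The only "code analyzer" here is a two-opcode decoder, which is enough to show the shape of the argument: a clean program jumps over text into code, an appended body sits past the original end of the host with the entry jump pointing at it. A real heuristic scanner has to follow the jump with an emulator, since a body that starts with a second jump, or one written into a region that looks like text, defeats the byte-ratio proxy used above.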