Jay Woody wrote:
> 
> I am not trying to be weird here, but all any scanner can do is check to see if the
> known things about the virus are true.  I want to know if a backdoor is there.  I
> don't care if it was Nimda or CDII that put it there or even if it was something else.

Yeah, you're getting a little weird here.  Or at least I completely failed to
get my point across .. ;-)

Err, for example, the sadmind worm is well known enough to be one of many
hints for eEye to know that the mere existence of a cmd.exe backdoor is not
proof for CodeRed.  It is suspicious, obviously, but if there is no way to
conclusively identify a CR2 infection, no scanners should loudly proclaim that
a box is identified with CR2 and instead detail what exactly it found that was
bad and hint at the potential causes if they desire to do so.  No matter if
they're free or not.  Particularly if they receive the publicity eEye's tool
received.

Case in point, eEye's public scanner release said "Code Red 2 detected
(backdoor found!)" or something to that effect.

[..]
> There is no way to keep a FREE scanner up-to-date and EXACTLY right for all
> instances.

I never said that it should be.

> I would MUCH rather have 2 false positives than 2 false negatives.  The scanner
> basically says, "either the worm has hit you or a moron set up your box and did X".

Not really, it says it found CodeRed2 when all it found was the backdoor which
could be a variety of things.

I'm asking for accurate reporting.  Not miracles.  And I'm certainly not
interested in bashing eEye, I'm trying to provide constructive criticism as to
what sort of things are not helpful. 

Cheers,
Chris
