- Path: sparky!uunet!spool.mu.edu!yale.edu!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Newsgroups: comp.virus
- Subject: Re: Filler virus (PC)
- Message-ID: <0010.9212151931.AA10887@barnabas.cert.org>
- Date: 11 Dec 92 17:44:46 GMT
- Sender: virus-l@lehigh.edu
- Lines: 85
- Approved: news@netnews.cc.lehigh.edu
-
- mcafee@netcom.com (McAfee Associates) writes:
-
- > Considering that the other anti-viral program appeared several years
- > after VIRUSCAN was released, I think it is fair to say that SCAN does
- > not contain a "shoddy scan string,"
-
- I disagree. It absolutely doesn't matter when the anti-virus program
- was released. What does matter is (1) when the program was updated
- to detect this virus, (2) when the virus appeared, and (3) whether
- there are any other possible scan strings for that virus.
-
- If a virus like Cascade appears tomorrow, and if it uses variable
- encryption, so that the only possible scan string is the (short)
- decryptor in the beginning, guess what will both McAfee Associates and
- any other anti-virus company pick as a scan string...
-
- > rather, (1) the other program was
- > not adequately tested against existing anti-viral programs for
- > compatibility problems before release; (2) the other program does not
- > cipher its virus search strings, opening the possibility of false alarms
- > with other anti-viral programs which use the same search strings, and
-
- Now, -that- is definitely fair to say. Any scanner-like anti-virus
- program that doesn't do the above (and that doesn't clean up the
- memory after itself upon termination) is plain silly.
-
- > (3) this problem is not adequately documented in the other programs'
- > documentation.
-
- Well, in this particular case, it is documented... :-) They just tell
- you in the docs that their program is incompatible with any other
- anti-virus software... :-))
-
- > In one of my chats with the other programs' technical support staff, I
- > was told that the problem should be fixed in the new version of their
- > software. Hopefully, this problem will disappear as users upgrade to
- > the current version of the program.
-
- [rumors mode ON]
-
- Allegedly, a version of the product mentioned will be included in
- MS-DOS 6.0. Allegedly, this particular problem has been already fixed
- in that particular version.
-
- [rumors mode OFF]
-
- > When a new anti-viral program is brought to market, who should be
- > responsible for compatibility-testing it to ensure that no false
- > alarms exist with existing programs? And to what extent should
- > testing be done? And who should be responsible for fixing any
- > incompatibilities? Comments, anyone? <G>
-
- That's a really good idea... As Dr. Solomon says, it's very easy to
- create the perfect virus detector. It will achieve 100% detection rate
- when tested with -any- virus collection. It can be just a short .BAT
- file. Here it is:
-
- echo %1 is a virus.
-
- (or something similar, to include the boot sectors testing, but you
- get the idea).
-
- Unfortunately, such a program has no practical use, since it gives an
- infinite number of false positives. The tough problem is to create a
- scanner that still has a good enough detection rate, but has no false
- positives...
-
- Unfortunately, there is no simple way to test a scanner for false
- positives... False negatives are easy - you just get a huge virus
- collection and count how many viruses the scanner -doesn't- detect...
- I really don't know how a reliable false positive test should be
- performed... One idea is to get all the MS-DOS software from Simtel20
- (it is available on CD-ROM), unpack it and run the scanners on all the
- executable files. Another idea is to run each scanner on a wide range
- of other anti-virus programs, maybe even including itself. At the
- VTC-Hamburg we are working on a test protocol about how anti-virus
- tests should be performed, so any ideas are welcome.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
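Added example (editor's illustration; not part of Bontchev's post and not the code of any real scanner): a toy model of the two points argued in the post above. A scanner that embeds its scan strings in clear text in its own executable is itself "detected" by any other scanner that uses the same strings; storing the strings ciphered, deciphering only at scan time and wiping the deciphered copy avoids that. The block also runs the false-positive test Bontchev proposes, scanning files known to be clean, other anti-virus programs included. Every byte string, file name and "virus" name below is constructed for the example; none is a real virus signature or a real product.

```python
# Added example, not from the original post or any real product.
# Toy model of: (1) why clear-text scan strings inside a scanner's own
# executable trigger other scanners, (2) ciphering the stored strings and
# wiping the deciphered copy, (3) a false-positive test over clean files.
# All byte strings are constructed; none is a real virus signature.

from typing import Dict, List

# Constructed, hypothetical scan strings. Think of each as the short
# decryptor loop that a variably-encrypting virus must leave in clear.
SIGNATURES: Dict[str, bytes] = {
    "Example-A": bytes.fromhex("b91000be000180345a46e2fa"),
    "Example-B": bytes.fromhex("e800005e81ee030183c603b9"),
}

XOR_KEY = 0x5A  # any fixed, reversible transform will do; the stored
                # bytes just must not equal the clear scan string


def cipher(data: bytes) -> bytes:
    """XOR is its own inverse, so this both ciphers and deciphers."""
    return bytes(b ^ XOR_KEY for b in data)


# The table a "ciphering" scanner actually keeps on disk.
CIPHERED_TABLE: Dict[str, bytes] = {n: cipher(s) for n, s in SIGNATURES.items()}


def scan(image: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Plain scan-string search over a file image: names of all strings found.
    Stands in for "any other scanner that happens to use the same strings"."""
    return [name for name, sig in sigs.items() if sig in image]


def naive_scanner_image() -> bytes:
    """Executable of a scanner that embeds its signature table verbatim."""
    return b"NAIVESCAN stub code (constructed) " + b"".join(SIGNATURES.values())


def ciphered_scanner_image() -> bytes:
    """Executable of a scanner that stores every scan string ciphered."""
    return b"SAFESCAN stub code (constructed) " + b"".join(CIPHERED_TABLE.values())


def scan_with_ciphered_table(image: bytes, table: Dict[str, bytes]) -> List[str]:
    """What the ciphering scanner does at run time: decipher one string into
    a mutable buffer, search with it, then overwrite the buffer so no clear
    scan string is left in memory for a scanner run afterwards to find."""
    hits: List[str] = []
    for name, stored in table.items():
        plain = bytearray(b ^ XOR_KEY for b in stored)  # clear text only here
        if image.find(plain) != -1:
            hits.append(name)
        plain[:] = bytes(len(plain))                    # wipe before moving on
    return hits


def false_positive_test(clean_corpus: Dict[str, bytes],
                        sigs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the scan strings over files known to be clean and report every
    alarm. An empty result is what a release should look like."""
    alarms: Dict[str, List[str]] = {}
    for fname, image in clean_corpus.items():
        found = scan(image, sigs)
        if found:
            alarms[fname] = found
    return alarms


# Constructed "clean" corpus: both scanners plus an unrelated program.
CLEAN_CORPUS: Dict[str, bytes] = {
    "NAIVESCAN.EXE": naive_scanner_image(),
    "SAFESCAN.EXE": ciphered_scanner_image(),
    "EDITOR.EXE": b"constructed clean program bytes " * 4,
}

# Constructed infected sample: a host with Example-A's decryptor appended.
INFECTED_SAMPLE = b"constructed host program " + SIGNATURES["Example-A"] + b" trailer"


if __name__ == "__main__":
    print("false alarms on clean corpus:",
          false_positive_test(CLEAN_CORPUS, SIGNATURES))
    print("ciphering scanner on infected sample:",
          scan_with_ciphered_table(INFECTED_SAMPLE, CIPHERED_TABLE))
```

Running it reports the naive scanner's own executable as "infected" with both example strings while the ciphering scanner's executable and the editor stay silent; the ciphering scanner still finds the appended decryptor in the infected sample. The single-byte XOR is only a stand-in for "the stored bytes differ from the scan string"; any reversible transform serves, and in a real scanner the buffer wipe is the part that needs care, since a high-level language may leave copies the code never sees.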
-