funsec mailing list archives

Re: another VX site?

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Jan 2006 10:41:56 +1300

Drsolly to me:

Of course, whether an AV product _need_ detect, or need deetct _and 
inform the user_, of the precise variant when, despite the malwares' 
program logic and/or expression differences, their _effective 
behaviour_ is the same, is another question.  AV uber-purists have 
(mostly) always aimed for "exact identification" whereas others have 
tended to go for "if the functionality is about the same such that 
disinfection is the same we need not be too fussy about identifying 
precise variants" and a few have always been so sloppy that it matters 
not what they call something as half its detects are guaranteed to be 
entirely unrelated and some/many not even malware (for example, some AV 
-- I forget which offhand -- has a generic "unwanted file" or similar 
detection for _any file_ it does not have more precise identification 
of that is packed with FSG).


Internally, though, if the product is going to do repair, then exact 
identification is extremely important. I agree, you don't need to tell the 
user that it's jerusalem.h or jerusalem.m if those have the same payload, 
but there's not big downside in displaying that info.


Some would still argue (and have implemented their products thus) that 
that level of detection is not always necessary, _even when you are 
doing repair/disinfection_.  For parasitic malware it is understandable 
that you should need as precise detection as possible, but with so much 
of today's malware being either non-replicative (Trojan, adware, 
spyware, "hacking tool", etc, etc) or monolithic replicators, where the 
"repair" is "delete the file and its associated registry entries", some 
have become fairly keen on "close enough is good enough" for their 
detection capabilities (dressed up for marketing under fancy-sounding 
names like "generic detection", "advanced heuristics" and so on...).

Just called my sisters wife, ...


It's not germane to this conversation, but I was not aware lesbian 
marriage was possible/legal anywhere in the US...


Maybe they got married in the UK, where we now have same-sex "Civil
union", which is (loosely) called "marriage".



Or here -- NZ has had such civil unions for about a year (??) now...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Re: another VX site?, (continued)
- - - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? Nick FitzGerald (Jan 07)
    - Viruseseseseses Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 08)
    - Re: Viruseseseseses TheGesus (Jan 08)
    - Re: Viruseseseseses Drsolly (Jan 08)
    - Re: Viruseseseseses Valdis . Kletnieks (Jan 08)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 07)
    - Re: another VX site? Nick FitzGerald (Jan 07)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 07)
    - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? Nick FitzGerald (Jan 08)
    - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? Nick FitzGerald (Jan 08)
    - Re: another VX site? Drsolly (Jan 09)
    - Re: another VX site? Valdis . Kletnieks (Jan 09)
    - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 08)
    - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 08)
    - Re: another VX site? Drsolly (Jan 08)
    - Re: another VX site? dudevanwinkle () gmail com (Jan 08)

(Thread continues...)