funsec mailing list archives

RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again

From: Drsolly <drsollyp () drsolly com>
Date: Sat, 22 Dec 2007 00:20:46 +0000 (GMT)

On Fri, 21 Dec 2007, Alex Eckelberry wrote:

This will be an ongoing problem for several reasons:
 
1. The sheer volume of malware -- most vendors are dealing with 10,000
to 15,000 samples daily.   That many samples, that much work, mistakes
are bound to happen. 
 
2. The types of malware.  There's lots of malware out there that is
"normal" software, in that they use 3rd party libraries, Installshield,
etc. (unlike, for example, the delicately coded file-infecting viruses
of past infamy).  This can confuse researchers who are building
definitions.
 
Massive whitelisting is a pretty critical part of all this.  But there
are other things that need to be done as well.  
 
I think something that's surprising a lot of vendors is the amount of
staffing, hardware and other resources required these days to be a
successful antimalware company.  It is certainly not like the old days.


They shouldn't be surprised. I told them this would happen in a conference 
in 1990 or thereabouts.

Massive automation of the database creation would help. But I still can't 
see any answer other than, "User is not able to install *any* software".

Like grannyx

Alex
 

________________________________

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Kitsune
Sent: Friday, December 21, 2007 10:33 AM
To: funsec () linuxbox org
Subject: shit happens, et tu, AVG? was Re: [funsec] Kaspersky strikes
again


AVG did something similar a few days ago, but not windows core, at
least.
 
On 12/13/2007, AVG (free v7.5.516) detected a file in MS VS 2003 as
PSW.Ldpinch.RXL.
 
c:\%programfiles%\Microsoft Visual Studio .NET 2003\Vc7\bin\rc.exe
(resource compiler).
 
c:\%programfiles%\Microsoft Visual Studio .NET
2003\Common7\Tools\bin\rc.exe (resource compiler).
 
They fixed the def's on the next update, but never meantioned it, other
than other poor souls complaining on the forums. Luckly for most that
auto-empty is not the default.

      ----- Original Message ----- 
      From: Richard M. Smith <mailto:rms () computerbytesman com>  
      To: funsec () linuxbox org 
      Sent: Friday, December 21, 2007 6:11 AM
      Subject: [funsec] Kaspersky strikes again

      Kaspersky false alarm quarantines Windows Explorer
      Accidents will happen
       
      By John Leyden
<blocked::http://forms.theregister.co.uk/mail_author/?story_url=/2007/12
/20/kaspersky_false_alarm/>  
      20 Dec 2007 17:00
      
http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/
<http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/> 

      A faulty signature update from Kaspersky Lab on Wednesday
flagged up Windows Explorer (explorer.exe) as infected with a low-risk
virus, Huhk-C. As a result the core Windows component was quarantined or
worse.

      Kaspersky released a revised update alongside advice on how to
recover legitimate system and application files from quarantine (the
default setting) within two hours. But that's not much consolation for
users that had set their software to auto-delete infected files, who
found themselves with hosed systems.

      Among those affected was Reg reader Carl. "A false positive
caused the deletion of explorer.exe.," he reports. "It would have only
caused problems for companies performing their network scan during the
hours that the dodgy update was present - which included me,
unfortunately. I was working out of hours to fix the previous Kaspersky
update problem. I finally finished sorting it all at 5am.".

      ...

      
________________________________


      

      _______________________________________________
      Fun and Misc security discussion for OT posts.
      https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
      Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Re: Kaspersky strikes again, (continued)
- - - Re: Kaspersky strikes again coderman (Dec 21)
    - Re: Kaspersky strikes again silky (Dec 21)
    - Re: Kaspersky strikes again Drsolly (Dec 22)
    - Re: Kaspersky strikes again silky (Dec 22)
    - RE: Kaspersky strikes again Alex Eckelberry (Dec 21)
    - RE: Kaspersky strikes again Peter Kosinar (Dec 21)
- RE: Kaspersky strikes again Young, Keith (Dec 21)
  - RE: Kaspersky strikes again Hubbard, Dan (Dec 21)
- shit happens, et tu, AVG? was Re: Kaspersky strikes again Kitsune (Dec 21)
  - RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again Alex Eckelberry (Dec 21)
    - RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again Drsolly (Dec 21)
    - Re: shit happens, et tu, AVG? was Re: Kaspersky strikes again Valdis . Kletnieks (Dec 21)
    - RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again David Harley (Dec 22)
    - RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again Drsolly (Dec 22)
    - RE: shit happens, et tu, AVG? was Re: Kaspersky strikes again David Harley (Dec 23)
    - Re: shit happens, et tu, AVG? was Re: Kaspersky strikes again Dude VanWinkle (Dec 22)
  - RE: [stuff] happens, et tu, AVG? was Re: Kaspersky strikes again Young, Keith (Dec 21)
- RE: Kaspersky strikes again Daniel H. Renner (Dec 21)
- RE: Kaspersky strikes again Thomas Raef (Dec 23)
  - RE: Kaspersky strikes again Larry Seltzer (Dec 23)
    - RE: Kaspersky strikes again Alex Eckelberry (Dec 23)

(Thread continues...)