funsec mailing list archives
RE: Kaspersky strikes again
From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Fri, 21 Dec 2007 21:30:19 -0500
Larry is right to some degree. You can get away with being more sloppy on the gateway than on the client system. So a user doesn't get an email because of an FP -- that's not good, but it's not the same as blowing your entire desktop. Furthermore, you can always pull the email out of quarantine. Same goes for web surfing. As an example, WebWasher has a reputation in industry circles for high FPs, but consistently scores as a top gateway scanner (it is only a gateway scanner, not a client product): Example: http://winnow.oitc.com/AntiVirusPerformance.html

That being said, Dr. Solly is right. The sheer volume puts an enormous strain on the system. A month of seasoning would be wonderful to reduce FPs. But that's occurring anyway; the beta testers are the users. Just download some of the more popular antispyware apps these days and see what "trojans" are found on your system (which sure helps them with their sales... but that's another discussion).

Alex

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Friday, December 21, 2007 6:36 PM
To: Drsolly
Cc: funsec () linuxbox org
Subject: RE: [funsec] Kaspersky strikes again

Even so, there would be so much less testing to do, wouldn't there? After all, on an appliance users can't just arbitrarily install applications (not and expect support).

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

-----Original Message-----
From: Drsolly [mailto:drsollyp () drsolly com]
Sent: Friday, December 21, 2007 6:29 PM
To: Larry Seltzer
Cc: funsec () linuxbox org; Richard M. Smith
Subject: RE: [funsec] Kaspersky strikes again

On Fri, 21 Dec 2007, Larry Seltzer wrote:
Damn, I'm going to get a good column out of this. Doc: What about gateway appliances? Is a signature system more reasonable when you have a limited number of closed platforms?
You've misunderstood my concern. If you update your sigs hourly, then you have less than an hour to do all the testing. It doesn't matter how many computers are running the new version; they're all running something that has had less than an hour of testing, and I don't really want to run something that has been tested for less than an hour, on my systems. A month would probably be enough. A day would probably not be enough. Flagging "Explorer.exe" puts me in mind of when Fredrik issued a sig that false-alarmed on Command.com in the Virus Bulletin publication. We called that "The mother of all false alarms".
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

-----Original Message-----
From: Drsolly [mailto:drsollyp () drsolly com]
Sent: Friday, December 21, 2007 5:52 PM
To: Larry Seltzer
Cc: Richard M. Smith; funsec () linuxbox org
Subject: RE: [funsec] Kaspersky strikes again

That's one of the big reasons why it isn't possible to write a signature-based antivirus these days. You're caught in the nutcracker of 1) need to update frequently and 2) need to test adequately. I don't see how it's possible to do daily updates, let alone hourly. Even weekly updates sound too difficult.

On Fri, 21 Dec 2007, Larry Seltzer wrote:

I remember years ago writing about the speed of updates necessary now for a/v vendors, and how Kaspersky talked about how they do it hourly. It basically makes it impossible to do meaningful tests.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

________________________________
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Friday, December 21, 2007 9:11 AM
To: funsec () linuxbox org
Subject: [funsec] Kaspersky strikes again

Kaspersky false alarm quarantines Windows Explorer
Accidents will happen
By John Leyden
20 Dec 2007 17:00
http://www.channelregister.co.uk/2007/12/20/kaspersky_false_alarm/

A faulty signature update from Kaspersky Lab on Wednesday flagged up Windows Explorer (explorer.exe) as infected with a low-risk virus, Huhk-C. As a result the core Windows component was quarantined or worse. Kaspersky released a revised update alongside advice on how to recover legitimate system and application files from quarantine (the default setting) within two hours. But that's not much consolation for users that had set their software to auto-delete infected files, who found themselves with hosed systems.

Among those affected was Reg reader Carl. "A false positive caused the deletion of explorer.exe," he reports. "It would have only caused problems for companies performing their network scan during the hours that the dodgy update was present - which included me, unfortunately. I was working out of hours to fix the previous Kaspersky update problem. I finally finished sorting it all at 5am."

...
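The two practical points running through this thread, checking a candidate signature against known-clean files before it ships and keeping quarantine reversible so a bad update can be undone rather than deleting system files, as an added Python example that is not from the list or from any vendor's product; the file contents, signature patterns and paths are constructed stand-ins.

```python
"""Two defender-side checks drawn from the thread: a release gate that rejects
candidate signatures hitting a known-clean corpus, and a reversible quarantine
so a bad update can be undone instead of deleting system files."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte substring the toy scanner looks for

# Constructed stand-ins for files a vendor keeps in its clean corpus.
CLEAN_CORPUS = {
    "explorer.exe": b"MZ\x90\x00 windows shell stub PE",
    "command.com": b"MZ\x90\x00 dos command interpreter stub",
}

def scan(files, signatures):
    """Map filename -> names of signatures whose pattern occurs in the file."""
    hits = {}
    for fname, data in files.items():
        matched = [s.name for s in signatures if s.pattern in data]
        if matched:
            hits[fname] = matched
    return hits

def fp_gate(candidate, clean_corpus):
    """Split a candidate signature set into (approved, rejected): any signature
    that fires on a clean-corpus file is held back before release."""
    bad = {n for names in scan(clean_corpus, candidate).values() for n in names}
    return [s for s in candidate if s.name not in bad], sorted(bad)

class Quarantine:
    """Reversible store: detections are moved here (keyed by SHA-256), not deleted."""
    def __init__(self):
        self.items = {}
    def isolate(self, path, data, sig_name):
        digest = hashlib.sha256(data).hexdigest()
        self.items[digest] = (path, data, sig_name)
        return digest
    def restore(self, digest):
        path, data, _ = self.items.pop(digest)
        return path, data
    def rollback(self, sig_name):
        """Undo every detection made by one withdrawn signature."""
        digests = [d for d, (_, _, s) in self.items.items() if s == sig_name]
        return [self.restore(d) for d in digests]
```

The gate catches the explorer.exe case only if the clean corpus actually contains the shipped OS binaries, which is why the corpus (and the time to run it) is the real cost of hourly updates.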
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.