Information Security News mailing list archives

Re: eEye Enters Antivirus Business with Blink Suite


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Jan 2007 01:12:00 -0600 (CST)

Forwarded from: Simson Garfinkel <simsong (at) acm.org>

http://www.betanews.com/article/eEye_Enters_Antivirus_Business_with_Blink_Suite/1170087333
...

Rather than scan everything all the time, however, the new Blink will 
scan newly discovered executables, and may perhaps rescan them if, for 
instance, their patterns or file size appears to have changed. But if 
it's the same executable, by default, Blink will only scan it once.

Presumably the Blink anti-virus technology is only performing this kind 
of in-depth scan using a virtual machine because the scan is slow. 
However, the potential virus writer has many options for avoiding this 
technology. For example, the "virus" (really a trojan) could simply 
perform its malicious activity only if it receives user input (which it 
is unlikely to receive in a virtual machine, but likely to receive if it 
pops up a window.) Or the virus could simply check to see if it is 
running in a virtual machine using technology that is now readily 
available.

Back in the early 1990s anti-virus software used this approach of trying 
to watch the behavior of a virus. They gave up on it in favor of the 
current signature-based approach because it was prone to false positives 
and because it didn't catch many known viruses.

Of course, it's theoretically impossible to look at a program and figure out
what it's going to do. Even running the program in a virtual machine won't tell
you what it's going to do once you run it in the wild.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
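The article's "scan once, rescan if the size appears to have changed" policy has a concrete weak spot that the discussion above only hints at: an attacker who patches an already-trusted executable in place, keeping its length constant, never triggers a rescan. The following is an added illustration, not code from the article, from eEye, or from the poster. It models the two caching policies in plain Python with a constructed sample file and a hypothetical four-byte "signature"; the path string and the pattern are assumptions made up for the example.

```python
import hashlib

# Constructed stand-in for an AV signature; a real engine would match far more
# than a literal substring. Hypothetical, not an eEye Blink signature.
MALICIOUS_PATTERN = b"EVIL"


def scan(data: bytes) -> bool:
    """Stand-in for the slow, in-depth scan: True if the sample looks malicious."""
    return MALICIOUS_PATTERN in data


class SizeKeyedCache:
    """Scan-once cache that trusts a prior verdict as long as the file size is
    unchanged (the weaker policy the article describes)."""

    def __init__(self):
        self.seen = {}   # path -> (size, verdict)
        self.scans = 0   # how many expensive scans actually ran

    def check(self, path: str, data: bytes) -> bool:
        entry = self.seen.get(path)
        if entry is not None and entry[0] == len(data):
            return entry[1]          # cache hit: same path, same size, no rescan
        verdict = scan(data)
        self.scans += 1
        self.seen[path] = (len(data), verdict)
        return verdict


class HashKeyedCache:
    """Scan-once cache keyed on the content digest: any byte change yields a new
    key and therefore a fresh scan, regardless of path or size."""

    def __init__(self):
        self.seen = {}   # sha256 hex digest -> verdict
        self.scans = 0

    def check(self, path: str, data: bytes) -> bool:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen:
            return self.seen[digest]  # identical content already scanned
        verdict = scan(data)
        self.scans += 1
        self.seen[digest] = verdict
        return verdict


def build_samples():
    """Constructed 32-byte 'executable' and a same-length patched copy."""
    benign = b"MZ\x90\x00" + b"hello world" + b"\x00" * 17
    patched = bytearray(benign)
    patched[4:8] = MALICIOUS_PATTERN   # overwrite 4 bytes in place, length unchanged
    return benign, bytes(patched)


def run_demo() -> dict:
    """Feed the benign file, then the in-place patched file, to both caches."""
    benign, patched = build_samples()
    path = r"C:\Program Files\app\tool.exe"   # hypothetical path
    size_cache, hash_cache = SizeKeyedCache(), HashKeyedCache()
    return {
        "same_length": len(benign) == len(patched),
        "size_first": size_cache.check(path, benign),
        "size_after_patch": size_cache.check(path, patched),  # stale verdict
        "size_scans": size_cache.scans,                       # only one scan ran
        "hash_first": hash_cache.check(path, benign),
        "hash_after_patch": hash_cache.check(path, patched),  # rescanned, caught
        "hash_scans": hash_cache.scans,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The size-keyed cache returns the cached "clean" verdict for the patched file and never runs the scan again; the digest-keyed cache rescans because the content no longer matches anything it has seen. Keying on a content hash closes only this particular gap: it does nothing about the evasions raised above, where the executable is genuinely unchanged but behaves differently outside the analysis virtual machine.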