Information Security News mailing list archives
Re: eEye Enters Antivirus Business with Blink Suite
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Jan 2007 01:12:00 -0600 (CST)
Forwarded from: Simson Garfinkel <simsong (at) acm.org>
http://www.betanews.com/article/eEye_Enters_Antivirus_Business_with_Blink_Suite/1170087333

... Rather than scan everything all the time, however, the new Blink will scan newly discovered executables, and may perhaps rescan them if, for instance, their patterns or file size appears to have changed. But if it's the same executable, by default, Blink will only scan it once.
Presumably the Blink anti-virus technology is only performing this kind of in-depth scan using a virtual machine because the scan is slow. However, the potential virus writer has many options for avoiding this technology. For example, the "virus" (really a trojan) could simply perform its malicious activity only if it receives user input (which it is unlikely to receive in a virtual machine, but likely to receive if it pops up a window). Or the virus could simply check to see if it is running in a virtual machine using technology that is now readily available.

Back in the early 1990s anti-virus software used this approach of trying to watch the behavior of a virus. They gave up on it in favor of the current signature-based approach because it was prone to false positives and because it didn't catch many known viruses.

Of course, it's theoretically impossible to look at a program and figure out what it's going to do. Even running the program in a virtual machine won't tell you what it's going to do once you run it in the wild.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
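As an added illustration of the "scan it once" policy quoted in the article (example code written for this archive page, not code from eEye, the article or the poster): a toy scan cache that decides whether a file is still "the same executable" either by file size or by content hash, with the expensive in-depth scan replaced by a constructed placeholder. Keying on size alone lets a same-size replacement inherit the earlier verdict; keying on a content hash forces the rescan.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ScanRecord:
    size: int
    sha256: str
    verdict: str


class ScanOnceCache:
    """Scan each executable once; `key` decides what counts as 'unchanged'."""

    def __init__(self, key="sha256"):
        assert key in ("size", "sha256")
        self.key = key
        self.records = {}  # path -> ScanRecord of the last scan
        self.scans = 0     # how many in-depth scans were actually run

    def _deep_scan(self, data):
        # Placeholder for the slow in-depth (sandbox) scan: the constructed
        # marker b"EVIL" stands in for malicious behaviour.
        self.scans += 1
        return "suspicious" if b"EVIL" in data else "clean"

    def check(self, path, data):
        """Return (verdict, rescanned) for the bytes now found at `path`."""
        digest = hashlib.sha256(data).hexdigest()
        rec = self.records.get(path)
        if rec is not None:
            if self.key == "size":
                unchanged = rec.size == len(data)
            else:
                unchanged = rec.sha256 == digest
            if unchanged:
                return rec.verdict, False  # cached verdict, no rescan
        verdict = self._deep_scan(data)
        self.records[path] = ScanRecord(len(data), digest, verdict)
        return verdict, True


def demo(key):
    """Scan a constructed 16-byte file, then a same-size replacement of it."""
    cache = ScanOnceCache(key)
    original = b"MZ" + b"\x00" * 14            # constructed benign sample
    swapped = b"MZ" + b"EVIL" + b"\x00" * 10   # same size, different content
    first = cache.check("C:/app/tool.exe", original)
    second = cache.check("C:/app/tool.exe", swapped)
    return first, second
```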