Virus Guy wrote in
news:m2mrsa$bf7$1@speranza.aioe.org:
> Dustin wrote:
>
>> > And we have more! This one's hot-off-the-press (as of 3 hours
>> > ago):
>>
>> And it means absolutely nothing. That's the thing you don't seem
>> to comprehend.
>
> So what you're saying is that for the 10 AV programs that *can*
> detect those files as viral - it means nothing.
They aren't viral. Please use the proper terminology. I *know* you
already understand the differences so I won't bore you with the
specifics again. It's not my intention to talk down to you or come
across that way.
> The work they do so that they can perform the detection almost
> immediately as those files get into circulation - according to you
> it means nothing. It has no value. They do it for no reason.
That isn't what I wrote to you, Virus Guy. Please do not attempt to
twist exactly what I wrote to mean anything other than exactly what I
wrote. Reminder:
This is what I wrote in response to your entire thread in general and
the previous ones.
> And we have more! This one's hot-off-the-press (as of 3 hours
> ago):
And it means absolutely nothing. That's the thing you don't seem to
comprehend.
I am glad ten products are picking something up, and Kaspersky
impressed me with what appears to be an actual signature hit; i.e.,
it's not 0day malware to them, although it was to you.
I didn't say the work anybody did meant nothing, I said your
complaints in general mean nothing. The ones like this one, for
example. You complain that a few detect such and such trojan you got
via email. You expect all of them or nearly all of them to nail it as
soon as you submit it, but the reality is, the technology doesn't
actually work that way.
We can get into specifics of detection technologies and their
respective limitations/consequences when deployed if you really want
to bother, but the statement I made isn't going to change. It was
directly in reference to YOUR posts, not the tireless/thankless work
of the researchers.
> Because according to you, the general population of windoze
> computer users don't need to be able to detect those files as
> malware.
Not according to me. See above.
> They magically don't need protection from their own
> stupidity in case they click on them, because for some reason they
> don't click on them, and therefore according to you - AV software
> doesn't have to detect these files in "real time".
I said nothing of the sort. It's not realistically feasible that AV
software or AM software is going to detect all threats the second
they see it the first time. It's not even logical.
> And btw Dustin, did you download those files so you can take them
> apart and submit the actual droppers to VT?
The actual droppers? Umm.. bro, the files I pulled from your url are
themselves the dropper. They 'install' the real malware for
you. I took the actual malware apart too. [g] Unlike yourself, I
*don't* have to submit a suspicious file to virustotal. I'm capable
of taking a peek for myself.
I have shared my findings with others in the AV/AM industries,
though; I'm not stingy. I suppose I could have sent it to virustotal
as well; but I already have those contacts, so there was no real
point. Besides, virustotal wouldn't have passed it to everyone on my
research list. Better I do that myself in this case.
Don't worry, every malware sample I pull that you've kindly taken the
time to fork over is shared with the AV/AM community; their programs
will be able to add detection/possible removal as a result. They'll
also be able to hone in on a better scan string if they don't already
have one instead of a generic hit that could also trigger with a
legit file.
The thing is, every technology you employ for detection,
disinfection, and other removal methods has pros and cons. No single
technology is perfect, and some carry more risk of accidentally
flagging a legit file as a bad one. As a developer/researcher you
weigh those risks and try to determine what's best for the user.
What is likely to get the bad guys and hopefully not bother the user
with too many false positives. It's not realistically possible to
claim no false positives with most of the technologies, because most
malware is written in an HLL these days and much of it is identical
to a legitimate application.
Take AVG for example. It's false positive city. It has a very active
heuristics engine that is mostly in paranoid mode all the time. This
can be considered a good thing on one hand: it's far less likely a
user is going to run something AVG doesn't like, especially if
they're constantly told that if their AV blocks it, you DON'T run it.
OTOH, this can also result in unnecessary technical support for you,
when AVG doesn't like some program all of a sudden (a database update
usually causes this) and the user thinks they have a virus or
something when, in fact, they don't.
And there's the fun of downloading apps from nirsoft and being told
by AVG that such and such is a trojan or something, when you know
it's a perfectly legit app.
I'm just using AVG as an example. Every program on the market has
its issues. AVG is just one of the better known ones for being..
overzealous in its detection.
You're expecting a magic bullet and I'm trying to explain to you that
there isn't one and there won't be one anytime soon. I keep writing
that you don't understand how any of this actually works behind the
scenes, and, based on your replies, it's clear you really don't.
You need to learn how your computer actually 'runs' programs. Once
you do, you'll understand how modern day, HLL compiled malware is
doing what it does and why the AV/AM products you rail on aren't
detecting them the moment you submit them. It'll make a lot more
sense to you then. As long as you refuse to take a little time and
do a little reading, this is all going to seem like I'm making
excuses for what you feel is shoddy protection, at best.
--
If you can read this, Thank a teacher.
If you're reading it in english, Thank a soldier!
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
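Added example, not part of Dustin's post or of any AV product: a toy
scanner that makes the two points above concrete, namely that a
generic scan string (shared compiler prologue plus a common import)
hits legit binaries as readily as the dropper, that a specific string
pulled out of the sample only hits the dropper, that the second
stage's own scan string never hits the dropper on disk because the
payload is stored encoded, and that a heuristic engine run in
"paranoid mode" trades missed detections for false positives. All
three "files", the import tables, the C2 marker, the XOR key and the
threshold values are constructed for this example; nothing here is
real malware or a real engine.

```python
"""Toy AV scanner: generic vs specific scan strings, dropper vs decoded
second stage, and a heuristic score at a paranoid and a conservative
threshold. Every sample below is a constructed stand-in, not a binary."""
import math
import random
from collections import Counter

# ---- constructed sample "files" (stand-ins for compiled x86 binaries) ----
# Function prologue that practically every MSVC-built program carries: no discriminator at all.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x40\x53\x56\x57"
IMPORTS_COMMON = b"KERNEL32.dll\0CreateFileA\0WriteFile\0CreateProcessA\0"
IMPORTS_DEBUG = b"ADVAPI32.dll\0AdjustTokenPrivileges\0SeDebugPrivilege\0ReadProcessMemory\0"
IMPORTS_NET = b"URLMON.dll\0URLDownloadToFileA\0"
DROPPER_CONFIG = b"C2=http://example.invalid/stage2.bin\0"  # hypothetical marker chosen for this example
XOR_KEY = 0x5A                                            # hypothetical single-byte encoding key

_rng = random.Random(20141031)  # fixed seed: the random filler is reproducible

def xor_blob(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# Second stage: a fake PE-ish blob with one identifiable string plus random filler.
STAGE2 = b"MZ\x90\x00" + b"stage2-marker:example\0" + _rng.randbytes(1024)
# The dropper carries stage2 XOR-encoded, so stage2's scan string is not visible on disk.
DROPPER = PROLOGUE + IMPORTS_COMMON + IMPORTS_NET + DROPPER_CONFIG + xor_blob(STAGE2, XOR_KEY)
# A legit password-recovery utility: debug privilege + process memory reads, nirsoft-style.
RECOVERY_TOOL = PROLOGUE + IMPORTS_COMMON + IMPORTS_DEBUG + b"Copyright (c) ExampleSoft\0"
# A legit installer with a compressed (high-entropy) resource appended.
INSTALLER = PROLOGUE + IMPORTS_COMMON + b"Setup wizard\0" + _rng.randbytes(1024)

SAMPLES = {"dropper.exe": DROPPER, "recovery_tool.exe": RECOVERY_TOOL, "setup.exe": INSTALLER}

# ---- signature scanning ----
SIGNATURES = {
    # generic: compiler prologue plus a common import, shared with countless legit binaries
    "Generic.Dropper": [PROLOGUE, b"CreateProcessA"],
    # specific: the dropper's own config marker, known only after taking the sample apart
    "Trojan.Dropper.ExampleC2": [DROPPER_CONFIG],
    # the second stage's own marker; only hits once the payload has been decoded
    "Trojan.Stage2.Example": [b"stage2-marker:example"],
}

def scan_signatures(sample: bytes, sigs=SIGNATURES) -> list:
    """Return the names of every signature whose byte patterns all occur in the sample."""
    return [name for name, parts in sigs.items() if all(p in sample for p in parts)]

def extract_stage2(dropper: bytes) -> bytes:
    """What the researcher does by hand: find the config marker, decode what follows it."""
    start = dropper.index(DROPPER_CONFIG) + len(DROPPER_CONFIG)
    return xor_blob(dropper[start:], XOR_KEY)

# ---- heuristics ----
def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

API_WEIGHTS = {b"WriteFile": 1, b"CreateProcessA": 1, b"SeDebugPrivilege": 2,
               b"ReadProcessMemory": 2, b"URLDownloadToFileA": 3}

def heuristic_score(sample: bytes, window: int = 1024) -> int:
    """Suspicious-API points plus a bonus for a packed/encrypted-looking tail."""
    score = sum(w for api, w in API_WEIGHTS.items() if api in sample)
    if entropy(sample[-window:]) > 7.0:
        score += 3
    return score

PARANOID, CONSERVATIVE = 4, 7  # hypothetical thresholds on the score above

def verdicts(threshold: int) -> dict:
    return {name: heuristic_score(s) >= threshold for name, s in SAMPLES.items()}

def false_positives(threshold: int) -> list:
    """Legit samples the heuristic flags at this threshold."""
    return [n for n, flagged in verdicts(threshold).items() if flagged and n != "dropper.exe"]

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} sigs={scan_signatures(data)} score={heuristic_score(data)}")
    print("paranoid FPs:", false_positives(PARANOID))
    print("conservative FPs:", false_positives(CONSERVATIVE))
    print("stage2 sig on disk:", scan_signatures(DROPPER))
    print("stage2 sig after decoding:", scan_signatures(extract_stage2(DROPPER)))
```

The generic string lights up all three files, the specific one only the
dropper, and the stage2 string only after extract_stage2 has undone
the encoding, which is why a product that only has the payload's
signature does not see the dropper. The paranoid threshold catches the
dropper but also flags the recovery tool and the installer; the
conservative one has no false positives here, at the price of being
easier to slip past.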