| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Show me the Virrii! Steve Wray <steve.wray@...adise.net.nz> replied to S G Masood: > > 4. When their heuristic engines pick up new viruses > > automatically, they usually have some kind of an > ... > > Does anyone have reliable reports of an antivirus system firing > off on a heuristic? > > I'm not aware of ever having seen one; always seems to be a > signature. Well, the answer may depend on precisely how you choose to define "firing off", "heuristic" and "signature"... Regardless, apart from what would be ridiculously limited definitions of those terms, I am sure I could answer "yes, all the time". The sophist in me wishes to point out that _any_ detection based on "identifying data" smaller than the object to be detected is necessarily "heuristic". For example, consider the simplest case of malware detection -- identifying a single, complete file (be it a Trojan Horse, monolithic replicating virus or what have you) -- and the simple detection method for such static targets (albeit possibly impractable for real-world, realtime use) of comparing a cryptographic hash of the entire file contents with a list of such hashes for all known static malware targets. Although triflingly small, there is always a larger than 0% probability of false positives due to the heuristic assumption that this probability is "low enough" for everyday use. Note that I am not denying the usefulness of such a heuristic in much everyday malware scanning. Rather, I am pointing out that such detection methods _are_ heuristic in nature despite the fact they are often considered deterministic. Of course, all manner of further simplifications of this basic approach -- from the crudest of simple short sub-string matches through the sometimes hugely elegant evaluations of code emulator outputs -- commonly used in varying numbers and forms in all currently "successful" virus scanners are equally clearly "heuristic" in this sense. However, let's accept for now that by "heuristic" we mean detection methods much "looser" and much less deterministic than comparison of cyrptographic file hashes. Many scanners have emulators, code analysers, groups of detection strings indicative of functionality that typically falls together in malware and seldom is seen together in "legitimate" programs and so on. These make detections of previously unseen malware all the time. Further, some products have (to varying degrees) eschewed the notion that precise identification is the be all and end all of malware detection, with the developers deliberately making their product's detection of known and analysed malware quite "loose". The point of such "sloppy" deetction is that it will, by and large, detect new and previosuly unseen malware variants while not detecting non-malware programs. All this leads to continual "heuristic" detections. Of course, in some products these heuristic detections may not seem like such unless you know what to look for. For example, NAI's (aka McAfee) detection engine uses a lot of "generic" detection drivers. In effect these work by being able to detect a large number of specific variants of a known malware family (handy when different disinfection and system restore information is necessary for different variants), but also have a notion of a code profile (my term, for lack of a better one) for the family in question. Many new variants are thus detected by the "profile" rather than by information pertinent to a specific variant. The engine may report many (or even all -- someone from NAI may wish to step in and help me here...) of the detections from such a driver as "<family_name>.gen" despite the fact the disinfection engine will know the right thing to do for any specifically detected variants. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists