Message-ID: <20040914212106.GB32431@tempest.stormcenter.net>
From: live4java at stormcenter.net (Mister Coffee)
Subject: AV companies better hire good lawyers soon.

On Tue, Sep 14, 2004 at 03:12:31PM -0400, Barry Fitzgerald wrote:
> Mister Coffee wrote:
> 
> >
> >Making it the other guy's fault doesn't wash.  It's more bad QC on the AV 
> >vendor's part.  But as you mentioned previously, they'll get pounced if 
> >some 0day gets past them and some clown loses his data.  It's a thankless 
> >task.  But it's _far_ more reasonable for them to err on the side of 
> >"Physician, do no harm" and miss the first day of an outbreak than it is 
> >for them to rush out and -break existing programs- because they were in 
> >such a hurry to "Be first to recognize ScatMaster@....MM!!"
> >
> I'm not sure I entirely agree with that.
> 
In some situations, I'm not sure I agree with it either.  And I wrote it.

Just goes to show how convoluted the issue is, eh?

> If AV vendors were physicians and operating system/application 
> combinations biological entities, I might agree.
> 
> However, if XYZ AV program blows away a copy of c0rph0re.exe thinking 
> its "scatmaster", it's not nearly as bad as if "scatmaster" were allowed 
> to spread and cause other damage to people's PCs.  A compromised system 
> can cause considerable problems for an organization, not to mention 
> damage programs and files. 
>
I suppose it would depend on the relative damage scatmaster would cause versus the criticality of c0rph0re.

Wax a mission critical app because AV thought it was a lame, no-payload worm?
 
> It can be assumed that if said person has c0rph0re.exe on his system, 
> he/she should be able to reinstall it should it get blown out of the 
> water.  Recovery in this situation is relatively simple.  Recovery in 
> the case of, say, a keylogger or a backdoor or a rootkit is not nearly 
> so simple.
>
Are your users that bright?  Mine weren't!  If VirusMuncher 2.0 waxed c0rph0re on our systems because it thought it was scatmaster, the users would panic.  They'd panic whether c0rph0re was an electronic post-it-note app or their dedicated VPN config app to reach the secure gizmo distribution system.

Users are dumb.

(What's that line from Men in Black?  "A person can be smart.  But 'people' are stupid."  It applies to users.)

As for recovery, no argument at all.  It's usually a couple of orders of magnitude easier to replace a broken app than stand off and nuke the workstation from orbit to make sure you got all the malware.
 
> I would definitely err on the side of caution here.
> 
Ultimately, so would I.  Better safe than sorry.

Too bad we can't get the drones to install FBSD or something...

And here, having the AV software configured to Delete Without Warning rather than quarantine or ask for user intervention is pretty bad.  The bottom line is A: False positives will happen.  B: Virii will get through.  C: Users will do stupid things (open attachments, go to malware sites, what have you.) D: If it can be mis-configured, someone will misconfigure it.

When it comes to this specific case (regardless of whether the software that got waxed was any good or not) the AV falsed on legitimate software and, in at least some cases, was configured to auto-delete and thus cost the software company and users of the software time and money.  There's no simple blame here, really.  The delete without asking was, IMHO, an over-aggressive config.  That's an Admin/User problem, unless it was the default behavior of the AV product.  The false positive was almost inevitably the AV vendor's problem.  Do AV vendors check against every "known good" program they've ever had submitted before every signature release?  I've got no idea.

Should they?  I'd say yes.  If you can't trust your AV software to not break your system, then you can't trust your AV software.

Will they?  Some will.  Some won't.  It costs them time and money, and I can't imagine them spending as much on "play nice" as they do on "Kill Virii!"

>                -Barry
> 

Cheers,
L4J

