-- Teaser: Why size doesn't matter! --
---
February 1st, 2005, 06:26 PM
Boys ... this may be good news for you :-P
We @ Scheinsicherheit (http://scheinsicherheit.mirrorz.com) have a special taste and do not believe that the sheer size is decisive. We are neither impressed by Eugene's giant size nor are we stunned because Tobias' size is rapidly increasing. And we do not pity Kevin for his small size.
Why is that? Isn't size the most important thing? Doesn't a big size make you happy? Well, it depends. If you are interested in a replicating standard performance and do not ask too many questions a big size may be o.k. for you. But we @ Scheinsicherheit are quite demanding and ask for an outstanding, individual & non-replicating experience.
For this reason, we plan to invite Eugene, Tobias, Magnus, Wayne, Kevin and many others to an exclusive party. In the course of such party we will hopefully convince Magnus to disclose one of his best kept secrets:
Moreover, we plan to ask Tobias to dump a load of sigs right in our hands:
And we should also have the means to get from the other guys what we really want ;-)
In other words, we hereby announce our plans to perform a "Scheinsicherheit Signature Quality Evaluation Series" that will inform you about the quality of the signatures used by various AV/AT developers for the detection of malware samples: we would like to explain to you various criteria that can be used in order to determine the quality of the signatures contained in a signature database, e.g. the number of sigs used per sample (cumulative or alternative?), the location of the sigs (code section, resource section etc.), the sig size (the smaller the better ;-), the type of the sigs (code-based vs. text-based) and the strength of the sigs (rebasing-proof?, hex-proof?, patch-proof?, ep-proof?, redundancy?). Moreover, we would perform several spot-checks with respect to a number of popular scanners and publish the results.
Unfortunately, such Signature Quality Evaluation Series would mean a lot of work for us. Therefore, I would like to figure out whether people are actually interested in such kind of qualitative (not: quantitative) test. Please let me know.
(Disclaimer + "calm down notice": We do not plan to disclose any "secret options" for Ewido. We do not intend to distribute the TH Admin Patch. And we do not plan to dump and distribute any other scanner's signature database.)
Screenshots removed by request. Ron
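The criteria listed in the announcement (number of sigs per sample, cumulative versus alternative matching, section location, sig size, code-based versus text-based, redundancy) can be turned into a small report that a vendor or tester could run over its own signature set. The following is an added example written for this thread; it is not Scheinsicherheit's tool and not code from any scanner named above. The section layout, the signature names and the byte patterns are all constructed for illustration.

```python
"""Signature-quality report over a constructed sample.

Added example (not Scheinsicherheit's tool, nor any scanner's code). The
criteria follow the announcement: sigs per sample, cumulative ('all') vs.
alternative ('any') matching, section location, sig size, code vs. text.
Sections, signature names and byte patterns are constructed for illustration.
"""
import string
from dataclasses import dataclass
from typing import Optional

PRINTABLE = frozenset(string.printable.encode())


@dataclass(frozen=True)
class Signature:
    name: str                      # constructed identifier
    pattern: bytes                 # bytes that must appear in the sample
    section: Optional[str] = None  # restrict the match to one section, if set


@dataclass(frozen=True)
class SigSet:
    """All sigs a scanner holds for one sample. mode 'all' = cumulative (every
    sig must hit), mode 'any' = alternative (one hit is enough)."""
    sample: str
    mode: str
    sigs: tuple


def sig_type(pattern: bytes) -> str:
    """A sig made only of printable ASCII is text-based; otherwise code-based."""
    return "text" if all(b in PRINTABLE for b in pattern) else "code"


def locate(sections: dict, sig: Signature) -> list:
    """Every (section, offset) at which the sig's bytes occur."""
    hits = []
    for name, data in sections.items():
        if sig.section is not None and name != sig.section:
            continue
        start = 0
        while (idx := data.find(sig.pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits


def evaluate(sigset: SigSet, sections: dict) -> dict:
    """Quality report for one sample: counts, locations, sizes, types, verdict."""
    per_sig = []
    for sig in sigset.sigs:
        hits = locate(sections, sig)
        per_sig.append({"name": sig.name, "size": len(sig.pattern),
                        "type": sig_type(sig.pattern), "locations": hits})
    sigs_hit = sum(1 for s in per_sig if s["locations"])
    detected = (sigs_hit == len(per_sig)) if sigset.mode == "all" else sigs_hit > 0
    return {
        "sample": sigset.sample,
        "mode": sigset.mode,
        "detected": detected,
        "sig_count": len(per_sig),
        "sigs_hit": sigs_hit,
        # redundancy: alternative sigs where more than one fires independently
        "redundant": sigset.mode == "any" and sigs_hit > 1,
        "min_size": min(s["size"] for s in per_sig),
        "sections_used": sorted({loc[0] for s in per_sig for loc in s["locations"]}),
        "per_sig": per_sig,
    }


# Constructed "binary": section name -> raw bytes (not a real file).
SAMPLE = {
    ".text": bytes.fromhex("5589e583ec10c745fc00000000e8") + b"\x00" * 8
             + bytes.fromhex("31c0c9c3"),
    ".rsrc": b"\x00\x00ToyRAT build 7\x00\x00",
    ".data": b"remote shell ready\x00",
}

# Constructed signature database for two imaginary detections.
SIGSETS = [
    SigSet("Toy.RAT", "any", (
        Signature("rsrc-string", b"ToyRAT build 7", section=".rsrc"),
        Signature("prologue", bytes.fromhex("5589e583ec10"), section=".text"),
    )),
    SigSet("Toy.Shell", "all", (
        Signature("data-string", b"remote shell ready"),
        Signature("epilogue", bytes.fromhex("31c0c9c3"), section=".text"),
        Signature("absent", bytes.fromhex("deadbeef")),
    )),
]


def report(sigsets=SIGSETS, sections=SAMPLE) -> list:
    """Evaluate every sigset against the sample."""
    return [evaluate(s, sections) for s in sigsets]


if __name__ == "__main__":
    for r in report():
        print(f"{r['sample']}: detected={r['detected']} mode={r['mode']} "
              f"sigs={r['sigs_hit']}/{r['sig_count']} redundant={r['redundant']} "
              f"min_size={r['min_size']} sections={r['sections_used']}")
        for s in r["per_sig"]:
            print(f"  {s['name']:<12} {s['type']:<4} {s['size']:>3}B at {s['locations']}")
```

The two constructed detections show the cumulative/alternative distinction: "Toy.RAT" is detected by either of two sigs and therefore counts as redundant, while "Toy.Shell" requires all three sigs and is missed as soon as one of them does not hit.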
Infinity
February 2nd, 2005, 03:14 AM
I would love that!!!
this could give a lot of perspective on how good an AT really is.
looking forward to see the result.
Blackcat
February 2nd, 2005, 03:40 AM
Would be very informative. Yes, please :D
ziphead
February 2nd, 2005, 03:48 AM
YES....YES....YES!!
spy1
February 2nd, 2005, 10:11 AM
I'd like to see such tests run, also - but I have a question.
Does the signature quality have anything to do with how well a given program is going to be able to detect variants of whatever the signature was written for?
I ask because - more and more - I'm seeing the following statement being given when someone gets slammed with something new - "Hi ____ does detect the (worm/Trojan/keylogger) you named. BUT you may have a variant. If you can find the file please zip it up and send to submit@..."
This doesn't do a whole hell of a lot of good for the person affected by the "variant" (although I guess it helps the Internet community as a whole after a new definition goes out - assuming the zipped file is sent - still able to be sent - properly received and acted upon. A lot of assumptions there).
Actually, the whole scenario leads me to question whether (given the increase of easily-modified malware) signature-based stuff is effective at all anymore, for anything except old threats.
And to question whether your "Signature Quality Evaluation" will be of any more than academic interest if signatures - period - simply aren't cutting it anymore. Pete
cluessless232
February 2nd, 2005, 10:29 AM
-{ Quote: "I'd like to see such tests run, also - but I have a question.
Does the signature quality have anything to do with how well a given program is going to be able to detect variants of whatever the signature was written for?
Actually, the whole scenario leads me to question whether (given the increase of easily-modified malware) signature-based stuff is effective at all anymore, for anything except old threats.
And to question whether your "Signature Quality Evaluation" will be of any more than academic interest if signatures - period - simply aren't cutting it anymore. Pete" }-
I guess that's why they are going to study
-{ Quote: " the strenght of the sigs (rebasing-proof?, hex-proof?, patch-proof?, ep-proof?, redundancy?)." }-
Infinity
February 2nd, 2005, 10:55 AM
ok, the pics are gone...I want to see the pics :P
Infinity
February 2nd, 2005, 10:57 AM
and out of curiosity, why are they removed???
Magnus already told this isn't interesting for an end user (??) so why removing?
the same goes for Ewido picture.
can you explain Ronjor Please?
Magnus Mischel
February 2nd, 2005, 11:04 AM
Perhaps Wilders doesn't want to condone reverse-engineering of security software and then publicly posting screenshots of the deed. Stuff like that - never mind that it is in violation of the license agreement of most software - does not belong on a serious security board. What would you say if they had posted a how-to guide on patching files so that they become undetected by KAV? It basically amounts to the same thing.
Infinity
February 2nd, 2005, 11:07 AM
message clear Magnus, no prbs.
no I wouldn't like that guide on this board :D
Paul Wilders
February 2nd, 2005, 11:24 AM
-{ Quote: "Perhaps Wilders doesn't want to condone reverse-engineering of security software and then publicly posting screenshots of the deed." }-
Hi Magnus ;) Of course we don't want to condone reverse-engineering as you are well aware of. Screenshots have been removed by your request in the meanwhile. Personally, I do believe there is a distinct difference between reverse-engineering and posting screenshots.
-{ Quote: "Stuff like that - never mind that it is in violation of the license agreement of most software - does not belong on a serious security board." }-
Please don't question the seriousness of this board. Reverse-engineering is illegal indeed as stated above. Screen caps as a result from it are not.
-{ Quote: "What would you say if they had posted a how-to guide on patching files so that they become undetected by KAV? It basically amounts to the same thing." }-
Actually, we've seen that happen. It was removed on the spot. No offence, but this hasn't been the case in this particular thread. Pears and apples comparison: merely screenshots over here, nothing else.
Finally: good to see you dropping by; it has been a while!
regards.
paul
spy1
February 2nd, 2005, 12:40 PM
The site linked to in the first post has some very interesting stuff in it, if no one's bothered to look. (I was especially tickled to see that programs like TDS-3, NOD32 and EWIDO did so well in their variants test: http://illusivesecurity.funpic.de/viewtopic.php?t=56 ).
And you can't really blame people for being curious about "hidden" functions in any "security"-related program they're using - the whole concept of "hidden" functions in trusted security programs being enough to send chills up anyone's back. Pete
Magnus Mischel
February 2nd, 2005, 01:29 PM
Interestingly enough, the original screenshot was of the licensed version of TrojanHunter 4.0 (not 4.1). It had an admin menu which contained functions such as "list the most recently added trojan definitions" etc. That menu has since been removed since it is of no use to a regular user. Anyway, I trust that any tester would use either the trial version or a fully licensed, unpatched version when testing any program as I don't see how you can justify tests with patched versions of security software.
---
February 2nd, 2005, 05:35 PM
@Magnus
1.
"Interestingly enough, the original screenshot was of the licensed version of TrojanHunter 4.0 (not 4.1)."
I am not sure. TH 4.0 and 4.1 were installed in the same directory. Both versions are different. The admin menu of TH 4.0 contains 5 entries. The admin menu of TH 4.1 contains only two entries. But this does not really matter. For our purposes, the most important thing is that you can access the signature database. Moreover, you can determine and evaluate the way signatures are created.
2.
"Anyway, I trust that any tester would use either the trial version or a fully licensed, unpatched version when testing any program as I don't see how you can justify tests with patched versions of security software."
It seems that there is no reason to believe that the patched version will work differently. As a precaution, however, the tests will be performed with an unpatched trial. The patched version will only be used to reconfirm that we correctly determined the signatures. O.k.?
3.
"doesn't want to condone reverse-engineering of security software"
Reverse-engineering is considered illegal in several jurisdictions. We do not admit that we have reverse-engineered TH. Moreover, we do not admit that we have patched TH. (This is because also patching may be illegal.)
For exactly the same reason I expect AV/AT software developers not to admit that they reverse engineer software EVERY day and could thereby act in an illegal manner ;-) We also expect certain AV/AT software developers to deny the fact that they use a disassembler in order to extract signatures from a file...
Moreover, most security advisors will deny that they reverse software in order to determine whether it has security flaws or not.
All of the above may be illegal. Btw. ... did you know that Microsoft used pirated software in order to code Windows XP? ( http://madpenguin.org/cms/?m=show&id=2923 ... )
4.
" I don't condone the activity of these guys. I think I know now why they have never revealed their true identities and operate under pseudonyms." (see http://forum.misec.net/board/TrojanHunter/1107356159 )
You are correct. One of the reasons why we use pseudonyms is to protect ourselves. Not only AV/AT developers but also testers are sometimes required to cross the borderline. For example, you may be required to download and use a cracked & modified crypter in order to determine whether it is supported by a scanner's unpacking engine or not. You may also be required to download a cracked signature database in order to determine whether a rumour is true or not.
5.
I therefore believe the most important question is not whether any laws are violated but whether we do the right or the wrong thing by disclosing the fact that TH features a "secret admin mode". I have carefully considered the pros and cons of such disclosure and came to the conclusion that the pros outweigh the cons.
Cons:
You will get angry with us.
Competitors may start to closely examine TH and (again) make up "Madshi stories" etc.
TH sales might be indirectly affected.
Bad people may try to figure out how to enable the admin mode and then dump the signature database.
Pros:
The use of the admin patch will not only allow us to figure out a few TH signatures (we could also use a file splitter for this) but we will also be able to inform people whether TH's method of signature creation is flawed or not.
Consumers will be warned that security software developers include hidden options that facilitate the extraction of signatures.
You and other developers may ask themselves how serious they take the term "security".
You and other developers may be forced to remove hidden options etc. from public versions of security software.
Against this background, we have decided to disclose the fact that AV/AT software developers act negligently and provide for such hidden options etc. However, we will not tell people how to enable such hidden features.
6.
"What would you say if they had posted a how-to guide on patching files so that they become undetected by KAV? It basically amounts to the same thing."
We did this indeed ( http://scheinsicherheit.mirrorz.com/example.htm ). However, we informed Kaspersky many many months in advance. Moreover, we did not publish this trick before it became common knowledge in the trojan scene.
@all
Full disclosure: we have been contacted by an AV/AT software developer. Such developer has asked us to postpone the test of such developer's scanner because a significantly improved version will be released in about four weeks. We have replied that we will postpone the test of such scanner (but not for an indefinite period of time). This is because customers will not benefit from a test of an outdated version.
Magnus Mischel
February 2nd, 2005, 05:58 PM
You can test TrojanHunter's signature strength all you want - I welcome you to. TrojanHunter 4 uses strong code-based signatures. However, using a cracked version of TrojanHunter with an applied patch and then publicly posting about this fact to try and make TrojanHunter look bad is just very unprofessional. Couple this with the fact that you have never revealed your true identity and I think you will find that very few people will take you seriously.
Paul Wilders
February 2nd, 2005, 06:07 PM
Nautilus,
First: you can try to bend the rules whatever you like, disclaim all: fact remains you have been reverse-engineering. That's illegal and surely explains you being anonymous. Let's get that one for the record.
Second: I for one am fully in the dark as for what you are trying to prove here. The fact that signatures are/can be weak is an old, well known story - Eugene Kaspersky is aware of this and all other minor/major companies in the business as well. Question remains for what reasons you are sort of re-inventing the wheel/digging up an old story. Beats me ::) .
regards,
paul
---
February 2nd, 2005, 06:11 PM
Since we have not yet performed the test it is still open whether we will come to the conclusion that TH's sigs are of a high, medium or low quality.
Moreover, I do not think that TH would look THAT bad if you simply said: "Admin mode will be removed in the next public version." Please also note that we did not merely criticise TH but Ewido as well. (Btw.: Also Tobias sent an email to us but did not complain ...). Other AV/AT developers are also suspected to use hidden options.
Why don't you simply admit that it was a very bad idea not to remove the admin mode from the public version? The problem can be easily solved ...
Magnus Mischel
February 2nd, 2005, 06:18 PM
There is nothing "secret" or mysterious about this mode. You are just trying to focus attention on this in order to not make people focus on the methods you use when you examine software. What exactly are you saying is bad about a menu that contains things such as "Copy a list of the last added trojan names to the clipboard" and "Copy a standard update notification message to the clipboard"? Nothing! TrojanHunter has always had an open-rules format that allows users to add their own detection rules so I don't see why you are trying to attack this feature now when you could have done so many years ago.
Anyway, it's interesting that you will now be using the trial version to conduct your test. I would have thought you would use the license you have already purchased given that the screenshots you posted were of the licensed version of TrojanHunter.
---
February 2nd, 2005, 06:21 PM
@Paul
"fact remains you have been reverse-engineering"
You first statement ("Personally, I do believe there is a distinct difference between reverse-engineering and posting screenshots.") came much closer to the truth.
"Second: I for one am fully in the dark as for what you are trying to prove here. The fact that signatures are/can be weak is an old, well known story - Eugene Kaspersky is aware of this and all other minor/major companies in the business as well. Question remains for what reasons you are sort of re-inventing the wheel/digging up an old story. Beats me ."
The idea is to determine whether there are at least a few scanners which do NOT use weak signatures. If this were the case it would be possible to recommend such scanners for the detection of non-replicating malware. Makes sense? Moreover, it may well be the case that different scanners suffer from different weaknesses. In such case, a combination of several scanners could significantly improve security. Our test would help to figure out suitable combinations.
---
February 2nd, 2005, 06:41 PM
@Magnus
We have "attacked" prior versions of TH because of the "open ruleset" concept which facilitates hexing/patching/modifying of malware. See http://scheinsicherheit.mirrorz.com/th.htm : "Last but not least, TrojanHunter practically invites people to trick its RAM scanner with modified trojans, by making the signatures it uses freely accessible (see the following screenshot with part of the signature of the Bionet 3.18 trojan)".
We have stopped attacking TH after the new version was released and the "open ruleset" concept was abolished. (At least that's what I thought.)
Now we may attack TH again because the admin mode can be used to re-enable the "open ruleset" concept. Similarly, we have attacked BOClean for not encrypting its signature database. With the release of BOClean this problem seems to be solved.
"What exactly are you saying is bad about a menu ..."
The real bad thing is not the admin menu but the Ruleset/Save Rules to Textfile menu. This is because such option will dump the NEW (possibly) strong, code-based file sigs. I thought that they are not supposed to be dumped. Correct? If I am mistaken and also the non-patched version allows dumping the ruleset there is no big problem at all. In such case, I do not understand why you are upset that we mentioned the existence of the admin mode.
Magnus Mischel
February 2nd, 2005, 06:48 PM
TrojanHunter has always had an open ruleset and this has not changed in the latest version since the user can still add/edit custom detection rules. You are again just trying to divert focus from your testing methods. Every scanner that is out there has the ability to read its own signature database and there is nothing in the world that is going to change that. If you want to make people believe that this is not the case then all you may be able to do is convince some uneducated users that this would be more "secure". However, your constant attacks which anyone with a bit of computer knowledge can tell is complete rubbish is actually making me consider removing custom detection rules entirely from the next version of TrojanHunter. This would not make TrojanHunter one bit more secure, it would just please people like you and those who are uneducated, but the time it would save in having these debates might actually make it worth it.
Magnus Mischel
February 2nd, 2005, 06:55 PM
And let's make another thing clear. I am not against you testing TrojanHunter or evaluating its signature quality. What I am against is you blatantly violating the TrojanHunter license agreement and using cracked versions of the program and then posting about it in public. Your testing methods are wrong and like I said nobody will be taking you seriously as long as you continue testing this way.
Paul Wilders
February 2nd, 2005, 06:58 PM
-{ Quote: "@Paul
"fact remains you have been reverse-engineering"
You first statement ("Personally, I do believe there is a distinct difference between reverse-engineering and posting screenshots.") came much closer to the truth." }-
There is a distinct difference for sure - but that's not the issue. Truth is, it's impossible to post such screenshots without reverse-engineering. You know it, I do know it - we all do. So let's not beat around the bush here. Fact remains: it's illegal - and we both know it.
-{ Quote: ""Second: I for one am fully in the dark as for what you are trying to prove here. The fact that signatures are/can be weak is an old, well known story - Eugene Kaspersky is aware of this and all other minor/major companies in the business as well. Question remains for what reasons you are sort of re-inventing the wheel/digging up an old story. Beats me ."
The idea is to determine whether there are at least a few scanners which do NOT use weak signatures. If this were the case it would be possible to recommend such scanners for the detection of non-replicating malware. Makes sense?" }-
Rubbish. Following your route, for example KAV uses weak signatures. This implies you strongly advise not to use Kaspersky. Just an example - KAV can be exchanged by others as well.
-{ Quote: "Moreover, it may well be the case that different scanners suffer from different weaknesses. In such case, a combination of several scanners could significantly improve security. Our test would help to figure out suitable combinations." }-
Right. After ditching KAV no doubt others can be ditched as well - probably most, purely relying on signatures for one reason or another. What's new? You know how to fool, I know - and surely many others do. Software relying solely on signatures is in need of very fast and accurate database updating - leaving packers etc. aside.
Sorry to say, but I for one fail to see the advantage coming from re-inventing the wheel. And to me, it surely looks like that's where you're heading.
regards.
paul
---
February 2nd, 2005, 07:10 PM
"There is a distinct difference for sure - but that's not the issue. Truth is, it's impossible to post such screenshots without reverse-engineering. You know it, I do know it - we all do. So let's not beat around the bush here. Fact remains: it's illegal - and we both know it."
Not correct. As you correctly mentioned in your first post it's completely open whether we or a third party reverse-engineered TH. The same applies, for example, to the cracked TDS-3 signature database or Senna Spy's AVP Offset Generator. We also did not crack TDS-3 nor did we code AVP Offset. But we told people about it.
"Rubbish. Following your route, for example KAV uses weak signatures. This implies you strongly advice not to use Kaspersky. Just an example - KAV can be exchanged by others as well."
Not entirely correct. I do not recommend to EXCLUSIVELY use KAV. Because of KAV's many flaws you should use an additional scanner for non-replicating malware. In such case you can benefit from KAV's strengths (comprehensive signature database, good static unpacking engine) and (partly) compensate its many weaknesses.
"And to me, it surely looks like that's where you're heading."
Please explain.
Paul Wilders
February 2nd, 2005, 07:30 PM
-{ Quote: ""There is a distinct difference for sure - but that's not the issue. Truth is, it's impossible to post such screenshots without reverse-engineering. You know it, I do know it - we all do. So let's not beat around the bush here. Fact remains: it's illegal - and we both know it."
Not correct. As you correctly mentioned in your first post it's completely open whether we or a third party reverse-engineered TH. The same applies, for example, to the cracked TDS-3 signature database or Senna Spy's AVP Offset Generator. We also did not crack TDS-3 nor did we code AVP Offset. But we told people about it." }-
Ok - you want to make sure your actions will not end up in a law suit. Blame 'third parties' for doing so and providing you the results ::) . I'll leave it up to all reading this to judge you on this.
-{ Quote: ""Rubbish. Following your route, for example KAV uses weak signatures. This implies you strongly advice not to use Kaspersky. Just an example - KAV can be exchanged by others as well."
Not entirely correct. I do not recommend to EXCLUSIVELY use KAV. Because of KAV's many flaws you should use an additional scanner for non-replicating malware. In such case you can benefit from KAV's strengths (comprehensive signature database, good static unpacking engine) and (partly) compensate its many weaknesses." }-
That settles it - and in effect does make your test useless: all in all, you simply do advise all not to rely on just one (signature-based) software. As stated before: why re-invent the wheel? This is rather old news, and you know it.
-{ Quote: ""And to me, it surely looks like that's where you're heading."
Please explain." }-
I just did ;)
regards.
paul
---
February 2nd, 2005, 07:38 PM
@Magnus
1.
"TrojanHunter has always had an open ruleset and this has not changed in the latest version since the user can still add/edit custom detection rules. You are again just trying to divert focus from your testing methods. Every scanner that is out there has the ability to read its own signature database and there is nothing in the world that is going to change that. If you want to make people believe that this is not the case then all you may be able to do is convince some uneducated users that this would be more "secure". However, your constant attacks which anyone with a bit of computer knowledge can tell is complete rubbish is actually making me consider removing custom detection rules entirely from the next version of TrojanHunter. This would not make TrojanHunter one bit more secure, it would just please people like you and those who are uneducated, but the time it would save in having these debates might actually make it worth it."
Divert focus? I think it's quite the other way round. But I have already replied to your private email:
"...Oh, and one more thing. I had always believed that an open database was beneficial to the end user - this is why the user has always been able to add his own detection rules and view those already in place. The only reason that the Advanced File Rules were not available to end users is because they are too complicated to operate and too much work to support."
I did not and do not agree. See the reply @ Wilders. I believe that signatures should be encrypted.
"However, your posts have convinced me that no good can come from having an open signature database since people like you will only abuse it."
Exactly. In particular, hackers will abuse an open signature database. I believe that we have discussed this issue several months ago. I also believe to remember that you told me that TH 4 would use a closed signature database in order to prevent people from abusing it.
----
Moreover, please explain what is exactly wrong with our testing methods. (Btw.: It's somewhat funny that people criticise our testing methods although the test has not even started ;-)
2.
"And let's make another thing clear. I am not against you testing TrojanHunter or evaluating its signature quality."
I see. But you want to make it as difficult as possible?
"What I am against is you blatantly violating the TrojanHunter license agreement and using cracked versions of the program and then posting about it in public. Your testing methods are wrong and like I said nobody will be taking you seriously as long as you continue testing this way."
Would you be o.k. if I refrained from using the admin patch as a means of verifying our results and simply used a file splitter? If yes: would you then also stop from reversing malware and potential (!) malware? Why do you believe that your reversing activities are less illegal than the use of a patched TH version? Why do you believe that people should use TH (although the developer daily reverse engineers software) but should not read our tests because we use the admin patch?
And one more question: Why is the TH license agreement so terribly small and why is it not possible to print it if you expect people to read it? Is this because the license agreement does not explicitly prohibit the use of a patch but merely prohibits the decompilation or disassembling of the software (which we have not done)? Do you also believe that well-known security advisors are non-trustworthy criminals because they disassemble software in order to discover security flaws?
snipped. Nautilus, as stated correctly: private email - and therefore not intended to be published on an open forum. Please keep common courtesy and rules in perspective.
regards,
paul
Magnus Mischel
February 2nd, 2005, 07:47 PM
Yes, you are very welcome to examine TrojanHunter's signatures with a "file splitter" but like I said before your method of using binary patches and then using a patched version in your test is utterly unprofessional.
There is a huge difference between analysing malware and reverse engineering commercial software in violation of the license agreement. Believe me, I've checked with our lawyer and reverse engineering malware is very much legal.
---
February 2nd, 2005, 07:48 PM
@Paul
"That settles it - and in effect does make your test useless: all in all, you simply do advice all not to rely on just one (signature-based) software. As stated before: why re-invent the wheel? This is rather old news, and you know it."
I still do not agree ;-) The problem is that most people do not even know that Kaspersky and others have minor or major problems. And even more people do not know WHAT combinations should be used. For instance, it does not make sense to arbitrarily combine two scanners which suffer from the same flaw.
Last but not least, the above-mentioned AV/AT software developer (no: it's not Emsisoft -- we do not test a2) claims that the new version will sport several features that may overcome most if not all our concerns regarding signature quality etc.
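The argument made in this post and in the earlier reply to Paul (a second scanner only adds security if it does not share the first scanner's weaknesses) can be made concrete with a small ranking over per-criterion results. This is an added example, not part of the thread and not any published test result: the scanner names and the True/False outcomes are constructed, and the criteria are simply the ones named in the announcement.

```python
"""Choosing scanner combinations from per-criterion results.

Added example, not part of the thread and not any real test result: scanner
names and the True/False results are constructed. The criteria are the ones
named in the announcement (rebasing-proof, hex-proof, patch-proof, ep-proof,
redundancy). True means the scanner's signatures withstood that check.
"""
from itertools import combinations

CRITERIA = ("rebasing", "hex", "patch", "ep", "redundancy")

RESULTS = {  # constructed outcomes, one row per imaginary scanner
    "ScannerA": {"rebasing": True,  "hex": False, "patch": False, "ep": True,  "redundancy": False},
    "ScannerB": {"rebasing": False, "hex": True,  "patch": True,  "ep": False, "redundancy": False},
    "ScannerC": {"rebasing": True,  "hex": False, "patch": False, "ep": True,  "redundancy": True},
}


def weaknesses(results: dict, scanner: str) -> frozenset:
    """Criteria the scanner failed."""
    return frozenset(c for c in CRITERIA if not results[scanner][c])


def shared_weaknesses(results: dict, a: str, b: str) -> frozenset:
    """Flaws neither scanner compensates for: the combination is blind here."""
    return weaknesses(results, a) & weaknesses(results, b)


def rank_pairs(results: dict) -> list:
    """Rank every pair by how many criteria at least one member passes.
    Returns (covered, scanner_a, scanner_b, shared_flaws) tuples, best first."""
    ranked = []
    for a, b in combinations(sorted(results), 2):
        shared = shared_weaknesses(results, a, b)
        ranked.append((len(CRITERIA) - len(shared), a, b, tuple(sorted(shared))))
    ranked.sort(key=lambda t: (-t[0], t[1], t[2]))
    return ranked


def best_pair(results: dict) -> tuple:
    """The pair with the fewest shared weaknesses."""
    return rank_pairs(results)[0]


if __name__ == "__main__":
    for covered, a, b, shared in rank_pairs(RESULTS):
        print(f"{a}+{b}: {covered}/{len(CRITERIA)} criteria covered, "
              f"shared flaws: {shared or 'none'}")
```

With the constructed table, ScannerA and ScannerC look similar on paper but fail the same two checks, so pairing them covers less than pairing either with ScannerB, which is the situation the post describes as arbitrarily combining two scanners that suffer from the same flaw.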
Paul Wilders
February 2nd, 2005, 08:01 PM
Nautilus,
As far as I'm concerned: it's heading towards 2:00 AM over here and I'm hitting the sack. I'll address this - if still needed - tomorrow, my time zone.
regards,
paul
Paul Wilders
February 2nd, 2005, 08:15 PM
Nautilus,
Last reply has been stalled/removed. This thread is closed for the time being.
regards,
paul
Paul Wilders
February 3rd, 2005, 03:16 PM
Ladies and gents,
This thread had been closed because of the merely human need of sleep as well as business to attend after that. As of now, this thread has been re-opened.
Those feeling the need to contribute are welcome to do so.
regards,
paul
---
February 3rd, 2005, 05:34 PM
In my opinion the following issues are open and should be clarified:
1.
Is it illegal that AV/AT software developers reverse engineer potential malware (i.e., commercial software)?
2.
If not: are also security advisors (like Secunia) and/or testers (like us) allowed to reverse engineer?
3.
Was it illegal to post the screenshot? (This is of relevance because I won't post it again if it is illegal to do so.)
4.
Is it illegal to apply the patch? Would this violate the TH license agreement? Would this violate the laws of the relevant jurisdiction (which one btw.?)?
5.
If it were illegal to apply the patch: Why can't Magnus simply allow us to use it only for purposes of our test? (Other AV/AT software developers seem to be quite cooperative.)
6.
If not: Why does Magnus not want us to properly test TH (with the help of the patch)? Does this benefit the customers of TH? Does this benefit Magnus because there is anything to hide?
7.
Why was Magnus so upset and Ewido so relaxed about the disclosure? (Obviously, both scanners were reverse engineered. The only difference is that the TH screenshot is more impressive and, moreover, TH was not only reverse engineered but also patched.)
----------------------------------------------------------------
An uncensored copy of this post can be found here: ~~~SNIP~~~
Would you kindly in future refrain from linking to other forums
Thank you
ADMIN
---
February 3rd, 2005, 05:59 PM
"Would you kindly in future refrain from linking to other forums
Thank you
ADMIN"
I guess this is because it will facilitate manipulations and censorship? Isn't it true that control-freaks fear nothing more than losing absolute control over everyone?
Example:
Admin --- A.
Guest --- B.
Admin edits B. to A. and everyone says A. A perfect world, isn't it?
Paul Wilders
February 3rd, 2005, 07:21 PM
-{ Quote: "In my opinion the following issues are open and should be clarified:
1.
Is it illegal for AV/AT software developers to reverse engineer potential malware (i.e., commercial software)?" }-
Apart from the fact there's a distinct difference between malware and (commercial) software: as far as I'm concerned it is.
-{ Quote: "2.
If not: are security advisors (like Secunia) and/or testers (like us) also allowed to reverse engineer?" }-
First - no offence intended - please don't imply you are playing in the same league as Secunia. That said: Secunia isn't reverse-engineering; they are merely reporting findings of others.
Second: depending on the software in question: you are not allowed to do so in 99 percent of all cases.
-{ Quote: "3.
Was it illegal to post the screenshot? (This is of relevance because I won't post it again if it is illegal to do so.)" }-
Nothing - unless we do believe it's not done. Our prerogative.
-{ Quote: "4.
Is it illegal to apply the patch? Would this violate the TH license agreement? Would this violate the laws of the relevant jurisdiction (which one btw.?)?" }-
In case it's a result of reverse-engineering: seems like it. Magnus didn't address this for no reason.
-{ Quote: "5.
If it were illegal to apply the patch: Why can't Magnus simply allow us to use it only for purposes of our test?" }-
Looks like you've got your answer in the meantime - illegal. Courtesy demands Magnus providing the final verdict once more instead of me.
-{ Quote: "(Other AV/AT software developers seem to be quite cooperative.)" }-
You've lost me; are you in effect stating you have patched other AV/AT software as well and developers have stated that's just OK? ???
-{ Quote: "6.
If not: Why does Magnus not want us to properly test TH (with the help of the patch)? Does this benefit the customers of TH? Does this benefit Magnus because there is anything to hide?" }-
Nice try indeed. Let's keep on topic here first: illegal reverse-engineering.
-{ Quote: "7.
Why was Magnus so upset and Ewido so relaxed about the disclosure? (Obviously, both scanners were reverse engineered. The only difference is that the TH screenshot is more impressive and, moreover, TH was not only reverse engineered but also patched.)" }-
That's actually of no importance to the topic at hand. This topic isn't about TrojanHunter or Ewido as a target.
regards.
paul
Paul Wilders
February 3rd, 2005, 07:24 PM
-{ Quote: ""Would you kindly in future refrain from linking to other forums
Thank you
ADMIN"
I guess this is because it will facilitate manipulations and censorship? Isn't it true that control-freaks fear nothing more than losing absolute control over everyone?" }-
Rubbish. In case you would have bothered to investigate: we do have a policy in this regard - not aimed at your person. Thus, your signature has been handled as all others have been.
regards,
paul
LowWaterMark
February 3rd, 2005, 09:30 PM
Hmm, news.com story...
Researcher faces jail for finding bugs (http://news.com.com/Researcher%2Bfaces%2Bjail%2Bfor%2Bfinding%2Bbugs/2100%2D7348_3%2D5531586.html)
No, not exactly the same legal question, but depending upon the outcome of things like this, these questions might become more defined. :-\
rerun2
February 4th, 2005, 01:41 PM
A lot of good points have been made.
However I would like to add that I too strongly disagree with the use of patched software as well. While this may not affect the detection ability of the scanner, I think it goes towards the credibility of the test (or lack thereof). If the issue is simply that you do not have a full version of TH, I can buy a license for your testing if Magnus agrees as well.
The other point of reverse engineering the scanner is a rather delicate one it seems. Please correct me if I am wrong or if I misunderstood any of the issues here... But I believe if one can test the signature strength of a scanner without reverse engineering the software I think that is better. If all scanners were reverse engineered first, the tester can pick and choose to reveal what areas a scanner is weak in, and fail to reveal others, because of personal bias. Or they may exploit a weakness and make it look larger than it really is. I am not saying that you have any personal bias, but by doing this it may open this kind of test up for such things. I would like to see what you have been doing before, with modifying the malware in specific ways to test the strength of scanners in each area. I do not know if you have found this method effective or if there are limitations. But to me it seems like it would be a much more level playing field.
I agree with Paul about the test possibly just re-inventing the wheel.
However I also see Nautilus' contention that it may help viewers see "WHAT combinations should be used. For instance, it does not make sense to arbitrarily combine two scanners which suffer from the same flaw."
---
February 4th, 2005, 05:04 PM
@LowWaterMark
Your post was helpful indeed. Although I know the guys from Tegam I hope that they will lose the lawsuit.
@rerun2
1.
Your post was also helpful because it will allow me to clarify a few things:
"If the issue is simply that you do not have a full version of TH, I can buy a license for your testing if Magnus agrees as well."
We already have licensed and unlicensed versions of TH 4.0 and 4.1. Licensed and unlicensed versions need to be patched in order to enable the Admin Mode. Such a patch is extremely small and has nothing to do with a crack (software piracy). The patch will not remove copyright protection but simply enable an additional, hidden feature.
Consequently, we are not in need of a license. Moreover, Magnus had previously offered to send us a free license. (We rejected such offer like we always do.)
"The other point of reverse engineering the scanner is a rather delicate one it seems. Please correct me if I am wrong or if I misunderstood any of the issues here... But I believe if one can test the signature strength of a scanner without reverse engineering the software I think that is better. If all scanners were reverse engineered first, the tester can pick and choose to reveal what areas a scanner is weak in, and fail to reveal others, because of personal bias. Or they may exploit a weakness and make it look larger than it really is."
You can also do this w/o reverse engineering. It is very easy to unfairly bash a scanner if you are biased.
"I am not saying that you have any personal bias, but by doing this it may open this kind of test up for such things. I would like to see what you have been doing before, with modifying the malware in specific ways to test the strength of scanners in each area. I do not know if you have found this method effective or if there are limitations. But to me it seems like it would be a much more level playing field."
We will continue to use this method. We believe that it is effective. Moreover, we will comment on the signature quality by determining and analysing the signature itself. This does not require reverse engineering. A file splitter is sufficient.
The TH Admin Mode will allow us to easily verify our results and, moreover, it will allow us to make additional comments relating to the way of signature creation. We will not use patched TH versions for the detection tests.
"I agree with Paul about the test possibly just re-inventing the wheel."
I do not agree and, frankly speaking, I believe that Paul is absolutely clueless. But I will further comment on this problem in my next post.
"However I also see Nautilus' contention that it may help viewers see "WHAT combinations should be used. For instance, it does not make sense to arbitrarily combine two scanners which suffer from the same flaw.""
I am glad that people understand this point.
2.
I would further like to mention that we will not unfairly bash TH because Magnus got angry with us etc. We are definitely used to getting attacked or insulted by various AV/AT developers. This will not stop us from testing their software. Otherwise, a mere insult would be sufficient to avoid a Scheinsicherheit review.
Moreover, I would like to mention that we have absolutely no reason to bash Magnus. As far as I can tell he was always fair, honest and did not ameliorate the former weaknesses of TH. Instead he continued to improve TH and that's probably the reason why so many people use it. We never had any difficulties with Magnus so far. Our negative comment/disclosure (actually we did not make a negative comment until Magnus got upset and we explained some of the admin features) came right out of the blue. That's why we can never be the friend of any AV/AT software developer. If there is something that we do not like we will always talk about it.
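The "file splitter" method the post above describes (determining a scanner's signature without reverse engineering), together with the "modify the malware in specific ways and see whether detection survives" approach rerun2 asks about earlier in the thread, can be illustrated in a few dozen lines. What follows is an added example written for this page; it is not code from the thread, from Scheinsicherheit or from any scanner vendor. The scanner is a stand-in (`mock_scanner`, which flags a buffer if it contains one hypothetical 8-byte pattern, `SIGNATURE`), the 4 KiB sample is constructed inline, and the offsets and names are assumptions of the example. Against a real product you would write each candidate buffer to disk and run the vendor's command-line scanner in place of `mock_scanner`.

```python
"""Signature localisation by file splitting, plus a single-byte patch check.

Added example, not from the thread. The 'scanner' is a stand-in that keys on
one fixed byte pattern; a real test would call the product's CLI instead.
"""
from typing import Callable

Scanner = Callable[[bytes], bool]

# Hypothetical 8-byte code signature, chosen for this example only. It has no
# 0x00 byte, so zero-filling any region that overlaps it breaks the match.
SIGNATURE = bytes.fromhex("558bec83ec10e8c3")


def mock_scanner(data: bytes) -> bool:
    """Stand-in for the AV/AT engine: 'detected' iff SIGNATURE occurs."""
    return SIGNATURE in data


def build_sample(offset: int = 1500) -> bytes:
    """Constructed 4 KiB sample: a byte ramp with SIGNATURE embedded at `offset`.

    The ramp never has 0x55 followed by 0x8b, so the embedded copy is the only
    match (the bisection below assumes a single contiguous match).
    """
    buf = bytearray(bytes(range(256)) * 16)
    buf[offset:offset + len(SIGNATURE)] = SIGNATURE
    return bytes(buf)


def blank(data: bytes, start: int, end: int) -> bytes:
    """Copy of `data` with data[start:end] overwritten by zero bytes."""
    return data[:start] + b"\x00" * (end - start) + data[end:]


def locate_signature(data: bytes, scan: Scanner) -> dict:
    """Bisect for the smallest contiguous region the scanner needs intact.

    Valid when the scanner keys on one contiguous byte run. If it needs
    several cumulative runs, the final verification fails and 'contiguous'
    is False; alternative (either/or) signatures make the search
    non-monotonic, so treat the result as a starting point only.
    """
    scans = 0

    def detected(buf: bytes) -> bool:
        nonlocal scans
        scans += 1
        return scan(buf)

    if not detected(data):
        raise ValueError("sample is not detected to begin with")
    n = len(data)

    # Left edge: largest `lo` such that blanking data[:lo] still detects.
    ok, bad = 0, n
    while bad - ok > 1:
        mid = (ok + bad) // 2
        if detected(blank(data, 0, mid)):
            ok = mid
        else:
            bad = mid
    start = ok

    # Right edge: smallest `hi` such that blanking data[hi:] still detects.
    ok, bad = n, 0
    while ok - bad > 1:
        mid = (ok + bad) // 2
        if detected(blank(data, mid, n)):
            ok = mid
        else:
            bad = mid
    end = ok

    # Keep only [start, end) and confirm that region alone is enough.
    contiguous = detected(blank(blank(data, 0, start), end, n))
    return {"start": start, "end": end, "size": end - start,
            "contiguous": contiguous, "scans": scans}


def patch_byte(data: bytes, pos: int) -> bytes:
    """Copy of `data` with one byte inverted: the simplest 'patch' test."""
    buf = bytearray(data)
    buf[pos] ^= 0xFF
    return bytes(buf)


def strength_report(data: bytes, scan: Scanner, start: int, end: int) -> dict:
    """Does a one-byte patch inside the located region kill detection, and does
    one outside leave it untouched? A pure code-based sig answers (False, True)."""
    outside = end if end < len(data) else 0   # some offset not in [start, end)
    return {"patch_inside_detected": scan(patch_byte(data, start)),
            "patch_outside_detected": scan(patch_byte(data, outside))}


if __name__ == "__main__":
    sample = build_sample()
    where = locate_signature(sample, mock_scanner)
    print(where)                                      # start 1500, end 1508
    print(sample[where["start"]:where["end"]].hex())  # the recovered signature
    print(strength_report(sample, mock_scanner, where["start"], where["end"]))
```

Two bisections of a 4 KiB file cost 24 scans plus two sanity scans, so the method scales to real file sizes; what it does not handle on its own is a scanner with several alternative signatures for the same sample, where blanking one region may shift detection to another and the search stops being monotonic. The single-byte patch check is the crudest of the strength criteria the thread mentions; rebasing or entry-point changes would be applied to a real PE in the same scan-and-compare loop.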
Paul Wilders
February 4th, 2005, 05:27 PM
Nautilus,
-{ Quote: "I do not agree and, frankly speaking, I believe that Paul is absolutely clueless. But I will further comment on this problem in my next post." }-
If I am, I'm in good company (Magnus Mischel, Wayne Langlois, Kevin McAleavey, Eugene Kaspersky...etc.). Be our 'common' guest ;) .
regards,
paul
---
February 4th, 2005, 05:53 PM
@Paul
-- Preface: I would like to highlight that you edited your post. Your initial version of the post contained several rude comments. Because you are an admin nobody can see that you amended your post. Well done! --
Contrary to the above posts your comments are not helpful at all. You do not mention why you believe that AV/AT's reverse engineering activities are illegal.
Your other comments are also not helpful:
"First - no offence intended - please don't imply you are playing in the same league as Secunia. That said: Secunia isn't reverse-engineering; they are merely reporting findings of others."
First: Your comments are beside the point. You did not even try to answer the question.
Second: Your constant use of the expression "no offense intended" is absolutely dishonest. Of course you intended to offend us. We did NOT suggest that we play in the same league as Secunia. By contrast, we properly distinguished between security advisors and testers (like us). If you believe that Secunia does not reverse engineer please replace this name by another security advisor's name.
Third: It's amazing that you comment on our technical knowledge. This is because your own knowledge of security software's internals goes close to zero. And that's exactly the problem. Frequently, you do not even understand what people are talking about and, consequently, you make improper comments or wrongly moderate a thread. Even more embarrassing is that your forum must be partially closed if you go to bed. You really have a problem with a perceived lack of control. But please let me assure you. It is not necessary that you try to play Papa God. Your comments, skills and insights are not and do not need to be better than those of everyone else. And you do not need to control, censor and subdue everyone. The forum will be better without such dictatorship.
"Second: depending on the software in question: you are not allowed to do so in 99 percent of all cases."
Thanks for this most helpful and well-founded insight.
"Nothing - unless we do believe it's not done. Our prerogative."
Thanks for this self-centered comment. Please note, however, that the question was NOT whether you properly removed the screenshot. The question was whether it is illegal to post it. Believe it or not, many people like to know whether they act illegally or not.
"in case it's a result of reverse-engineering: seems like it."
It seems that I need a more substantiated answer.
"Magnus didn't address this for no reason."
I believe the reason why Magnus did not comment on this question is that (i) the license agreement does not address this issue and (ii) Magnus does not really know whether it is illegal to apply the patch. We also do not know whether it is illegal or not. But we hesitate to apply the patch before this question has been answered.
"Looks like you've got your answer in the meantime - illegal. Courtesy demands Magnus providing the final verdict once more instead of me."
We have not got an answer. I do not know what you are talking about. Moreover, it is not up to Magnus to provide "a final verdict". We are certainly interested in his comments. But in the end it's the law that decides.
"You've lost me; are you in effect stating you have patched other AV/AT software as well and developers have stated that's just OK?"
No. I expressly stated that we did not patch Ewido. Moreover, we did not patch any other software so far. I said other developers are more cooperative because they offered to provide us with signatures (i.e., they want to save us the work to apply file splitters etc.). It's a little bit far fetched to assume that Magnus' main concern is the patch itself. If he did not want us to apply the patch (for no reason) he could still send us an internal build with the admin mode enabled.
I will tell you what the real problem is: Magnus is afraid that we do not merely comment on the signatures itself but also on the way of signature creation.
"Nice try indeed. Let's keep on topic here first: illegal reverse-engineering."
Please note that this is MY topic and not the topic of Papa God. It will be helpful for everyone (including Magnus) to identify the real reason for his anger. Moreover, it seems to me that Magnus has always been very open to his customers. AFAIK, he never tried to conceal TH's former weaknesses. By contrast, he usually said that the weaknesses will be removed and, in most cases, that's what happened. I feel that this is the main reason why so many people trust Misec and Ewido. Usually, they are more honest to their customers than other market players.
"That's actually of no importance to the topic at hand. This topic isn't about TrojanHunter or Ewido as a target."
Yes, Sir Papa God. You will certainly know what's important and what is not.
flyrfan111
February 4th, 2005, 06:19 PM
I credit Paul with great admiration for allowing this thread to continue and I hope you don't have a change of heart and lock it again. For what it is worth, my 2 cents on the subject are: reverse engineering to disclose a weakness/fault/vulnerability in a piece of security software is illegal according to the letter of the law. However, allowing knowledgeable people (the supposed white hat hackers) to do so in effect protects us all; they will discover ways to improve software and thus provide greater protection to everyone. I for one can not understand how a software maker is not thrilled that someone is trying to improve their product; isn't this a type of compliment in a way? The topic of intellectual property rights does come into play, but then they don't seem to be using the knowledge gained from the reverse engineering process for their own gain. They try to inform the company of possible faults. Yes, we all may not like what is being done here, but rest assured the black hat hackers are doing the same damn thing and using that knowledge for their own benefit to create malware that exploits the faults/vulnerabilities that they find. So I feel that this is a valuable experiment being done and it seems to be by people that do care about the rest of us.
Notok
February 4th, 2005, 06:32 PM
I agree that what's being discussed is worth considering, I just wish that ntl could approach this with a little more professionalism. I have a hard time taking any tests seriously when the tester displays little to no mental discipline.
Infinity
February 4th, 2005, 06:34 PM
Nicely spoken Flyrfan, I completely second you ... except for this
-{ Quote: "by people that do care about the rest of us." }-
but I'll keep the funny things to myself now. ;D
Inf
p.s. Paul & Nautilus -> Thanx
Infinity
February 4th, 2005, 06:48 PM
-{ Quote: "I just wish that ntl could approach this with a little more professionalism" }-
yes, correct about that. no need for getting personal here...or indeed he might stay in his own backyard.
this discussion is on the edge regarding TOS so might be better to act a bit more mature and discrete.
Inf.
Paul Wilders
February 4th, 2005, 06:53 PM
-{ Quote: "@Paul
-- Preface: I would like to highlight that you edited your post. Your initial version of the post contained several rude comments. Because you are an admin nobody can see that you amended your post. Well done! --" }-
Edited and rude comments? What the heck are you talking about? Those following this thread do know better.
-{ Quote: "Contrary to the above posts your comments are not helpful at all. You do not mention why you believe that AV/AT's reverse engineering activities are illegal." }-
Let's put it the other way around: in case you are that sure, reveal your identity instead of hiding out. Andreas Marx does, Andreas Clementi does. They have nothing to fear. Makes one wonder...
-{ Quote: "Your other comments are also not helpful:
"First - no offence intended - please don't imply you are playing in the same league as Secunia. That said: Secunia isn't reverse-engineering; they are merely reporting findings of others."
First: Your comments are beside the point. You did not even try to answer the question." }-
Seems quite to the point to me.
-{ Quote: "Second: Your constant use of the expression "no offense intended" is absolutely dishonest. Of course you intended to offend us." }-
Wrong again. Why on earth should I intend to offend you? Let's not get paranoid here - there's a difference between questioning your methods and goal and the intent of offending.
-{ Quote: "We did NOT suggest that we play in the same league as Secunia." }-
Good - that's for the record ;)
-{ Quote: "By contrast, we properly distinguished between security advisors and testers (like us). If you believe that Secunia does not reverse engineer please replace this name by another security advisor's name." }-
If you say so ::)
-{ Quote: "Third: It's amazing that you comment on our technical knowledge. This is because your own knowledge of security software's internals goes close to zero. And that's exactly the problem." }-
It's refreshing to have someone questioning my knowledge - doesn't happen that often. Guess Kaspersky, Mischel, McAleavey etc. are next in line? All do have very outspoken opinions in regard to you as well...
-{ Quote: "Frequently, you do not even understand what people are talking about and, consequently, you make improper comments or wrongly moderate a thread. Even more embarrassing is that your forum must be partially closed if you go to bed. You really have a problem with a perceived lack of control. But please let me assure you. It is not necessary that you try to play Papa God. Your comments, skills and insights are not and do not need to be better than those of everyone else. And you do not need to control, censor and subdue everyone. The forum will be better without such dictatorship." }-
If you say so ;D - sorry, but I'm on the verge of taking all this not that serious any more.
-{ Quote: ""Second: depending on the software in question: you are not allowed to do so in 99 percent of all cases."
Thanks for this most helpful and well-founded insight." }-
You're most welcome ;)
-{ Quote: ""Nothing - unless we do believe it's not done. Our prerogative."
Thanks for this self-centered comment. Please note, however, that the question was NOT whether you properly removed the screenshot. The question was whether it is illegal to post it. Believe it or not, many people like to know whether they act illegally or not." }-
...has been answered a while ago, hasn't it?
-{ Quote: ""in case it's a result of reverse-engineering: seems like it."
It seems that I need a more substantiated answer.
"Magnus didn't address this for no reason."
I believe the reason why Magnus did not comment on this question is that (i) the license agreement does not address this issue and (ii) Magnus does not really know whether it is illegal to apply the patch. We also do not know whether it is illegal or not. But we hesitate to apply the patch before this question has been answered." }-
All I can say is: when in doubt (as you obviously are, see the bolded part): make sure you are and don't take advantage of being anonymous all the way.
-{ Quote: ""Looks like you've got your answer in the meantime - illegal. Courtesy demands Magnus providing the final verdict once more instead of me."
We have not got an answer. I do not know what you are talking about. Moreover, it is not up to Magnus to provide "a final verdict". We are certainly interested in his comments. But in the end it's the law that decides." }-
Well, playing hide and seek certainly doesn't help as for credibility - especially in case you don't have an answer. For all interested: law according to which country as far as your actions are concerned?
-{ Quote: ""You've lost me; are you in effect stating you have patched other AV/AT software as well and developers have stated that's just OK?"
No. I expressly stated that we did not patch Ewido. Moreover, we did not patch any other software so far.
...implying you have no hesitation in doing so if you feel like it?
-{ Quote: "I said other developers are more cooperative because they offered to provide us with signatures (i.e., they want to save us the work to apply file splitters etc.)." }-
I've stated this before: you are re-inventing the (rather old) wheel. I've commented on this before over on this thread; please read back.
-{ Quote: "It's a little bit far fetched to assume that Magnus' main concern is the patch itself. If he did not want us to apply the patch (for no reason) he could still send us an internal build with the admin mode enabled.
I will tell you what the real problem is: Magnus is afraid that we do not merely comment on the signatures itself but also on the way of signature creation." }-
It's not up to me to comment on this. Magnus Mischel surely will - I presume.
-{ Quote: ""Nice try indeed. Let's keep on topic here first: illegal reverse-engineering."
Please note that this is MY topic and not the topic of Papa God." }-
...and please note this is OUR board, and we do allow you to vent your issues over here as long as we feel fit. It's as simple as that - no fathers or gods involved.
-{ Quote: "It will be helpful for everyone (including Magnus) to identify the real reason for his anger. Moreover, it seems to me that Magnus has always been very open to his customers. AFAIK, he never tried to conceal TH's former weaknesses. By contrast, he usually said that the weaknesses will be removed and, in most cases, that's what happened. I feel that this is the main reason why so many people trust Misec and Ewido. Usually, they are more honest to their customers than other market players." }-
This is addressed to Magnus and Tobias. No need for me to comment on this.
-{ Quote: ""That's actually of no importance to the topic at hand. This topic isn't about TrojanHunter or Ewido as a target."
Yes, Sir Papa God. You will certainly know what's important and what is not." }-
Now, let's get things straight. You started off inviting quite a lot of software companies to join in on a general 'test'. As time goes by, you are limiting your focus on TrojanHunter and my person. I didn't change the agenda for sure...so cut the 'Sir Papa God' crap - and focus on your initial goal. Seems to me you've lost sight of that ;)
regards,
paul
Magnus Mischel
February 4th, 2005, 07:37 PM
I am pretty sure at this point why "Nautilus" wants to remain anonymous. It's a very convenient way to avoid responsibility for licensing and license issues. For all I know he could even be a competitor, which would not surprise me given the numerous attempts to discredit various scanners. Anyway, I have much better things to do with my time than responding to an anonymous poster who obviously thrives on the attention he is getting so I will get back to doing some real work which is more than one can say about Nautilus' posts here.
---
February 4th, 2005, 07:50 PM
"Edited and rude comments? What the heck are you talking about? Those following this thread do know better."
I will then take it for granted that you inadvertently confused "preview" and "edit mode".
"It's refreshing to have someone questioning my knowledge - doesn't happen that often. Guess Kaspersky, Mischel, McAleavey etc. are next in line?"
Wrongly guessed. The knowledge of a coder is usually greater and, sometimes, different from the insights of a tester.
"reveal your identity instead of hiding out. Andreas Marx does, Andreas Clementi does."
Correct. But they have present or future financial interests. Moreover, they are not/have not always been completely independent from AV/AT developers. They are or try to be gentlemen testers. By contrast, we have or try to have no friends or foes.
"You started off inviting quite a lot of software companies to join in on a general 'test'. As time goes by, you are limiting your focus on TrojanHunter and my person."
This is only because you made so many unasked comments. I also perceive it unfortunate that the focus lies on TH. It was a tactical mistake of Magnus to get upset and draw attention to TH's weakness. TH is NOT the only AV/AT affected. Please also note: initially, we did not even put the emphasis on such weaknesses. But since this issue has been brought up: ALL software developers should remove hidden functions that allow one to dump a scanner's signature database. Such functions should not be included in public builds.
---
Btw.: Was this thread really closed for a short time? Did you need to internally discuss whether it must be removed and/or how to handle me & this entire awful situation?
---
February 4th, 2005, 08:01 PM
@Magnus
"For all I know he could even be a competitor, which would not surprise me given the numerous attempts to discredit various scanners."
That could be true. However, it's hard to tell which one. We have criticised McAfee, Kaspersky, BOClean, AntiVir, Ewido, Trojan Hunter and many others. The only competitor we could work for is Emsisoft/A2/Andreas Haak.
However, this is also unlikely because I have already said that I believe that a2 is still unable to compete with the top AT scanners (like BOC, TDS-3 or Trojan Hunter).
Believe it or not, we are really independent. However, we DO receive information from various AV/AT developers. And such information IS occasionally intended to make competing products looking bad. And we DO publish such information if we believe that it serves the public.
Stan999
February 4th, 2005, 08:13 PM
There just wouldn't be any way to know if an anonymous tester, who seems to feel a need to hide his identity, would be impartial or not. IMHO, without any way to determine if the anonymous tester may or may not be biased, any test results would have a large credibility gap and be without any real value.
Paul Wilders
February 4th, 2005, 08:15 PM
-{ Quote: ""Edited and rude comments? What the heck are you talking about? Those following this thread do know better."
I will then take it for granted that you inadvertently confused "preview" and "edit mode"." }-
By all means. Those following this thread do know better.
-{ Quote: ""It's refreshing to have someone questioning my knowledge - doesn't happen that often. Guess Kaspersky, Mischel, McAleavey etc. are next in line?"
Wrongly guessed. The knowledge of a coder is usually greater and, sometimes, different from the insights of a tester." }-
Right. Have a look at Magnus Mischel's comment right above. No further comment needed. Unless you want various colleagues of Magnus coming over and posting the same.
-{ Quote: ""reveal your identity instead of hiding out. Andreas Marx does, Andreas Clementi does."
Correct. But they have present or future financial interests. Moreover, they are not/have not always been completely independent from AV/AT developers. They are or try to be gentlemen testers. By contrast, we have or try to have no friends or foes." }-
Suggesting Andreas Clementi and his tests are financially influenced is a serious issue. I sincerely do hope you can back this up. If not: it's in effect slander.
-{ Quote: ""You started off inviting quite a lot of software companies to join in on a general 'test'. As time goes by, you are limiting your focus on TrojanHunter and my person."
This is only because you made so many unasked comments." }-
...Let's get this straight: you are putting the blame on me because of the fact I commented unasked in a thread on our own board? This is getting ridiculous...
-{ Quote: "I also perceive it unfortunate that the focus lies on TH. It was a tactical mistake of Magnus to get upset and draw attention to TH's weakness. TH is NOT the only AV/AT affected. Please also note: initially, we did not even put the emphasis on such weaknesses." }-
Rubbish. In your first post you posted - removed shortly after - a screen shot especially targeted at TH/TrojanHunter. No further comment needed.
-{ Quote: "Btw.: Was this thread really closed for a short time? Did you need to internally discuss whether it must be removed and/or how to handle me & this entire awful situation?" }-
Totally off topic and in fact none of your business. Please don't offend people's intelligence; trying to divert from the real subject at hand isn't serving your cause at all.
regards,
paul
---
February 4th, 2005, 08:27 PM
@Paul
"Suggesting Andreas Clementi and his tests are financially influenced is a serious issue. I sincerely do hope you can back this up. If not: it's in effect slander."
Not at all. You just incorrectly interpreted my statement. I did not say that they get bribed or something. However, they want to directly or indirectly earn money with their tests and/or their (future) IT-related work. This is not bad per se. However, it should be noted that we are completely independent. We do not look for a job in the IT sector. We do not want to get paid for our tests etc. We do not have any financial interests. That may or may not compensate for our anonymity.
"Let's get this straight: you are putting the blame on me because of the fact I commented unasked in a thread on our own board? This is getting ridiculous..."
Again: you are so self-centered! Just because someone asks a question in YOUR forum you are not asked to reply unless you have something meaningful to say. It's simply not necessary that you comment each and everything. Of course, you can still do it because this is YOUR forum. However, such comments are redundant.
"Rubbish. In your first post you posted - removed shortly after - a screen shot especially targeted at TH/TrojanHunter. No further comment needed."
Wrong. Again, you try to conceal the truth. We also posted a screenshot targeted at Ewido. Did they also ask you to remove it?
Paul Wilders
February 4th, 2005, 08:56 PM
-{ Quote: "@Paul
"Suggesting Andreas Clementi and his tests are financially influenced is a serious issue. I sincerely do hope you can back this up. If not: it's in effect slander."
Not at all. You just incorrectly interpreted my statement. I did not say that they get bribed or something. However, they want to directly or indirectly earn money with their tests and/or their (future) IT-related work. This is not bad per se." }-
You aren't addressing the real issue at hand here - have another look at Magnus Mischel's very outspoken last post. Plain for all to see.
As for your statement in regard to Andreas Clementi: I merely did read what you have stated, no more and no less. Even the slightly mellowed comment I've quoted comes at least close to slander - unless you back it up.
-{ Quote: "However, it should be noted that we are completely independent. We do not look for a job in the IT sector. We do not want to get paid for our tests etc. We do not have any financial interests." }-
None of us do know who you are and therefore what your motives are, wether you do get paid or not etc.
-{ Quote: "...That may or may not compensate for our anonymity." }-
On the contrary: it's actually backfiring at you as may be plain to see in the meanwhile.
-{ Quote: ""Let's get this straight: you are putting the blame on me because of the fact I commented unasked in a thread on our own board? This is getting ridiculous..."
Again: you are so self-centered! Just because someone asks a question in YOUR forum you are not asked to reply unless you have something meaningful to say." }-
'Self-centered'? I'm not 'asked to reply'? Heck, everyone is entitled to join in - guess that counts me in as well. As for meaningful: at least Magnus and my person have been addressing this in a factual and plain way...
-{ Quote: "It's simply not necessary that you comment each and everything. Of course, you can still do it because this is YOUR forum. However, such comments are redundant." }-
You are right - for that reason I don't post that much. I do jump on the bandwagon if necessary though. And this is one of those rare occasions.
-{ Quote: ""Rubbish. In your first post you posted - removed shortly after - a screen shot especially targeted at TH/TrojanHunter. No further comment needed."
Wrong. Again, you try to conceal the truth. We also posted a screenshot targeted at Ewido." }-
Wrong? You did pick TrojanHunter as a target. The fact you posted a screen shot from Ewido doesn't make any difference.
-{ Quote: "Did they also ask you to remove it?" }-
I have been informed they missed the screen shot - it had been removed already. So there was no need to ask for removal.
Overall, the pattern as for this thread is plain for all to see - weeding out all in-betweens. I'm sure readers have gained enough information to draw their conclusions as Magnus Mischel has.
regards,
paul
---
February 4th, 2005, 09:10 PM
@Paul
I consider most of your comments irrelevant. Everyone can make up his own mind (at least if s/he reads the uncensored thread at our forum).
However, one comment is important to me:
"As for your statement in regard to Andreas Clementi: I merely did read what you have stated, no more and no less. Even the slightly mellowed comment I've quoted comes at least close to slander - unless you back it up."
I did not say anything bad about Andreas Clementi. I merely made a distinction between professional testers and us. AFAIK, Andreas Clementi has previously performed internal tests for AV/AT developers. Now he wants to establish an independent review business like A. Marx. Nothing bad about this. But both testers want to earn money by working in the IT sector. That's why they can't afford to be as radical as us. If all AV/AT developers jointly bashed Andreas M. or Andreas C. they would be out of business. By contrast, we are greyhats/underdogs who have nothing to lose.
Paul Wilders
February 4th, 2005, 09:22 PM
-{ Quote: "@Paul
I consider most of your comments irrelevant. Everyone can make up his own mind (at least if s/he reads the uncensored thread at our forum)." }-
That's your prerogative no doubt - as it is Magnus Mischel's, Eugene Kaspersky's, Wayne Langlois', Kevin McAleavey's etc. etc.
What happens over on your own niche is none of our concern.
-{ Quote: "However, one comment is important to me..." }-
As far as I'm concerned, all has been said. As you stated correctly, it's up to the readers over here to make up their mind - and no doubt in my mind they will or already have done so.
regards,
paul
---
February 4th, 2005, 09:36 PM
In principle, I am also finished.
However, I can't refrain from posting one more comment:
"That's your prerogative no doubt - as it is Magnus Mischel's, Eugene Kaspersky's, Wayne Langlois', Kevin McAleavey's etc. etc.
What happens over on your own niche is none of our concern."
You constantly indicate that you have received private emails from the above-mentioned persons and that such persons condemn our activities.
Actually, I consider it likely that this is indeed the case. However, since several AV/AT developers (including some of the above-mentioned persons) have also confirmed in writing to me that it is generally good what we do, I do not consider this a serious issue. Most if not all AV/AT developers will do everything to conceal the flaws of their software. This is because it's generally easier to deny/conceal a flaw than to fix it. After all, AV/AT developers are predominantly interested in their own profits. Security is only a secondary objective.
spm
February 4th, 2005, 09:52 PM
I have to say it has been very entertaining reading this thread here. It's always good to be a spectator at a bun fight, especially when the protagonists take such a dislike to each other and are quite unable to behave with decorum.
Now...
1. Disregard all the talk of what's legal and what's not. It's simply irrelevant. Of those who make claims one way or another, none of you have the slightest idea. You are not lawyers, and definitely not lawyers with specific knowledge of the subject matter. You do, however, profess to know more than they do. The only time legal matters are of any importance whatsoever is if one or more parties involved actually take legal action. And this forum is quite irrelevant in that respect.
2. Disregard the personal animosity that has grown between the Scheinsicherheit representative and Paul Wilders. Paul in particular seems blissfully unaware of the inherent contradiction in much of what he has written (especially when he claims not to seek to insult, while at the same time plainly attempting to do just that with his written words).
3. Disregard the Scheinsicherheit representative's insistence on anonymity as being any kind of factor in his/her (well, it seems clear that he is a he, rather than a her, but I will remain PC in this respect) credibility. If he/she goes ahead with the planned tests and publishes the results then each individual can then come to his/her own conclusion as to their validity and act accordingly.
4. Disregard Paul's attempts to discredit the poster (as he clearly does attempt to do): this only serves to diminish his own credibility. Let's be clear here: it is Paul who expressly permits anonymous postings to these forums, so for him to then berate a poster for protecting him/herself behind this expressly permitted opportunity is hardly an action rooted in reason.
As an aside: I am surprised by Magnus' involvement in this thread. I have great respect for Magnus and his product, but I am disappointed that he felt the need to involve himself to the extent that he did. No vendor can win a public argument such as this.
...What you are then left with is an offer from Scheinsicherheit which has been warmly received by a number of other posters. If you don't see this, then go ahead - make a copy of this thread's contents and remove all the dross. You will see that this is indeed the case. So go ahead, Scheinsicherheit ... perform your tests and then post the results for all to see.
---
February 4th, 2005, 10:10 PM
@spm
"You are not lawyers,"
Not entirely correct.
"and definitely not lawyers with specific knowledge of the subject matter."
Probably correct.
"well, it seems clear that he is a he, rather than a her, but I will will remain PC in this respect"
Not entirely correct. There is not a single "Nautilus". "Nautilus" is the name of a project including male members and at least one female member. "---", however, is indeed male.
" I have great respect for Magnus and his product, but I am disappointed that he felt the need to involve himself to the extent that he did. No vendor can win a public argument such as this."
I already sent a private email to Magnus and told him that people will be disappointed and that he can't win this public argument. However, people should also bear in mind that it is VERY HARD for an AV/AT developer to properly react in a situation like this. You need to take into account that a scanner is the "baby" of the coder. The coder is spending MUCH time and will do everything to make the scanner as good as possible. It's very hard for a coder to accept that random strangers like us suddenly start to criticise their baby. That's why we should not condemn them if they get upset. They are just human beings.
" So go ahead, Scheinsicherheit ... perform your tests and then post the results for all to see."
Damn. It seems that we now really need to do some work ;-)
Bubba
February 4th, 2005, 10:25 PM
-{ Quote: "Not entirely correct. There is not a single "Nautilus". "Nautilus" is the name of a project including male members and at least one female member. "---", however, is indeed male." }-
I'll stand corrected by those other than your person....but I believe the name Nautilus that others have been using throughout this thread is in reference to the Wilders Nautilus junior member (http://www.wilderssecurity.com/member.php?u=1529) ....not the nautilus project you are alluding to ?
hbkh
February 5th, 2005, 12:49 AM
-{ Quote: "However, people should also bear in mind that it is VERY HARD for an AV/AT developer to properly react in a situation like this. You need to take into account that a scanner is the "baby" of the coder. The coder is spending MUCH time and will do everything to make the scanner as good as possible. It's very hard for a coder to accept that random strangers like us suddenly start to criticise their baby. That's why we should not condemn them if they get upset. They are just human beings." }-
I think this is the first nice thing said in this thread, thus far. btw is anyone else getting a headache reading all this? ;D ;D ;D
---
February 5th, 2005, 06:23 AM
1.
I understand that Bubba does not want me to answer his question.
2.
There is a rather unfortunate development to report:
Magnus now presents his customers with two bad alternatives ( http://forum.misec.net/board/TrojanHunter;action=display;num=1107385909;start= ). Alternative A is to entirely remove the custom ruleset feature. Alternative B is not to do anything.
He quickly deleted alternative C (which was suggested by me). Fortunately, user Matt_Day had an idea similar to alternative C: "Would it be possible to say, not edit rules created by Misec (and therefore pleasing these people that the rules "cannot be viewed"), but still allowing users to create and edit their own?" I hope Magnus will not also delete the post of Matt_Day.
So what is alternative C and what is it all about:
TH features two kinds of rules. The old, weak file rules. Such file rules are visible to everyone and such file rules can be viewed, edited and added by the customer. By contrast, the new, code-based file rules are supposed to be stronger. Such new rules cannot be viewed, edited or added by the customer UNLESS the admin mode of Trojan Hunter is enabled.
In other words, there is generally no reason to remove the interface for the old file rules. Nobody has asked for such action. It is entirely sufficient that malicious people do not get access to the new file rules because this would facilitate the creation of modified malware that can't be detected by TH.
The problem is that the interface for the new file rules is CONTAINED in the public version of TH for no good reason. Note: the ordinary customer cannot use it because the interface is hidden. However, a hacker can enable the interface for the new file rules and then dump the entire signature database in order to create modified malware. Contrary to what Magnus says it is much easier to activate the hidden interface for the new file rules than to crack a properly encrypted signature database which cannot be accessed by means of a hidden interface.
Our suggestion would be (i) NOT to remove the interface for the old file rules, (ii) to ENABLE and MAKE VISIBLE the interface for the new, safer file rules and (iii) to modify the interface for the new, safer file rules in such a way that only the creation of new file rules is possible (i.e., it should not be possible to view/dump the standard/default file rules created by Misec). If this suggestion is technically too difficult to implement the interface for the NEW (not the old) file rules should be entirely removed from the TH public builds. Such removal of the interface for the NEW file rules would mean absolutely no change to TH's customers because the interface is presently hidden.
In principle, it makes no sense to me that Magnus asks whether the interface for the old file rules should be deleted. Nobody is talking about the old file rules. (I could only imagine that the interface for the old file rules is somehow connected to the hidden interface for the new file rules and, therefore, Magnus faces technical difficulties to merely remove the hidden interface for the new file rules from public builds. However, such technical difficulties would need to be solved.)
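The add-only design of alternative C, as an added example in Python that is not TrojanHunter or Misec code (rule names, patterns and the class layout are constructed for illustration): vendor rules are loaded into a matcher with no enumeration or dump path at all in the public build, while user rules keep full create/view/edit/delete, so there is no hidden flag whose flipping would expose the default rules.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes  # byte sequence the scanner looks for in a file


class VendorRuleSet:
    """Default rules shipped by the vendor, loaded for matching only.

    Deliberately no __iter__, __getitem__ or dump(): the public build has no
    code path that enumerates vendor patterns, so an 'admin mode' switch would
    have nothing to unlock (contrast: a hidden `if self.admin_mode: return
    self._rules` is a client-side flag, not a security boundary).
    """

    def __init__(self, rules):
        self._rules = tuple(rules)

    def __len__(self):
        return len(self._rules)

    def match(self, data: bytes):
        """Names of vendor rules whose pattern occurs in data."""
        return [r.name for r in self._rules if r.pattern in data]

    def fingerprint(self) -> str:
        """Ruleset version identifier for the UI; reveals no pattern content."""
        h = hashlib.sha256()
        for r in self._rules:
            h.update(r.name.encode() + b"\0" + r.pattern)
        return h.hexdigest()[:16]

    def __repr__(self):
        return f"<VendorRuleSet {len(self)} rules fp={self.fingerprint()}>"


class UserRuleSet:
    """Rules the customer creates: viewable and editable, like the old file rules."""

    def __init__(self):
        self._rules = {}

    def add(self, rule: Rule):
        if rule.name in self._rules:
            raise ValueError(f"rule {rule.name!r} already exists")
        self._rules[rule.name] = rule

    def edit(self, name: str, pattern: bytes):
        if name not in self._rules:
            raise KeyError(name)
        self._rules[name] = Rule(name, pattern)

    def remove(self, name: str):
        del self._rules[name]

    def view(self, name: str) -> Rule:
        return self._rules[name]

    def names(self):
        return sorted(self._rules)

    def match(self, data: bytes):
        return [r.name for r in self._rules.values() if r.pattern in data]


class PublicScanner:
    """What a public build ships: scanning over both sets, user CRUD, no vendor dump."""

    def __init__(self, vendor: VendorRuleSet, user: UserRuleSet):
        self.vendor = vendor
        self.user = user

    def scan(self, data: bytes) -> dict:
        return {"vendor": self.vendor.match(data), "user": self.user.match(data)}

    def can_dump_vendor_rules(self) -> bool:
        """True only if some enumeration path exists; should stay False in public builds."""
        return any(hasattr(self.vendor, m) for m in ("dump", "__iter__", "__getitem__"))


# Constructed demo rules (not real signatures).
VENDOR_RULES = VendorRuleSet([Rule("demo.a", b"VENDOR-PATTERN-1"),
                              Rule("demo.b", b"VENDOR-PATTERN-2")])
```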
---
February 5th, 2005, 06:31 AM
ADDENDUM:
There is one possibility why alternative C may not be a good alternative. It is possible that the way of signature creation under the new file rule system is flawed. (We have not analyzed this yet.) In such case, it would not be a good idea to enable the hidden interface for the new file rules because it will allow hackers to exploit the flaws pertaining to the signature creation method.
In such case, it would be better to entirely remove the hidden interface for the new file rules from the public builds (as a preliminary measure) and, subsequently, create a better, safer way of signature creation.
---
February 5th, 2005, 08:11 AM
I believe that it may indeed be illegal to patch a computer program (even if you have not reverse engineered such program).
Within the European Community the Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs ( http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&type_doc=Directive&an_doc=1991&nu_doc=0250&lg=EN ) has been implemented by numerous member states:
Pursuant to Article 4(b) of such Directive any alteration of a computer program generally requires authorization.
--------------
"Article 4 Restricted Acts
Subject to the provisions of Articles 5 and 6, the exclusive rights of the rightholder within the meaning of Article 2, shall include the right to do or to authorize:
(a) the permanent or temporary reproduction of a computer program by any means and in any form, in part or in whole. Insofar as loading, displaying, running, transmission or storage of the computer program necessitate such reproduction, such acts shall be subject to authorization by the rightholder;
(b) the translation, adaptation, arrangement and any other alteration of a computer program and the reproduction of the results thereof, without prejudice to the rights of the person who alters the program;"
------------------
The application of a patch may be considered an alteration of the computer program although it is argued, for example, that only alterations of the source code (and not minimal modifications of the binary code) are covered.
Moreover, it may well be the case that none of the exceptions from the authorization requirement applies. For instance, Article 5 of the Directive provides:
------------
"Article 5 Exceptions to the restricted acts
1. In the absence of specific contractual provisions, the acts referred to in Article 4 (a) and (b) shall not require authorization by the rightholder where they are necessary for the use of the computer program by the lawful acquirer in accordance with its intended purpose, including for error correction.
...
3. The person having a right to use a copy of a computer program shall be entitled, without the authorization of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do."
-------------
In the present case, it is doubtful whether the application of the Admin Patch serves the purpose of error correction. On the one hand, the hidden Admin Mode is a security risk which should be fixed. If you do not apply the Admin Patch you cannot prove that such security risk exists and the developer will not react until it's too late. On the other hand, the actual fix can only be performed by the developer. This is because all public versions must be fixed in order to resolve the problem.
I think the dilemma is that the language of the statutory law is too tight and, therefore, it may not be possible to inform the public about security flaws. This would be quite unfortunate: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realized that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," (see http://news.com.com/Researcher%2Bfaces%2Bjail%2Bfor%2Bfinding%2Bbugs/2100-7348_3-5531586.html , cited by LowWaterMark).
If it were actually true that the language of the legal statutes must be narrowly interpreted this would be another example for the detrimental effects of the current copyright law which does not provide for a fair balance between consumers and rightholders.
spy1
February 5th, 2005, 10:26 AM
-{ Quote: "I think this is the first nice thing said in this thread, thus far. btw is anyone else getting a head ache reading all this? ;D ;D ;D" }-
Yes, I noticed that, too. Rang quite true and indicated a little more compassionate understanding of the people and personalities they were dealing with than had hitherto been revealed - maturity even, for God's sake.
And then I read post #62 and thought to myself - "Wow, that really makes sense! Why doesn't Magnus just do that?". Whereupon I read #63 and thought "OMG. I hope that's not the case and not the reason why he doesn't want to do that."
Anyway, I hope if the discussed issue is a bona-fide vulnerability in TH, that Magnus will do whatever it takes to correct it. I certainly don't fault him for having a (supposed) weakness/vulnerability in his program - nobody's perfect.
But I would have to wonder about it if he didn't want to admit to the fact that something (or maybe everything related to his old and new file rules interface) needed to be re-written from the ground up to make the program better/safer/more immune to attack for his users.
After all - that's what it's all about, isn't it? Pete
Terryala
February 5th, 2005, 11:02 AM
Well I must say that this has been an interesting read. No matter the feeling expressed here one way or another.
There were things said by both sides that made sense. But my feeling is it's time for the Testers to test the programs and post results.
I agree with spy1 that as the thread went on there seemed to be more of an understanding. Maybe it was a good thing that this thread continued as it did give everyone a chance to AIR things out. Maybe both sides learned something, I can only hope.
To Paul a thank u for reopening this thread.
Grand Dad
rerun2
February 5th, 2005, 06:39 PM
Nautilus thank you for clearing things up in my earlier post.
I wonder though if any sort of reverse engineering or patching is going to take place in your test. If so, what advantage would this give in testing over your previous method of testing which involved modifying the malware?
---
February 6th, 2005, 04:00 AM
@rerun2
I have already stated that we did not reverse engineer TH or any other scanner. Consequently, no reverse engineering will or has taken place in the course of the test.
You can turn on the TH admin mode either with the help of a patch or manually with a hex editor by making a minor alteration of the program. The respective knowledge probably results from reverse engineering (not performed by us). It may be illegal to alter the TH program (see above). Therefore, we will reconsider applying the patch. If we do not apply the patch or comment on TH's method of signature creation the significance of the test results will be lower than it could be.
If people want us to provide test results of greater significance they should ask Magnus to expressly allow us the use of the patch (for test purposes only).
illukka
February 6th, 2005, 01:57 PM
-{ Quote: "complete rubbish is actually making me consider removing custom detection rules entirely from the next version of TrojanHunter. " }-
don't do it Magnus !!!!
that's one of the best features in trojan hunter, i really hope that it will stay
as for the test, i'll comment on it when it's finished
a hint for ntl:
test spyware/hijackers too
also test removal mechanisms
infect with CWS NS3 and check who removes ;)
---
February 6th, 2005, 02:03 PM
@illukka
This will be a signature quality evaluation series only. We will only do spot checks. The completion of the test will take us several weeks.
Spyware and trojan removal needs to be covered by another test. Our capacities are severely limited.
illukka
February 6th, 2005, 03:20 PM
it seems to me that nowadays it's mostly spyware/hijackers that are added to signatures
for every new rat there's a couple of new spywares
i suppose it will be relatively easy to find a weak spot in every scanner, an old zoo trojan for example..
i'd be more concerned if there are flaws in the signatures of some major trojans
---
February 6th, 2005, 03:52 PM
We will not test signature quantity (i.e., test whether rare zoo trojans are detected) but signature quality. We will use popular and rare trojans in order to determine whether the signature quality differs depending on the spread of the trojan (e.g., it might be possible that an AV/AT developer uses more sigs or hand-picked, high-quality sigs for popular trojans).
We will not test the quality of the signatures used for the detection of replicating malware like virii, worms and widely spread spyware. This would not make sense. High-quality sigs are only required for the detection of non-replicating malware which is frequently modified, customized etc. That's why we always say that a scanner that performs badly in our tests may still be a good scanner for replicating malware. If you are interested in the detection of replicating malware you can read the tests of Andreas Clementi. We do not believe that we would be able to significantly improve such tests.
illukka
February 6th, 2005, 04:26 PM
-{ Quote: "in order to determine whether the signature quality differs depending on the spread of the trojan (e.g., it might be possible that an AV/AT developer uses more sigs or hand-picked, high-quality sigs for popular trojans)." }-
that would be only a logical thing to do (for a trojan analyst)
the web is full of buggy'n'crappy (mostly vb) trojans which no-one will ever use to infect anyone (probably not even the author... ROFL).. why waste time and energy in getting a superb detection/multiple signatures of such a major threat? those are nice to have in a collection though :D
because
there are also some very popular trojans which have lots of different versions/variants, and most importantly users.. who use just that favourite rat to infect people..
that's just my opinion of course..
spy1
February 21st, 2005, 01:11 PM
"all rule creation buttons in advanced mode are no longer part of TH 4.2"
(from this thread: http://forum.misec.net/board/TrojanHunter/1108891502 ).
Looks like "_ _ _" was right. Pete