-- Teaser: Why size doesn't matter! --

Discussion in 'other anti-trojan software' started by ---, Feb 1, 2005.

Thread Status:
Not open for further replies.
  1. ---

    --- Guest

    @Magnus

    1.
    "TrojanHunter has always had an open ruleset and this has n

    "...Oh, and one more thing. I had always believed that an open database was beneficial to the end user - this is why the user has always been able to add his own detection rules and view those already in place. The only reason that the Advanced File Rules were not available to end users is because they are too complicated to operate and too much work to
    support."

    I did not and do not agree. See the reply @ Wilders. I believe that
    signatures should be encrypted.

    "However, your posts have convinced me that no good can come
    from having an open signature database since people like you will only
    abuse it."

    Exactly. In particular, hackers will abuse an open signature database.
    I believe that we have discussed this issue several months ago. I also
    believe to remember that you told me that TH 4 would use a closed
    signature database in order to prevent people from abusing it.

    ----

    Moreover, please explain what is exactly wrong with our testing methods. (Btw.: It's somewhat funny that people criticise our testing methods although the test has not even started ;-)


    2.
    "And let's make another thing clear. I am not against you testing TrojanHunter or evaluating its signature quality."

    I see. But you want to make it as difficult as possible?

    "What I am against is you blatantly violating the TrojanHunter license agreement and using cracked versions of the program and then posting about it in public. Your testing methods are wrong and like I said nobody will be taking you seriously as long as you continue testing this way."

    Would you be o.k. if I refrained from using the admin patch as a mean of verifying our results and simply used a file splitter? If yes: would you then also stop from reversing malware and potential (!) malware? Why do you believe that your reversing activities are less illegal than the use of a patched TH version? Why do you believe that people should use TH (although the developer daily reverse engineers software) but should not read our tests because we use the admin patch?

    And one more question: Why is the TH license agreement so terribly small and why is it not possible to print it if you expect people to read it? Is this because the license agreement does not explicitly prohibit the use of a patch but merely prohibits the decompilation or disassembling of the software (which we have not done)? Do you also believe that well-known security advisors are non-trustworthy criminals because they disassemble software in order to discover security flaws?ot changed in the latest version since the user can still add/edit custom detection rules. You are again just trying to divert focus from your testing methods. Every scanner that is out there has the ability to read its own signature database and there is nothing in the world that is going to change that. If you want to make people believe that this is not the case then all you may be able to do is convince some uneducated users that this would be more "secure". However, your constant attacks which anyone with a bit of computer knowledge can tell is complete rubbish is actually making me consider removing custom detection rules entirely from the next version of TrojanHunter. This would not make TrojanHunter one bit more secure, it would just please people like you and those who are uneducated, but the time it would save in having these debates might actually make it worth it."

    Divert focus? I think it's quite the other way round. But I have already replied to your private email:

    snipped. Nautilus, as stated correctly: private email - and therefore not intended to be published on an open forum. Please keep common courtesy and rules in perspective.

    regards,

    paul
     
  2. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Yes, you are very welcome to examine TrojanHunter's signatures with a "file splitter" but, like I said before, your method of using binary patches and then using a patched version in your test is utterly unprofessional.

    There is a huge difference between analysing malware and reverse engineering commercial software in violation of the license agreement. Believe me, I've checked with our lawyer and reverse engineering malware is very much legal.
     
  3. ---

    --- Guest

    @Paul

    "That settles it - and in effect does make your test useless: all in all, you simply do advice all not to rely on just one (signature-based) software. As stated before: why re-invent the wheel? This is rather old news, and you know it."

    I still do not agree ;-) The problem is that most people do not even know that Kaspersky and others have minor or major problems. And even more people do not know WHAT combinations should be used. For instance, it does not make sense to arbitrarily combine two scanners which suffer from the same flaw.

    Last but not least, the above-mentioned AV/AT software developer (no: it's not Emsisoft -- we do not test a2) claims that the new version will sport several features that may overcome most if not all our concerns regarding signature quality etc.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Nautilus,

    As far as I'm concerned: it's heading towards 2:00 AM over here and I'm hitting the sack. I'll address this - if still needed - tomorrow, my time zone.

    regards,

    paul
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Nautilus,

    Last reply has been stalled/removed. This thread is closed for the time being.

    regards,

    paul
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Ladies and gents,

    This thread had been closed because of the merely human need of sleep as well as business to attend after that. As of now, this thread has been re-opened.

    Those feeling the need to contribute are welcome to do so.

    regards,

    paul
     
  7. ---

    --- Guest

    In my opinion the following issues are open and should be clarified:

    1.
    Is it illegal that AV/AT software developers reverse engineer potential malware (i.e., commercial software)?

    2.
    If not: are also security advisors (like Secunia) and/or testers (like us) allowed to reverse engineer?

    3.
    Was it illegal to post the screenshot? (This is of relevance because I won't post it again if it is illegal to do so.)

    4.
    Is it illegal to apply the patch? Would this violate the TH license agreement? Would this violate the laws of the relevant jurisdiction (which one btw.?)?

    5.
    If it were illegal to apply the patch: Why can't Magnus simply allow us to use it only for purposes of our test? (Other AV/AT software developers seem to be quite cooperative.)

    6.
    If not: Why does Magnus not want us to properly test TH (with the help of the patch)? Does this benefit the customers of TH? Does this benefit Magnus because there is anything to hide?

    7.
    Why was Magnus so upset and Ewido so relaxed about the disclosure? (Obviously, both scanners were reverse engineered. The only difference is that the TH screenshot is more impressive and, moreover, TH was not only reverse engineered but also patched.)


    ----------------------------------------------------------------

    An uncensored copy of this post can be found here: ~~~SNIP~~~

    Would you kindly in future refrain from linking to other forums
    Thank you
    ADMIN
     
  8. ---

    --- Guest

    "Would you kindly in future refrain from linking to other forums
    Thank you
    ADMIN"

    I guess this is because it will facilitate manipulations and censorship? Isn't it true that control-freaks fear nothing more than losing absolute control over everyone?

    Example:

    Admin --- A.
    Guest --- B.

    Admin edits B. to A. and everyone says A. A perfect world, isn't it?
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Apart from the fact there's a distinct difference between malware and (commercial) software: as far as I'm concerned it is.

    First - no offence intended - please don't imply you are playing in the same league as Secunia. That said: Secunia isn't reverse-engineering; they are merely reporting findings of others.

    Second: depending on the software in question: you are not allowed to do so in 99 percent of all cases.

    Nothing - unless we do believe it's not done. Our prerogative.

    In case it's a result of reverse-engineering: seems like it. Magnus didn't address this for no reason.

    Looks like you've got your answer in the meantime - illegal. Courtesy demands Magnus providing the final verdict once more instead of me.

    You've lost me; are you in effect stating you have patched other AV/AT software as well and developers have stated that's just OK? o_O

    Nice try indeed. Let's keep on topic here first: illegal reverse-engineering.

    That's actually of no importance to the topic at hand. This topic isn't about TrojanHunter, Ewido as a target.

    regards.

    paul
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Rubbish. In case you would have bothered to investigate: we do have a policy in this regard - not aimed at your person. Thus, your signature has been handled as all others have been.

    regards,

    paul
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hmm, news.com story...

    Researcher faces jail for finding bugs

    No, not exactly the same legal question, but depending upon the outcome of things like this, these questions might become more defined. :doubt:
     
  12. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    A lot of good points have been made.

    However I would like to add that I too strongly disagree with the use of patched software as well. While this may not affect the detection ability of the scanner, I think it goes towards the credibility of the test (or lack thereof). If the issue is simply that you do not have a full version of TH, I can buy a license for your testing if Magnus agrees as well.

    The other point of reverse engineering the scanner is a rather delicate one it seems. Please correct me if I am wrong or if I misunderstood any of the issues here... But I believe if one can test the signature strength of a scanner without reverse engineering the software I think that is better. If all scanners were reverse engineered first, the tester can pick and choose to reveal what areas a scanner is weak in, and fail to reveal others, because of personal bias. Or they may exploit a weakness and make it look larger than it really is. I am not saying that you have any personal bias, but by doing this it may open this kind of test up for such things. I would like to see what you have been doing before, with modifying the malware in specific ways to test the strength of scanners in each area. I do not know if you have found this method effective or if there are limitations. But to me it seems like it would be a much more level playing field.

    I agree with Paul about the test possibly just re-inventing the wheel.

    However I also see Nautilus' contention that it may help viewers see "WHAT combinations should be used. For instance, it does not make sense to arbitrarily combine two scanners which suffer from the same flaw."
     
  13. ---

    --- Guest

    @LowWaterMark

    Your post was helpful indeed. Although I know the guys from Tegam I hope that they will lose the law suit.

    @rerun2

    1.
    Your post was also helpful because it will allow me to clarify a few things:

    "If the issue is simply that you do not have a full version of TH, I can buy a license for your testing if Magnus agrees as well."

    We already have licensed and unlicensed versions of TH 4.0 and 4.1. Licensed and unlicensed versions need to be patched in order to enable the Admin Mode. Such a patch is extremely small and has nothing to do with a crack (software piracy). The patch will not remove copyright protection but simply enable an additional, hidden feature.

    Consequently, we are not in need of a license. Moreover, Magnus had previously offered to send us a free license. (We rejected such offer like we always do.)

    "The other point of reverse engineering the scanner is a rather delicate one it seems. Please correct me if i am wrong or if I misunderstood any of the issues here... But I believe if one can test the signature strength of a scanner without reverse engineering the software I think that is better. If all scanners were reverse engineered first, the tester can pick and choose to reveal what areas a scanner is weak in, and fail to reveal others, because of personal bias. Or they may exploit a weakness and make it look larger than it really is."

    You can also do this w/o reverse engineering. It is very easy to unfairly bash a scanner if you are biased.

    "I am not saying that you have any personal bias, but by doing this it may open this kind of test up for such things. I would like to see what you have been doing before, with modifying the malware in specific ways to test the strength of scanners in each area. I do not know if you have found this method effective or if there are limitations. But to me it seems like it would be a much more level playing field."

    We will continue to use this method. We believe that it is effective. Moreover, we will comment on the signature quality by determining and analysing the signature itself. This does not require reverse engineering. A file splitter is sufficient.

    The TH Admin Mode will allow us to easily verify our results and, moreover, it will allow us to make additional comments relating to the way of signature creation. We will not use patched TH versions for the detection tests.

    "I agree with Paul about the test possibly just re-inventing the wheel."

    I do not agree and, frankly speaking, I believe that Paul is absolutely clueless. But I will further comment on this problem in my next post.

    "However I also see Nautilus' contention that it may help viewers see "WHAT combinations should be used. For instance, it does not make sense to arbitrarily combine two scanners which suffer from the same flaw.""

    I am glad that people understand this point.


    2.
    I would further like to mention that we will not unfairly bash TH because Magnus got angry with us etc. We are definitely used to getting attacked or insulted by various AV/AT developers. This will not stop us from testing their software. Otherwise, a mere insult would be sufficient to avoid a Scheinsicherheit review.

    Moreover, I would like to mention that we have absolutely no reason to bash Magnus. As far as I can tell he was always fair, honest and did not ameliorate the former weaknesses of TH. Instead he continued to improve TH and that's probably the reason why so many people use it. We never had any difficulties with Magnus so far. Our negative comment/disclosure (actually we did not make a negative comment until Magnus got upset and we explained some of the admin features) came right out of the blue. That's why we can never be the friend of any AV/AT software developer. If there is something that we do not like we will always talk about it.
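The post above says a signature can be determined "with a file splitter" and no reverse engineering. The script below is an added example of how that works in practice; it is not the poster's tooling and not TrojanHunter code. A "file splitter" test hands the scanner cut-down copies of a detected file and watches when detection stops; doing the cuts by bisection finds the exact byte span the scanner keys on in about 2*log2(filesize) scans. The scanner here is a constructed stand-in (ToyScanner, a substring matcher); the sample file, the marker string and the assumption that the scanner fires on one contiguous byte string (so detection is monotone under blanking) are all mine, not the page's. Bytes outside the candidate span are overwritten with a filler rather than cut away, so file size and offsets stay the same, which matters for scanners that also check headers or offsets.

```python
"""Locate the byte span a signature-based scanner keys on, by splitting.

Added illustrative code, not from the thread or from TrojanHunter.
ToyScanner is a constructed stand-in; for a real product, replace
ToyScanner.detects() with a function that writes the candidate bytes to a
file and runs the scanner's command-line interface on it.
Assumption: the scanner fires on one contiguous byte string, so detection
stays true exactly as long as that string is left intact.
"""
from typing import Callable, List, Optional, Tuple

FILLER = 0x00  # byte used to blank out regions; assumed not to be part of the signature


class ToyScanner:
    """Constructed stand-in for a signature scanner: fires if any rule string occurs."""

    def __init__(self, rules: List[bytes]) -> None:
        self.rules = rules
        self.scans = 0  # how many candidate "files" were handed to the scanner

    def detects(self, data: bytes) -> bool:
        self.scans += 1
        return any(rule in data for rule in self.rules)


def _mask_outside(data: bytes, start: int, end: int) -> bytes:
    """Keep data[start:end] at its original offset and blank everything else."""
    return bytes([FILLER]) * start + data[start:end] + bytes([FILLER]) * (len(data) - end)


def localize_signature(data: bytes, detects: Callable[[bytes], bool]) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the smallest span whose presence keeps detection,
    or None if the file is not detected or detection does not depend on content."""
    n = len(data)
    if not detects(_mask_outside(data, 0, n)):
        return None  # not detected at all, nothing to localize
    if detects(_mask_outside(data, 0, 0)):
        return None  # fires on an all-filler file: not a content signature we can isolate

    # Largest start such that keeping [start, n) still triggers detection.
    lo, hi = 0, n  # invariant: keep(lo, n) detected, keep(hi, n) not detected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detects(_mask_outside(data, mid, n)):
            lo = mid
        else:
            hi = mid
    start = lo

    # Smallest end such that keeping [start, end) still triggers detection.
    lo, hi = start, n  # invariant: keep(start, lo) not detected, keep(start, hi) detected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detects(_mask_outside(data, start, mid)):
            hi = mid
        else:
            lo = mid
    return start, hi


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed sample: a blob of harmless bytes with a planted marker string."""
    marker = b"RAT-Server v1.0 listening"
    padding = bytes(range(256))  # every byte value, so the marker is not the only non-zero content
    blob = padding * 3 + b"MZ" + marker + padding * 2
    return blob, marker


if __name__ == "__main__":
    blob, marker = build_sample()
    scanner = ToyScanner([marker])
    span = localize_signature(blob, scanner.detects)
    if span is None:
        print("no localizable content signature")
    else:
        start, end = span
        print(f"signature at offset {start:#x}..{end:#x} ({end - start} bytes): {blob[start:end]!r}")
        print(f"found with {scanner.scans} scans of a {len(blob)}-byte file")
```

If a scanner requires several fragments at once, the span returned is the smallest region containing all of them; if it accepts any of several alternatives, one of them is returned. A scanner that stops firing because the filler destroys a header it also checks will report a span that includes that header, which is itself useful information about how the rule was built.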
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Nautilus,

    If I am, I'm in good company (Magnus Mischel, Wayne Langlois, Kevin McAleavey, Eugene Kaspersky, etc.). Be our 'common' guest ;) .

    regards,

    paul
     
  15. ---

    --- Guest

    @Paul

    -- Preface: I would like to highlight that you edited your post. Your initial version of the post contained several rude comments. Because you are an admin nobody can see that you amended your post. Well done! --

    Contrary to the above posts your comments are not helpful at all. You do not mention why you believe that AV/AT's reverse engineering activities are illegal.

    Your other comments are also not helpful:

    "First - no offence intended - please don't imply you are playing in the same legue as Secunia. That said: Secunia isn't reverse-engineering; they are merely reporting findings of others."

    First: You comments are beside the point. You did not even try to answer the question.

    Second: Your constant use of the expression "no offense intended" is absolutely dishonest. Of course you intended to offend us. We did NOT suggest that we play in the same league as Secunia. By contrast, we properly distinguished between security advisors and testers (like us). If you believe that Secunia does not reverse engineer please replace this name by another security advisor's name.

    Third: It's amazing that you comment on our technical knowlege. This is because your own knowledge of security software's internals goes close to zero. And that's exactly the problem. Frequently, you do not even understand what people are talking about and, consequently, you make improper comments or wrongly moderate a thread. Even more embarrassing is that your forum must be partially closed if you go to bed. You really have a problem with a perceived lack of control. But please let me assure you. It is not necessary that you try to play Papa God. You comments, skills and insights are not and do not need to be better than those of everyone else. And you do not need to control, censor and subdue everyone. The forum will be better without such dictatorship.

    "Second: depending on the software in question: you are not allowed to do so in 99 percent of all cases."

    Thanks for this most helpful and well-founded insight.

    "Nothing - unless we do believe it's not done. Our perogative."

    Thanks for this self-centered comment. Please note, however, that the question was NOT whether you properly removed the screenshot. The question was whether it is illegal to post it. Believe it or not, many people like to know whether they act illegally or not.

    "in case it's a result of reverse-engineering: seems like it."

    It seems that I need a more substantiated answer.

    "Magnus didn't address this for no reason."

    I believe the reason why Magnus did not comment on this question is that (i) the license agreement does not address this issue and (ii) Magnus does not really know whether it is illegal to apply the patch. We also do not know whether it is illegal or not. But we hesitate to apply the patch before this question has been answered.

    "Looks like you've got your answer in the meantime - illegal. Courtesy demands Magnus providing the final verdict once more instead of me."

    We have not got an answer. I do not know what you are talking about. Moreover, it is not up to Magnus to provide "a final verdict". We are certainly interested in his comments. But in the end it's the law that decides.

    "You've lost me; are you in effect stating you have patched other AV/AT software as well and developers have stated that's just OK?"

    No. I expressly stated that we did not patch Ewido. Moreover, we did not patch any other software so far. I said other developers are more cooperative because they offered to provide us with signatures (i.e., they want to save us the work of applying file splitters etc.). It's a little bit far-fetched to assume that Magnus' main concern is the patch itself. If he did not want us to apply the patch (for no reason) he could still send us an internal build with the admin mode enabled.

    I will tell you what the real problem is: Magnus is afraid that we do not merely comment on the signatures itself but also on the way of signature creation.

    "Nice try indeed. Let's keep on topic here first: illegal reverse-engineering."

    Please note that this is MY topic and not the topic of Papa God. It will be helpful for everyone (including Magnus) to identify the real reason for his anger. Moreover, it seems to me that Magnus has always been very open to his customers. AFAIK, he never tried to conceal TH's former weaknesses. By contrast, he usually said that the weaknesses will be removed and, in most cases, that's what happened. I feel that this is the main reason why so many people trust Misec and Ewido. Usually, they are more honest to their customers than other market players.

    "That's actually of no importance to the topic at hand. This topic isn't about TrojanHunter, Ewido as a target."

    Yes, Sir Papa God. You will certainly know what's important and what is not.
     
  16. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I credit Paul with great admiration for allowing this thread to continue and I hope you don't have a change of heart and lock it again. For what it is worth my 2 cents on the subject are; reverse engineering to disclose weakness/fault/vulnerability with a piece of security software is illegal according to the letter of the law. However by allowing knowledgeable people (the supposed white hat hackers) to do so in effect protects us all, they will discover ways to improve software and thus provide greater protection to everyone. I for one can not understand how a software maker is not thrilled that someone is trying to improve their product, isn't this a type of compliment in a way? The topic of intellectual property rights does come into play but then they don't seem to be using their knowledge gained from the reverse engineering process for their own gain. They try to inform the company of possible faults. Yes we all may not like what is being done here, but rest assured the black hat hackers are doing the same damn thing and using that knowledge for their own benefit to create malware that exploits the faults/vulnerabilities that they find. So I feel that this is a valuable experiment being done and it seems to be by people that do care about the rest of us.
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I agree that what's being discussed is worth considering, I just wish that ntl could approach this with a little more professionalism. I have a hard time taking any tests seriously when the tester displays little to no mental discipline.
     
    Last edited: Feb 5, 2005
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Nicely spoken Flyrfan, I completely second you ... except for this

    but I'll keep the funny things to myself now. :D

    Inf


    p.s. Paul & Nautilus -> Thanx
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes, correct about that. no need for getting personal here...or indeed he might stay in his own backyard.

    this discussion is on the edge regarding TOS so might be better to act a bit more mature and discreet.

    Inf.
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Edited and rude comments? What the heck are you talking about? Those following this thread do know better.

    Let's put it the other way around: in case you are that sure, reveal your identity instead of hiding out. Andreas Marx does, Andreas Clementi does. They have nothing to fear. Makes one wonder...

    Seems quite to the point to me.

    Wrong again. Why on earth should I intend to offend you? Let's not get paranoid here - there's a difference between questioning your methods and goal and the intent of offending.

    Good - that's for the record ;)

    If you say so :rolleyes:

    It's refreshing to have someone questioning my knowledge - doesn't happen that often. Guess Kaspersky, Mischel, McAleavey etc. are next in line? All do have very outspoken opinions in regard to you as well...

    If you say so :D - sorry, but I'm on the verge of taking all this not that serious any more.

    You're most welcome ;)

    ...has been answered a while ago, hasn't it?

    All I can say is: when in doubt (as you obviously are, see the bolded part): make sure you are and don't take advantage of being anonymous all the way.

    Well, playing hide and seek certainly doesn't help as for credibility - especially in case you don't have an answer. For all interested: law according to which country as far as your actions are concerned?

     
  21. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    I am pretty sure at this point why "Nautilus" wants to remain anonymous. It's a very convenient way to avoid responsibility for licensing and license issues. For all I know he could even be a competitor, which would not surprise me given the numerous attempts to discredit various scanners. Anyway, I have much better things to do with my time than responding to an anonymous poster who obviously thrives on the attention he is getting so I will get back to doing some real work which is more than one can say about Nautilus' posts here.
     
  22. ---

    --- Guest

    "Editted and rude comments? What the heck are you talking about? Those following this thread do know better."

    I will then take it for granted that you inadvertently confused "preview" and "edit mode".

    "It's refreshing to have someone questioning my knowlegde - doens't happen that often. Guess Kaspersky, Mischel, Mcaleavey etc. are next in line?"

    Wrongly guessed. The knowledge of a coder is usually greater and, sometimes, different from the insights of a tester.

    "reveal your identity instead of hiding out. Andreas Marx does, Andreas Clementi does."

    Correct. But they have present or future financial interests. Moreover, they are not/have not always been completely independent from AV/AT developers. They are or try to be gentlemen testers. By contrast, we have or try to have no friends or foes.

    "You started off inviting quite alot of software companies to join in on a general 'test'. As time goes by, you are limiting your focus on TrojanHunter and my person."

    This is only because you made so many unasked comments. I also perceive it as unfortunate that the focus lies on TH. It was a tactical mistake of Magnus to get upset and draw attention to TH's weakness. TH is NOT the only AV/AT affected. Please also note: initially, we did not even put the emphasis on such weaknesses. But since this issue has been brought up: ALL software developers should remove hidden functions that allow one to dump a scanner's signature database. Such functions should not be included in public builds.

    ---

    Btw.: Was this thread really closed for a short time? Did you need to internally discuss whether it must be removed and/or how to handle me & this entire awful situation?
     
  23. ---

    --- Guest

    @Magnus

    "For all I know he could even be a competitor, which would not surprise me given the numerous attempts to discredit various scanners."


    That could be true. However, it's hard to tell which one. We have criticised McAfee, Kaspersky, BOClean, AntiVir, Ewido, Trojan Hunter and many others. The only competitor we could work for is Emsisoft/A2/Andreas Haak.

    However, this is also unlikely because I have already said that I believe that a2 is still unable to compete with the top AT scanners (like BOC, TDS-3 or Trojan Hunter).

    Believe it or not, we are really independent. However, we DO receive information from various AV/AT developers. And such information IS occasionally intended to make competing products looking bad. And we DO publish such information if we believe that it serves the public.
     
  24. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    There just wouldn't be any way to know if an anonymous tester, that seems to feel a need to hide his identity, would be impartial or not.

    IMHO, without any way to determine whether the anonymous tester may or may not be biased, any test results would have a large credibility gap and be without any real value.
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    By all means. Those following this thread do know better.

    Right. Have a look at Magnus Mischel's comment right above. No further comment needed. Unless you want various colleagues of Magnus coming over and posting one and the same.

    Suggesting Andreas Clementi and his tests are financially influenced is a serious issue. I sincerely do hope you can back this up. If not: it's in effect slander.

    ...Let's get this straight: you are putting the blame on me because of the fact I commented unasked in a thread on our own board? This is getting ridiculous...

    Rubbish. In your first post you posted - removed shortly after - a screen shot especially targeted at TH/TrojanHunter. No further comment needed.

    Totally off topic and in fact none of your business. Please don't offend people's intelligence; trying to divert from the real subject at hand isn't serving your cause at all.

    regards,

    paul
     