Joanna Rutkowska ," detecting file infections was a waste of time".

Discussion in 'other anti-virus software' started by ashishtx, Sep 6, 2007.

Thread Status:
Not open for further replies.
  1. ashishtx

    ashishtx Registered Member

    Joined:
    Oct 7, 2005
    Posts:
    389
    Location:
    Houston,Texas
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,764
    Location:
    Texas
    More thoughts by Kurt Wismer here and here.
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Well, most of what we deal with today are not infected executables. Its more like Trojan down loaders delivered either through an intentional package like some free screen saver, or via a browser vulnerability using a hacked web site. Same goes for boot sector viruses. The term virus may be obsolete as most malware is non replicating. Delivery is accomplished by means other than the malware package itself. We are also in an age where distinguishing spyware from more malicious forms of malware is getting more difficult. This leaves me somewhat uncomfortable with the idea that separate apps should deal with spyware and the stuff that is worse, as in setting up bot networks and loading key loggers. Perhaps Symantec has a good idea with its Anti-Bot product (if it works).
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Actually the number of file infectors is increasing. They are usually harder to detect and also harder to remove.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater

    How do you know this?
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    He's in the know.

    But I agree with detection being ... futile. Human mind can only work to the limits of its own exploits. Beyond that, no software can help.

    If something is wrong, good, but if something is good, what then? How far do we trust ourselves, the scanners, the distributor, the vendor etc...

    It comes down to a simple principle: if in doubt, there's no doubt.
    If you gonna run it, run it, no reason to scan... just prolong the suffering.

    Mrk
     
  7. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    I can understand that AV companies are not going to find a solution that will stop viruses forever or at least that they are not going in that direction.

    But... we have the same situation in health, big drug companies are blocking ideas that could stop disease...
     
  8. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Every now and then someone says the ISP's should identify all the Bots and shut them down until fixed. However, they can't charge for service during the shutdown, so don't expect the ISP's to leave that revenue on the table.
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I was never afraid of trojans, backdoors and mumbo jumbo mass mail worms, but i still have plenty of respect to real viruses. What would you be more afraid of a regular headache (mass mail worms) or parasitic virus (file infectors)?
    I can spot that regular junk bilions of miles ahead. But you can't spot file infector without checking file content. It can be any executable, legit or not, from known vendor or not. It can be made by Symantec and just passed through infected PC and next user has no chance of spotting anything suspicious about it even though it's actually infected.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I agree with you, RejZoR. File infectors and macro viruses are difficult to spot (from the point of view of an average or above-average user like me). Other kinds of malware are easily avoided with safe computing + common sense.
     
  11. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    no offense to the original poster (of this thread :) ), he didnt write it.

    but this article was a 'waste of time' :isay:
     
    Last edited: Sep 7, 2007
  12. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    @C.S.J

    If you are trying to say that the blog writer didn't write it then maybe you missed this part:

    So, do I want to say that all those years of A/V research on detecting file infections was a waste time? I’m afraid that is exactly what I want to say here.

    AFAIK Joanna Rutkowska is a clever lady who knows how to grab attention. Her blue pill was overrated and the answers she gave to the challanges were really laughable.

    Again if you see her blog (with comments), you'll find Vesselin Bontchev cleared up her confusion nicely but she just didn't acknowledge it. This is one of the many reasons I like forums like this more than a blog (unless of course if it belongs to someone respectable).
     
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    nope i meant the original poster of this thread.
     
  14. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Oh sorry.
     
  15. ashishtx

    ashishtx Registered Member

    Joined:
    Oct 7, 2005
    Posts:
    389
    Location:
    Houston,Texas
    I could not think of any other thread heading. Sorry about that.
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I just saw an article over at Neowin about an Ebay bot net attack that was being delivered by compromised websites. So far as I can tell, this is one of the main methods of infiltration today.

    Someone please explain to me why infected files are so important when compromised websites and trojan loaded crapware are so common today. I get the feeling someone is worrying about a technical or theoretical problem when the real deal is 10 or 100 times worse.
     
  17. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Just password-protect your whole OS with your own program in BASIC, C++ or one you can buy, and ditch your AV, SSM, firewall, etc. This "ZERO DAY" BSola is like a broken record. But Opera is still faster that IE!

    Dave
    One of the VERY few people who knows why C, C+ and C++ are so-called!
     
  18. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I don't think there is a C+ programming language, so yes you are amoung the "VERY few". There is a C+- though ;)

    Also, how would password protecting your drive do anything for you, a virus can still delete and corrupt password protected files. In addition, getting rid of a firewall while still having open ports with services listening on them that you did not explicitly enable and ensure the security of is not a good idea.

    As to protection, I would always say backups are the best solution, such as to a tape or usb drive. That way if you are hit, it takes little time to come up to a pristine state without having to worry whether or not the infection was actually taken care of.

    Cheers,

    Alphalutra1
     
  19. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Indeed there is a C+ programming language, and password protection is an effective alternative to AVs, HIPS, etc. Just email the guys at LLNL.gov or PDG.gov, and tell them Dave sent you! The whole password protection idea -- properly implemented -- secures both user/client/net interface/internet by password protocol. Does that make sense? Or am I obfuscating the obvious? I don't always explain things well.


    Dave
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    Do explain again.
    Mrk
     
  21. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Okay. For anyone who or anything that wishes to access my PC, a password is needed. The password changes pseudorandomly and can be seen only by me. If I deny entrance, the file is deleted or the intruder is denied entrance. If I download something which might be viral or potentially destructive and if I wish to install it, my password system informs me of each act being performed and I must afford it my approval at each step of istallation by a password which shall change several times before any other change by installation occurs. No one, no program can read the passwords which resides on a drive run by The Edinburgh-Cambridge LCF three-teir platform and is echoed to a "dummy" second monitor which cannot be recognized by Windows, Linux, etc.

    Was that okay?

    Dave
     
  22. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    That system would have a usability rating of "well below zero".

    "each act being performed", like each file copied? each registry entry set?

    right.... as if anyone would actually start entering 3278 pseudorandom passwords to install open office (default install, not counting temp files)...

    you'D probably have to enter a few hundred passwords just to boot the damn thing :)

    even if that wouldn't be an issue, such as system basically implements no help to a user at all, since he's the one who has to make each and every decision (good or bad).
     
  23. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,056
    Location:
    Las Vegas
    Lack of critical thinking and erroneous statements on both counts. AV companies will increase profits if they develop something that works. As to drug companies, they also profit greatly if they find a disease stopper.
     
  24. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    okay, I have searched google, and I cannot find one. Maybe I am lacking something in search skills. There is a C+@, which was originally calico, maybe that is what you are thinking of? Please provide a link because I am interested in learning more.

    Wow, that method is pretty horrible in terms of usability and ability to implement. I don't think it will catch on, ever, if you ask me ;) I think I will stay with my current setup right now, I don't think I will get infected for a while (malware writers will need to start writing some more things and releasing them into the wild for my OS before I begin to worry, and even then, I think there are much more pressing security matters)

    Cheers,

    Alphalutra1
     
  25. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    C = pretopos semantics of programming languages
    C+ = separated presheaf semantics of programming languages
    C++ = full topos semantics = full sheaf semantics of programming languages = typed logic based on equality
    LCF -- if you'll read my post (!) -- is logic for computable funtionals, which handles all the work on another drive. The system works very well! Ask the guys at NASA.gov, LBL.gov., LLNL, etc. Be sure to tell them that Dave sent you!

    Dave
     
Loading...
Thread Status:
Not open for further replies.