InVircible and generic technology


Victor

The general opinion of this group, based on what I have read, is
InVircible is not a very good product. I don't know myself whether it
is or not since I am far less knowledgeable than most here. But my
question is, "is it the product itself or the concept of a generic
based program that makes it, in many opinions, not so good?" Or, for
that matter, is a good generic based scanner really a possibility in
today's technology? Once again, I am not here to put down InVircible;
it may be a great program with bad press, I just have a question.
 
Victor said:
The general opinion of this group, based on what I have read, is
InVircible is not a very good product. I don't know myself whether it
is or not since I am far less knowledgeable than most here. But my
question is, "is it the product itself or the concept of a generic
based program that makes it, in many opinions, not so good?" Or, for
that matter, is a good generic based scanner really a possibility in
today's technology? Once again, I am not here to put down InVircible;
it may be a great program with bad press, I just have a question.

i suspect most of the negative opinions actually have more to do with
the author of invircible than its current implementation and any
flaws/defects it might have...

generic av techniques are actually quite powerful, but their
application isn't necessarily the same as what most people are used to
with av software (read: you can't use it in exactly the same way and
get the same results)... so the fact that it's generic shouldn't be the
reason some folks frown on it...
 
Victor said:
The general opinion of this group, based on what I have read, is
InVircible is not a very good product.

Yes, it seems to have run into some opposition here, but
that's mostly historical imo. I am certainly no expert in the
AV field, but I believe that the program can be effective
if used properly.
I don't know myself whether it
is or not since I am far less knowledgeable than most here. But my
question is, "is it the product itself or the concept of a generic
based program that makes it, in many opinions, not so good?"

There are pitfalls in the concept I think, but the programmer must
have found ways to deal with those. As far as it being susceptible
to attack by malware, it has become fairly evident that most AVs
are not impervious to such attacks.

My only complaint (if you can call it that) is that it is suggested
as an alternative (replacement) for, and somehow superior to,
signature based scanning. Imo it is not, but may be a valuable
additional AV tool if used properly.
Or, for
that matter, is a good generic based scanner really a possibility in
today's technology?

Maybe some of the experts here can answer that, but it seems
that Zvi is of the opinion that it can be used effectively. ;o)

I don't know, but with the signature based scanner you need a
new definition added for a new worm, even if it uses the same
old vulnerability as the last one. With the generic approach you
should be able to detect the new one based on the method the
old one used ~ detection and intervention of the method some
future malware uses could be rightfully claimed. If some entirely
new method were discovered, then the generic database would
have to be updated, along with any needed engine modifications
to handle the new method. You probably wouldn't have a "day
zero effect" every day like you do with signature based scanners.
 
Victor said:
The general opinion of this group, based on what I have read, is
InVircible is not a very good product.

I think it's pretty good. It's not THE answer, but a nice addition. Indeed
by using generic strategies, or 'rules of thumb' known and unknown virii and
worms can be detected.
I don't know myself whether it
is or not since I am far less knowledgeable than most here. But my
question is, "is it the product itself or the concept of a generic
based program that makes it, in many opinions, not so good?"

There's one big thing against (any) generic AV tool: "False positives" (I
know I am on thin ice here). Since generic 'means' it does not rely on
signatures, it can never be 100% certain that 'the identified item' is in
fact a virus.

One example of a very generic 'rule': if a program tries to hide its true
extension (by using double extensions: 'virus.txt.exe') then in general a
generic AV tool will raise an alert. And indeed one may consider this
suspicious, though the file is not by definition a virus.

So, in general, generic IV tools leave the final decision with the end user
in many cases. So, some understanding about how virii and worms work and
spread may be required before being able to implement a generic AV utility.
You must be able to 'judge' a file or process that was brought to your
attention by the generic AV utility.
Or, for
that matter, is a good generic based scanner really a possibility in
today's technology?

Today a generic AV utility, is IMO very useful, just look at how recent
worms were able to spread even when a signature based AV tool was installed.
Worms that could be easily detected by using generic 'rules'.

I believe a 'layered' approach may be best.

- Firewall ... a firewall *should* have detected recent worms such as msblast
(although some didn't)
- Generic AV monitors *should* detect worms a la msblast even when the
firewall 'missed' it.
- In favor of signature based tools is that they can identify the virus by name;
this makes it easier to find info on getting rid of it.
Once again, I am not here to put down InVircible
it may be a great program with bad press, I just have a question.

I have decided to ignore bad press (sometimes/often years old) and have been using
IV for a few months now. I am very pleased with it.
 
Victor said:
The general opinion of this group, based on what I have read, is
InVircible is not a very good product. I don't know myself whether it
is or not since I am far less knowledgeable than most here. But my
question is, "is it the product itself or the concept of a generic
based program that makes it, in many opinions, not so good?" Or, for
that matter, is a good generic based scanner really a possibility in
today's technology? Once again, I am not here to put down InVircible;
it may be a great program with bad press, I just have a question.

It's the implementation of the idea. The product is of poor quality, in my
recent experience. I wonder if they've fixed the short file name problem yet
in the integrity checker. [http://mantrid.freeshell.org/invircible.txt]
Given the amount of time this product has been around (it's been around many
years), it's astoundingly underdeveloped. - Just get a good IDS/IRS, I can't
actually think of one off hand for windows. But Tripwire for u*ix, is
reportedly quite good.

It makes me feel a bit uneasy that people actually may try and use it; be it
at their peril. Hopefully it can only improve in quality.
 
Jason Spashett said:
It's the implementation of the idea. The product is of poor quality, in my
recent experience. I wonder if they've fixed the short file name problem yet
in the integrity checker. [http://mantrid.freeshell.org/invircible.txt]

Integrity checking and generic detection aren't the same. Apart from the
integrity checker there's a little more to IV.

Anyway, I repeated the test described in
[http://mantrid.freeshell.org/invircible.txt] with the exact same
file-names, made modifications to both files and Audit & Integrity detected
the modifications to BOTH files!
Given the amount of time this product has been around (it's been around many
years), it's astoundingly underdeveloped.

Well, if [http://mantrid.freeshell.org/invircible.txt] is the only thing to
back this bold statement up, then I don't value your opinion very much.

- Just get a good IDS/IRS, I
can't
actually think of one off hand for windows. But Tripwire for u*ix, is
reportedly quite good.

IDS isn't the same as generic virus detection.
It makes me feel a bit uneasy that people actually may try and use it;

Well don't.
be
it
at their peril. Hopefully it can only improve in quality.

If you have got something to say improve the quality of your 'proof' and
research.
 
Jason Spashett said:
The general opinion of this group, based on what I have read, is
InVircible is not a very good product. I don't know myself whether it
is or not since I am far less knowledgeable than most here. But my
question is, "is it the product itself or the concept of a generic
based program that makes it, in many opinions, not so good?" Or, for
that matter, is a good generic based scanner really a possibility in
today's technology? Once again, I am not here to put down InVircible;
it may be a great program with bad press, I just have a question.

It's the implementation of the idea. The product is of poor quality, in my
recent experience. I wonder if they've fixed the short file name problem yet
in the integrity checker. [http://mantrid.freeshell.org/invircible.txt]

I read the report referred to, and although I tried hard to understand what you
are trying to demonstrate, I couldn't make any sense of it.

BTW, there is no "build 572" yet as mentioned in the reference page (the current
build is 565), nor "update #30" (30 is the default update number where 'smart
update' hasn't been activated).

If you think you discovered a genuine problem, then the honest way was to e-mail
us about it and we would check and fix what needs fixing (if needed at all). The
way you chose rather suggests that you have an agenda.
Given the amount of time this product has been around (it's been around many
years), it's astoundingly underdeveloped. - Just get a good IDS/IRS, I can't
actually think of one off hand for windows. But Tripwire for u*ix, is
reportedly quite good.

It makes me feel a bit uneasy that people actually may try and use it; be it
at their peril. Hopefully it can only improve in quality.

What peril, exactly? ;-)
 
Joep said:
Jason Spashett said:
It's the implementation of the idea. The product is of poor quality, in my
recent experience. I wonder if they've fixed the short file name problem yet
in the integrity checker. [http://mantrid.freeshell.org/invircible.txt]

Integrity checking and generic detection aren't the same. Apart from the
integrity checker there's a little more to IV.
Integrity checking is a Generic method.
Anyway, I repeated the test described in
[http://mantrid.freeshell.org/invircible.txt] with the exact same
file-names, made modifications to both files and Audit & Integrity detected
the modifications to BOTH files!
Then perhaps they have fixed it. Did you try the specific build mentioned?
They certainly didn't want to comment when I posted the bug as you well
remember.

Well, if [http://mantrid.freeshell.org/invircible.txt] is the only thing to
back this bold statement up, then I don't value your opinion very much.
That's alright.
If you have got something to say improve the quality of your 'proof' and
research.
I'll not examine new versions of said software each time they come out. Take it as
you have then.
 
Victor said:
is a good generic based scanner really a possibility in
today's technology?

'Generic' and 'scanner' are opposites and do not combine.

'Scanner' necessarily implies passive pattern recognition, while 'generic'
excludes it, but encompasses everything else, including system behavior. How
would you "scan" system behavior, or spawning, or response to baiting (these are
all generic techniques), etc.?

Regards, Zvi
 
Zvi Netiv said:
'Generic' and 'scanner' are opposites and do not combine.

'Scanner' necessarily implies passive pattern recognition, while 'generic'
excludes it, but encompasses everything else, including system behavior. How
would you "scan" system behavior, or spawning, or response to baiting (these are
all generic techniques), etc.?
....

Scanner is not the opposite of generic in my dictionary. You can use
scanning as a generic method of detection once you've determined what to
scan for. ( There are papers on this )

Anyway, by "scanner" Victor meant the process of examining files by what
ever means. That is obvious, unless you have a fanatic pedantism.
 
Integrity checking is a Generic method.

Integrity checking may be a generic method, that's still not the same as
saying generic virus detection equals integrity checking. Generic virus
detection is so much more.

Then perhaps they have fixed it. Did you try the specific build mentioned?

That build doesn't seem to exist yet. I am using the latest build, which is
565a.
I'll not examine new versions of said software each time they come out. Take it as
you have then.

No one asks you to keep on testing IV. However before making statements like
that, you better verify them first, and you may want to point out that you
*only* tested a single aspect of only one of the tools that is IV, being
'Audit and Integrity'.
 
FromTheRafters said:
[...]

My only complaint (if you can call it that) is that it is suggested
as an alternative (replacement) for, and somehow superior to,
signature based scanning. Imo it is not, but may be a valuable
additional AV tool if used properly.

I don't suggest IV as a replacement to scanners. What I DO suggest is to change
strategy and use generic protection for alerting and first line protection. All
recent malware attacks prove that the days of scanners, on-demand as well as
background, are over.

Scanners have a role in identifying the attacking virus, and can help in
choosing an optimal course of action, like the use of a DEDICATED disinfection
tool. Note that scanners are useless, since long, in handling the great
majority of recent malware. Which is the reason for which there are so many
dedicated and virus specific cleaning tools.
Maybe some of the experts here can answer that, but it seems
that Zvi is of the opinion that it can be used effectively. ;o)

I don't know, but with the signature based scanner you need a
new definition added for a new worm, even if it uses the same
old vulnerability as the last one. With the generic approach you
should be able to detect the new one based on the method the
old one used ~ detection and intervention of the method some
future malware uses could be rightfully claimed. If some entirely
new method were discovered, then the generic database would
have to be updated, along with any needed engine modifications
to handle the new method.

Not really. You are missing cardinal differences between the generic approach
and scanners. The latter are of "single mode of failure" design. Generic
protection is closer to fail-safe as it uses *multiple* and *independent*
methods *simultaneously*. Success in the latter requires that a single method,
at least, responds to the threat. Failure, OTOH, is when not even one method
responded to the threat, or IOW, the threat defeats *all* the methods
implemented in the generic system. The latter doesn't happen in real life
scenarios, as practically all threats are detected by more than one method.

Which is why generic protection has the largest margin against both new and
known threats, and doesn't depend on critical updates, like scanners do.

New methods are constantly added to generic protection to *reinforce* the
existing ones, but the performance of the generic product against new threats
doesn't depend on them.
You probably wouldn't have a "day
zero effect" every day like you do with signature based scanners.

That's correct.

Regards, Zvi
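Two of the generic methods this thread keeps returning to, Joep's double-extension 'rule of thumb' (with its false-positive caveat) and the integrity checking that Zvi's post combines with other independent methods, side by side in a small added example. This is illustration code written for this page, not InVircible's own code; the extension lists and the file contents are constructed assumptions, and no real malware is involved.

```python
"""Two independent generic checks run over a constructed file tree."""
import hashlib
from typing import Dict, List

# Assumed lists: extensions that run code, and ones that normally denote data.
EXECUTABLE = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_LIKE = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "zip"}


def baseline_digests(files: Dict[str, bytes]) -> Dict[str, str]:
    """Method A, integrity checking: record a digest of every file at baseline time."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_changes(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Compare the live tree with the baseline: path -> 'modified' | 'new' | 'missing'."""
    now = baseline_digests(current)
    findings: Dict[str, str] = {}
    for path, digest in now.items():
        if path not in baseline:
            findings[path] = "new"
        elif baseline[path] != digest:
            findings[path] = "modified"
    for path in baseline:
        if path not in now:
            findings[path] = "missing"
    return findings


def hides_true_extension(path: str) -> bool:
    """Method B, the name heuristic from the thread: 'virus.txt.exe' style names."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:  # need a basename plus two extensions
        return False
    return parts[-1] in EXECUTABLE and parts[-2] in DOCUMENT_LIKE


def assess(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run both methods independently; a file is reported if at least one responds.
    The name heuristic alone is only a suspicion, so the caller (the user) still
    has to judge such a hit, as Joep's post points out."""
    changes = integrity_changes(baseline, current)
    verdicts: Dict[str, List[str]] = {}
    for path in sorted(set(current) | set(baseline)):
        hits: List[str] = []
        if path in changes:
            hits.append("integrity:" + changes[path])
        if path in current and hides_true_extension(path):
            hits.append("double-extension")
        if hits:
            verdicts[path] = hits
    return verdicts


# Constructed sample tree at baseline time and some time later.
BEFORE = {"C:/Windows/notepad.exe": b"notepad build 1",
          "C:/Users/victor/report.doc": b"quarterly report"}
AFTER = {"C:/Windows/notepad.exe": b"notepad build 1 + appended bytes",
         "C:/Users/victor/report.doc": b"quarterly report",
         "C:/Users/victor/photo.jpg.exe": b"unknown program",
         "C:/Users/victor/setup.zip.exe": b"self-extracting archive"}  # benign: a false positive for B

if __name__ == "__main__":
    for path, hits in assess(baseline_digests(BEFORE), AFTER).items():
        print(f"{path}: {', '.join(hits)}")
```

The modified notepad.exe is caught by integrity checking alone, the new double-extension files by both methods, and setup.zip.exe shows the false positive the thread warns about: the tool can only say "suspicious", not "virus".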
 
Jason Spashett said:
...

Scanner is not the opposite of generic in my dictionary.

Being the one that introduced "generic" to AV (at the NCSA AVPD conference, Nov.
'91), then I should know what I meant by that.
You can use
scanning as a generic method of detection once you've determined what to
scan for. ( There are papers on this )

You can use certain passive-generic methods in scanner mode, like integrity
checking, yet this doesn't make it a "generic scanner". If integrity checkers
were generic scanners, then they would be called that. Don't you think?
Anyway, by "scanner" Victor meant the process of examining files by what
ever means. That is obvious, unless you have a fanatic pedantism.

So far, the fanatic pedant here is you.
 
in the integrity checker.
[http://mantrid.freeshell.org/invircible.txt]

Integrity checking and generic detection aren't the same. Apart from the
integrity checker there's a little more to IV.
Integrity checking is a Generic method.
Anyway, I repeated the test described in
[http://mantrid.freeshell.org/invircible.txt] with the exact same
file-names, made modifications to both files and Audit & Integrity detected
the modifications to BOTH files!
Then perhaps they have fixed it. Did you try the specific build mentioned?
They certainly didn't want to comment when I posted the bug as you well
remember.

Is that webpage yours? If so:

Since it seems 'fixed' don't you think it's reasonable to either:

- Repeat the test with the current version,
- Modify the document to reflect the current situation (it was fixed), or,
- Remove the document
 
--
GPGKID: 0xC0539971
Since it seems 'fixed' don't you think it's reasonable to either:

- Repeat the test with the current version,
- Modify the document to reflect the current situation (it was fixed), or,
- Remove the document

No, the fact still remains. Since it was broken don't you think it should
have been admitted to? It was a whopping great big bug and you both know it.
 
Jason said:
No, the fact still remains. Since it was broken don't you think it
should
have been admitted to? It was a whopping great big bug and you both
know it.

the fact seems to remain that it was broken in a version that has never
existed...

one way or another your documentation is false...
 
Zvi Netiv said:
FromTheRafters said:
[...]

My only complaint (if you can call it that) is that it is suggested
as an alternative (replacement) for, and somehow superior to,
signature based scanning. Imo it is not, but may be a valuable
additional AV tool if used properly.

I don't suggest IV as a replacement to scanners. What I DO suggest is to change
strategy and use generic protection for alerting and first line protection. All
recent malware attacks prove that the days of scanners, on-demand as well as
background, are over.

Yes, it seems that signature based scanners will *always* fail
against day zero effect worms. Many of the new worms are
designed to take full advantage of this weakness.
Scanners have a role in identifying the attacking virus, and can help in
choosing an optimal course of action, like the use of a DEDICATED disinfection
tool. Note that scanners are useless, since long, in handling the great
majority of recent malware. Which is the reason for which there are so many
dedicated and virus specific cleaning tools.

Point taken ~ reliance on cleaners is almost the result of a defeatist attitude.
Not really. You are missing cardinal differences between the generic approach
and scanners.

Yes, I was thinking here in terms of a single generic approach and not
a multi-layered or simultaneous application of differing generic approaches.
I was not however forgetting that your program uses the simultaneous
application design. My intent was to point out that even though the "updates"
of traditional signature based AVs don't apply to generics, that doesn't
mean that the generic design is stagnant ~ the individual methods used
may still require some changes to keep current with any *new* tricks
that come to light.
The latter are of "single mode of failure" design. Generic
protection is closer to fail-safe as it uses *multiple* and *independent*
methods *simultaneously*. Success in the latter requires that a single method,
at least, responds to the threat. Failure, OTOH, is when not even one method
responded to the threat, or IOW, the threat defeats *all* the methods
implemented in the generic system. The latter doesn't happen in real life
scenarios, as practically all threats are detected by more than one method.

Which is why generic protection has the largest margin against both new and
known threats, and doesn't depend on critical updates, like scanners do.

Understood, I didn't mean to imply that your program was that
simplistic (I knew it wasn't).
New methods are constantly added to generic protection to *reinforce* the
existing ones, but the performance of the generic product against new threats
doesn't depend on them.

That was the point I was trying to make. It is not without the *need* for
updates to address some new trick, but the lack of a particular update
would only affect one facet of the overall scheme ~ and not usually result
in a complete failure of the system.
That's correct.

...and that *is* an important consideration, especially of late.
 
FromTheRafters wrote:
[snip]
Yes, it seems that signature based scanners will *always* fail
against day zero effect worms. Many of the new worms are
designed to take full advantage of this weakness.

please refer to my post of some days (weeks?) ago where f-prot was
detecting swen in my inbox heuristically...

scanners are not necessarily completely susceptible to the day zero
effect...
 
....
the fact seems to remain that it was broken in a version that has never
existed...

one way or another your documentation is false...

The build number mentioned on the web page was 572a not 562a as it should
have been.
 