InVircible and generic technology

  • Thread starter: Victor
Jason said:
....

The build number mentioned on the web page was 572a not 562a as it should
have been.

ok... well, at least you fixed that in the text file..
 
kurt wismer said:
FromTheRafters wrote:
[snip]
Yes, it seems that signature based scanners will *always* fail
against day zero effect worms. Many of the new worms are
designed to take full advantage of this weakness.

please refer to my post of some days (weeks?) ago where f-prot was
detecting swen in my inbox heuristically...

Yes. However, unlike Zvi, I don't consider heuristic detection
to be strictly a signature based scanning method. F-Prot didn't
detect it as Swen, but rather likely detected the more generic
exploit code and knew it was something worth alerting you
about (was it indeed an *exploit* it alerted to?)
scanners are not necessarily completely susceptible to the day zero
effect...

No, but the signature based scanning which "identifies" a particular
malware is. In some cases a *new* virus or worm will not be
sufficiently *new* enough to not be detected as an *old* known
entity, and an *exploit* detection is not specific to a worm or virus.
(although they are being called trojans)

If a malware is sufficiently *new*, day zero still applies.
 
FromTheRafters said:
kurt wismer said:
FromTheRafters wrote:
[snip]
Yes, it seems that signature based scanners will *always* fail
against day zero effect worms. Many of the new worms are
designed to take full advantage of this weakness.

please refer to my post of some days (weeks?) ago where f-prot was
detecting swen in my inbox heuristically...

Yes. However, unlike Zvi, I don't consider heuristic detection
to be strictly a signature based scanning method.

in that case, do any 'signature based scanners' actually exist? you
know, the kind that you say will always fail against day zero effect
worms (i thought they were called warhol worms)?

F-Prot didn't
detect it as Swen, but rather likely detected the more generic
exploit code and knew it was something worth alerting you
about (was it indeed an *exploit* it alerted to?)

no, the alert didn't include the word "exploit", nor did it have any
kind of name - it was a true heuristic 'may contain unknown or
corrupted blah blah blah' type of report... hold on the exact wording
was "could be a corrupted or intended virus"...
 
FromTheRafters said:
Yes. However, unlike Zvi, I don't consider heuristic detection
to be strictly a signature based scanning method.

Note that I am rather choosy on my phrasing. Heuristics are based on *pattern
recognition*, which is a broader case of plain signature recognition. You could
describe it as signature based, with preprocessing and fuzzy logic. In no way
are heuristics "strictly signature based".

F-Prot didn't
detect it as Swen, but rather likely detected the more generic
exploit code and knew it was something worth alerting you
about (was it indeed an *exploit* it alerted to?)

Although I don't know the specifics in Kurt's case, most chances are that what
disclosed the bogus message is the "<iframe src=" line. Plain trivial, and
expected.

"Not necessarily completely susceptible" is a funny expression. Like "not
necessarily completely lethal", i.e. it doesn't always kill, or kills, but only
slightly. ;)

No, but the signature based scanning which "identifies" a particular
malware is. In some cases a *new* virus or worm will not be
sufficiently *new* enough to not be detected as an *old* known
entity, and an *exploit* detection is not specific to a worm or virus.
(although they are being called trojans)

Heuristics are widely misunderstood in this group, and as a result, attributed
capabilities that they don't possess. Heuristics can detect a new virus only
if it contains a *pattern* included in the product's database, which is a
signature, or one of several possible signature fractions, after appropriate
pre-processing.
If a malware is sufficiently *new*, day zero still applies.

The term "day zero" is misleading, as it gives the wrong impression of the
problem and lulls users into a false sense of being safe. A more appropriate
term is "new threat outbreak" phase, which may last for several days, more often
weeks, until countermeasures to the new threat are fully deployed.

Regards, Zvi
 
Zvi Netiv said:
Note that I am rather choosy on my phrasing. Heuristics are based on *pattern
recognition*, which is a broader case of plain signature recognition. You could
describe it as signature based, with preprocessing and fuzzy logic. In no way
are heuristics "strictly signature based".

Okay. My terminology may be inaccurate. My use of "signature"
was to indicate that a specific malware could be recognized, and
the less specific detection by heuristic or other more general means
would be "generic" detection. I can see how "pattern recognition"
could encompass more than just a "signature".

Although I don't know the specifics in Kurt's case, most chances are that what
disclosed the bogus message is the "<iframe src=" line. Plain trivial, and
expected.

I was thinking along those lines, or the ability to detect an "audio/x-wav"
content type mismatched with a file having .exe or .src extension.

"Not necessarily completely susceptible" is a funny expression. Like "not
necessarily completely lethal", i.e. it doesn't always kill, or kills, but only
slightly. ;)

Heuristics are widely misunderstood in this group, and as a result, attributed
capabilities that they don't possess. Heuristics can detect a new virus only
if it contains a *pattern* included in the product's database, which is a
signature, or one of several possible signature fractions, after appropriate
pre-processing.

Heuristics may mean something different where AV is concerned,
but to me it was first introduced in a chess playing program ~ pattern
matching (now called "book") was used first, and if no match was
found then heuristics came into play with general rules such as "a
particular piece's value is increased toward the center of the board",
"control of the center of the board is advantageous", "when in doubt,
push a pawn", and other less specific advice. Heuristics were always
somewhat less reliable than "book".

Could you point me to an online information source of what
the term means with regard to AV products?

The term "day zero" is misleading, as it gives the wrong impression of the
problem and lulls users into a false sense of being safe. A more appropriate
term is "new threat outbreak" phase, which may last for several days, more often
weeks, until countermeasures to the new threat are fully deployed.

I agree, which is why I sometimes qualify that with 'week zero' or 'month zero'
to stress that point.
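The two generic tells named in this thread, an "<iframe src=" line in the HTML body and a declared content type such as audio/x-wav sitting on an attachment with an executable filename, can be checked without knowing any worm's name. The code below is an added example written for this page; it is not from any of the posters and not from any AV product. The extension list, the PE "MZ" magic check and the two sample messages are constructed for the example and are assumptions, not a description of what F-Prot or anyone else actually did.

```python
"""Generic MIME heuristics: flag structure, not identity.

Added example. Walks a parsed message and reports three structural
patterns that need no per-sample signature:
  1. an executable filename extension under a non-application Content-Type
  2. a payload starting with the PE "MZ" magic under a non-application type
  3. an HTML body that embeds something through an <iframe src=...>
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical policy values chosen for this example, not from any product.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
IFRAME_RE = re.compile(r"<iframe\s[^>]*src\s*=", re.IGNORECASE)


def scan_message(raw: bytes) -> list[str]:
    """Return a list of generic findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        # 1. Declared type (e.g. audio/x-wav) vs executable extension.
        if fname.endswith(EXEC_EXTS) and not ctype.startswith("application/"):
            findings.append(f"type/extension mismatch: {ctype} vs {fname}")
        # 2. Declared non-executable type vs PE magic in the decoded payload.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            findings.append(f"declared {ctype} but payload starts with MZ")
        # 3. HTML body that pulls a part in through an <iframe src=...>.
        if ctype == "text/html" and IFRAME_RE.search(part.get_content()):
            findings.append("html body embeds <iframe src=...>")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed sample messages (not real captures) serialised to bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed sample"
    if malicious:
        # HTML body referencing the attachment by Content-ID through an iframe,
        # plus an attachment whose declared type does not match its name or bytes.
        msg.set_content(
            '<html><body><iframe src="cid:payload" width=0 height=0>'
            "</iframe></body></html>",
            subtype="html",
        )
        msg.add_attachment(
            b"MZ\x90\x00" + b"\x00" * 60,  # fake PE header bytes
            maintype="audio", subtype="x-wav",
            filename="update.exe", cid="<payload>",
        )
    else:
        msg.set_content("Quarterly numbers attached.")
        msg.add_attachment(
            b"%PDF-1.4 fake",
            maintype="application", subtype="pdf", filename="q3.pdf",
        )
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, scan_message(build_sample(flag)))
```

Each check is a pattern over message structure rather than a hash or byte string of one sample, which is the sense in which the thread calls such detection "generic": a message that carries none of these patterns is not flagged, however new or old the payload is, and a message that carries them is flagged without the scanner ever naming it.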
 