Art said:
Better include them. Few will go to the trouble I did trying to figure
out what was wrong, go search on the internet for them, etc. Very
bad, particularly since there was no info on this included that I
could find.
Where's the info? Where's the Help? Why have such a stupid thing
as known false alarms hit users in the face immediately? Very bad.
And what skimpy info is available makes it seem as if the scanner
is strictly a sig scanner using CRC32 type hashes only. What is
the nature of the heuristics?
True, buggy was not a good choice of word. What's a word
meaning "extremely user unfriendly with no help in sight"?
Don't take my bluntness in the wrong way. Look at it, if you
can, as constructive criticism. I've not abandoned the idea
of trying to evaluate your scanner and give it a fair shake,
but geeez!
Please don't throw obvious stumbling blocks
in the way! There's no excuse for the things I've mentioned.
Now, please tell us something. You seem to be using a very
large number of hashes or sigs. Were all the sigs established
on known tested and _viable_ samples?
And please quit top posting. It makes it too difficult for
others to follow our exchange. And I'll be damned if I'm
going to go to the trouble of fixing that up.
Art
http://home.epix.net/~artnpeg
If I did include the external files (richtx32.ocx, msinet.ocx,
flash.ocx, msvbm60.dll), that would add almost 2 extra MB to the
download. For users on a dialup connection, that seems a bit
unreasonable to me, especially since most of the computers I've
installed this on already have the required runtimes. I know for a
fact that most of the computer users aren't computer literate, however,
when they come across something like a "missing msvbm60.dll" error,
chances are, they'll probably have a good idea that they need that dll.
As it said in the technical information page, this program is mainly
designed for network administrators and software developers, but can
also be used on a home computer. This alone inherently states that
you'll have to have at least some basic technical expertise to
understand in detail how it works. Aside from that, if you have the
runtimes, all you have to do is point and click... the interface was
made to be self explanatory. I don't think it can get much more
simplistic than that. And I believe the term you're looking for is
"Non-Drool Proof" (i.e. non user friendly).
As for the heuristics... open heur.txt and look at the pattern for at
least a few seconds. Obviously, the number right above the name is the
sensitivity indicator. If you want a more in-depth explanation of it,
I would suggest you download the source code and start reading it.
http://69.10.149.234/~idbehold/vte/VTE.HTM
And yes, I do have a help page up now.
As for the heuristics, they are based off of simple string patterns
that are found in almost every virus/worm/trojan that you'll come
across, and they also contain common API functions that virii tend to
use (For reference I'm referring to Native Executables, not Portable
Executables). And keep in mind, the heuristic scanning included may
not always indicate the presence of a virus, just suspicious looking
API calls or strings. Hence the term "heuristics".
If you've read the technical information page, yes, the database
consists of crc32 hash signatures, and they have been tested on viable
samples (see zoo.htm for the whole story). If anyone is going to
complain about the fact that I will allow people to obtain copies of
it, I really don't want to hear your incessant moaning. There was a
reason it was up to begin with, and that was to prove the project was
not a hoax.
And if you're wondering why the updates are so infrequent, there's a
reason why: I work 40+ hours a week doing fast food service.
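As an added illustration (not code from this thread or from the VTE project), the following Python model shows the two mechanisms the reply describes: a whole-file CRC32 signature lookup, and a heuristics pass over string/API-name patterns where each pattern carries a sensitivity weight. The heur.txt layout (a number on the line directly above each pattern name), the database entries, the sample byte strings and the alert threshold are all constructed assumptions for the example; none of them are the project's real data.

```python
import zlib
from typing import Dict, List, Optional, Tuple

# Constructed sample "files": harmless byte strings, not real samples or real hashes.
KNOWN_SAMPLE = b"MZ\x90\x00constructed test file containing CreateRemoteThread and WriteProcessMemory"
# One byte changed: the whole-file CRC32 no longer matches the signature database.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"test", b"tezt")
# A benign-looking updater that only references a download API.
CLEAN_DOWNLOADER = b"MZ\x90\x00constructed benign updater using URLDownloadToFileA only"


def crc32_hex(data: bytes) -> str:
    """Whole-file CRC32 rendered as 8 hex digits; this is the database key."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


# Signature database: CRC32 -> detection name (constructed entry).
SIGNATURE_DB: Dict[str, str] = {crc32_hex(KNOWN_SAMPLE): "Constructed.Test.A"}

# Constructed heur.txt-style text. The alternating "sensitivity / pattern" layout is an
# assumption drawn from the reply ("the number right above the name is the sensitivity
# indicator"), not the project's actual file.
HEUR_TXT = """\
3
CreateRemoteThread
3
WriteProcessMemory
1
URLDownloadToFileA
2
RegisterServiceProcess
"""


def parse_heur(text: str) -> List[Tuple[int, bytes]]:
    """Parse sensitivity/pattern pairs; blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("heur.txt must alternate sensitivity and pattern lines")
    return [(int(lines[i]), lines[i + 1].encode()) for i in range(0, len(lines), 2)]


HEURISTICS = parse_heur(HEUR_TXT)


def signature_scan(data: bytes) -> Optional[str]:
    """Exact whole-file match only: any byte change defeats it."""
    return SIGNATURE_DB.get(crc32_hex(data))


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Sum the sensitivity weights of every pattern present in the file."""
    score = 0
    hits: List[str] = []
    for weight, pattern in HEURISTICS:
        if pattern in data:
            score += weight
            hits.append(pattern.decode())
    return score, hits


def scan(data: bytes, threshold: int = 4) -> dict:
    """Combine both passes. Heuristic hits below the threshold stay 'clean' so that a
    single low-weight API reference (common in legitimate software) does not raise an
    alert; above it the verdict is 'suspicious', never 'virus'."""
    name = signature_scan(data)
    score, hits = heuristic_scan(data)
    if name is not None:
        verdict = "known"
    elif score >= threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signature": name, "score": score, "hits": hits}


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("updater", CLEAN_DOWNLOADER)):
        print(label, scan(blob))
```

Running it shows the trade-off both posts circle around: the one-byte variant escapes the CRC32 signature entirely but still trips the heuristics, while the benign updater references only a low-weight pattern and is left alone. The threshold is what keeps known false alarms from "hitting users in the face"; a scanner that reported every single pattern hit would do exactly that.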