kurt wismer said:
> Zvi Netiv wrote:
> [snip]
>> What prevented Integrity Master, and checkers in the same category (e.g. CRC,
>> MD5, etc.), from becoming widely used in AV, are the following reasons:
>> 1. Plain integrity ("plain" here refers to the processing of the entire file,
>> not to the method used) is useless for AV purposes as it's unable to
>> discriminate between legitimate changes and malware related changes.
> as malware can make arbitrary changes, processing the entire file is
> required... if you're only worried about parasitic infection then sure,
> for some types of files you may only need to check a subset of the
> entire file, but integrity checkers aren't *just* for detecting that
> sort of thing...
Malware doesn't make arbitrary changes, full stop. That's a fallacy that has
been nurtured by ignorance, fools (e.g. Lambdin, with his unsolicited CRCs), and
AVers that had an interest in users assimilating that nonsense.
> of course we've had this disagreement for a good long time now... you
> feel integrity checkers should behave like your product but your product
> has been highly specialized/optimized for detecting infection... plain
> integrity checkers detect a broader range of changes and, correctly or
> incorrectly, leave the interpretation of those changes up to a
> non-autonomous agent also known as the user (which is the real reason
> the non-technical majority never adopted them)...
You are actually saying the same thing, but from a different angle: Users were
incapable of telling, on the basis of the plain integrity change, whether it was
caused by a virus or was benign.
> there are those who feel that programmatically restoring
> infected/corrupted objects to their original state is a losing
> proposition... some anti-virus vendors (like sophos) don't offer virus
> disinfection for most file infecting viruses because of this philosophy...
Again, part of the above is propaganda that was cultivated by interested
parties. The fact is that DOS objects, all types, were recovered through
integrity methods to their *exact* original state, to the byte, including the
time and date stamp. The restored file would even occupy the exact same
location on the hard drive that it occupied before it was infected. Several
products like NAV's inoculation, Eliashim's PIC, and Thunderbyte's Tbclean
performed just as well as IV in restoring infected DOS files. The advantage of
IV over the above was its better false positive rejection. Eventually, this was
one of the reasons the integrity module lost importance in the above products
(the other reasons are the advent of the Windows infectors, also known as PE
infectors, and the orientation of the producers to scanners).
Your above assertion became true with the appearance of PE infectors.
Disinfection of a PE object by a scanner never restores it to its exact
pre-infected state. It has nothing to do with malware modifying the file
"arbitrarily" (malware doesn't do that), but with the complexity of the PE file
structure and of reverting the changes made to it. Theoretically, *only*
restoration from a suitable integrity signature can assure full recovery of PE
objects, but as said, the signature file to do that will be prohibitively large.
That's why we ended up with real-time integrity monitoring only for PE files in
our on-access module, and recovery for 16 bit objects only (in the offline
module, not on access).
> while the average joe may certainly prefer a magic bullet (and there are
> plenty of examples of people expressing exactly that), i'm not about to
> penalize a technology for failing to be a panacea - i'd rather penalize
> a proponent of it for falsely leading users to believe it is a panacea...
I hope that you don't point to me, as I never made such a claim. Which didn't
prevent professional bashers from pretending that I did.
> plain integrity checkers are purely detective mechanisms... they do not
> prevent and they do not restore, but they are (when used properly)
> practically infallible at detecting change...
Let's extend the above now: Real-time AV optimized integrity checkers can
detect an infection and block execution of that object. When implemented
properly, real-time integrity monitoring is nearly infallible at detecting viral
changes in monitored files.
Regards, Zvi
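The distinction argued over in the thread, as an added example that is not code from either poster nor a description of Integrity Master or IV: a "plain" whole-file hash beside a check that watches a couple of PE header fields, run on constructed in-memory PE-like images (MZ stub, PE signature, COFF header, PE32 optional header; not loadable binaries). The two watched fields (NumberOfSections and AddressOfEntryPoint) are an illustrative choice, not any product's method, and a real infector can leave both alone, so the second check is only a sketch of what "AV-optimized" integrity means. The `baseline_size` and `restore` helpers show the size trade-off Zvi mentions: a hash-plus-fields record is tiny but cannot restore, while the only record that can restore exactly is a full copy.

```python
# Added example (not code from either poster): a "plain" whole-file integrity
# check beside a PE-aware check, on constructed in-memory PE-like images.
import hashlib
import struct

E_LFANEW_OFFSET = 0x3C   # DOS header field holding the offset of the PE header
COFF_HEADER_SIZE = 20    # IMAGE_FILE_HEADER
OPT_HEADER_SIZE = 0xE0   # IMAGE_OPTIONAL_HEADER32


def build_image(entry_point, num_sections, body):
    """Construct a minimal PE-like image for the example (not a loadable
    binary): MZ stub, PE signature, COFF header, PE32 optional header, body."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0,
                       OPT_HEADER_SIZE, 0x102)
    # Magic=PE32, linker versions, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint (offset 16 in this header)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, len(body), 0, 0, entry_point)
    opt += b"\0" * (OPT_HEADER_SIZE - len(opt))
    return dos + b"PE\0\0" + coff + opt + body


def pe_fields(data):
    """Parse the two structural fields this example chooses to watch."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + COFF_HEADER_SIZE
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    return {"num_sections": num_sections, "entry_point": entry_point}


def baseline(data, keep_copy=False):
    """What a checker stores per file. A hash plus a few header fields is
    tiny; only a full copy (keep_copy=True) permits exact restoration."""
    rec = {"sha256": hashlib.sha256(data).hexdigest(), "pe": pe_fields(data)}
    if keep_copy:
        rec["copy"] = bytes(data)
    return rec


def plain_check(base, data):
    """Plain integrity: any byte change, benign or not, fails the check."""
    return hashlib.sha256(data).hexdigest() == base["sha256"]


def pe_aware_check(base, data):
    """Illustrative AV-oriented view: names of watched header fields that moved.
    An empty list means the change left the watched structure alone."""
    now = pe_fields(data)
    return [name for name, value in now.items() if value != base["pe"][name]]


def restore(base):
    """Exact restoration is possible only when the baseline kept a full copy."""
    if "copy" not in base:
        raise LookupError("baseline holds a hash only; cannot restore")
    return base["copy"]


def baseline_size(base):
    """Rough stored bytes per record: raw digest (32) + the two fields (6)
    + the full copy if one was kept."""
    return 32 + 6 + len(base.get("copy", b""))


if __name__ == "__main__":
    original = build_image(0x1000, 3, b"\x90" * 64)
    base = baseline(original)
    # Benign update: code bytes change, header structure untouched.
    patched = build_image(0x1000, 3, b"\xC3" * 64)
    # Parasitic-style change, constructed to mimic the shape of an infection
    # (body appended, section added, entry point redirected); not real malware.
    infected = build_image(0x2000, 4, b"\x90" * 64 + b"\xCC" * 32)
    for label, img in (("original", original), ("patched", patched),
                       ("infected", infected)):
        print(label, "plain ok:", plain_check(base, img),
              "structural diffs:", pe_aware_check(base, img))
    print("hash-only baseline bytes:", baseline_size(base))
    print("restorable baseline bytes:",
          baseline_size(baseline(original, keep_copy=True)))
```

Run as a script it prints that the plain check fails on both the benign patch and the infection-shaped change, while the field check only flags the latter; the two size figures make the point that a baseline able to restore a PE object costs as much as the object itself.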