|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Skepticism and critical thinking is not panacea, but can help to understand the world better
v.2.01; Oct. 21, 1997
Note: This article was published in Softpanorama Bulletin Vol 9, No.4 (1997)
The conference was held Oct.2-3, 1997 in SF. The partially accurate program of the conference is available on http://www.virusbtn.com/VB97/programme_tables.html.
I would like to single out the following five presentations that IMHO deserve attention:
1. David J. Stang: "In pursuit of prevalence: a look at 'In the Wild'".
2. Jimmy Kuo: "Free Macro Anti-virus Techniques".
3. David Aubrey-Jones: "Macro Attacks on Office ‘97"
4. Dmitry Gryaznov: "Scanning the ‘Net'"
5. Martin Overton: "FAT32 - New Problems for Anti-virus or Viruses?
The most impressive was the presentation by David J. Stang. Its title could probably be changed to "'In The Wild List' Is Dead". Although David diplomatically stated that "This article is NOT an attack on the developers of any wild list" it was actually a RIP for the "In The Wild List" urban legend. IMHO this is probably the main result of VB’97. Better late than never ;-). I hope that after this presentation the new editor of the Virus Bulletin will abandon the "In The Wild" urban legend.
I had never listened to David before and the fact that he worked in NCSA in the past makes him a little bit suspect (NCSA is the major proponent of the "In the Wild List" :-), but he gave a very good presentation. I believe most people connected with AV testing will (silently :-) agree that the "In The Wild List" is unscientific (i.e. subjective), misleading (if used in AV scanner testing) and generally serves no identifiably useful purpose. It's a little bit like the shadow of academician Lysenko's heritage (for those lucky souls who did not know about Lysenko and Lysenkoism, see the definition in the "Sceptic's dictionary" at http://wheel.ucdavis.edu/~btcarrol/skeptic/lysenko.html). A meaningful "In the wild list" is just not possible due to regional differences. For example there is a product called V-HUNTER (http://ras1.dials.ccas.ru/dsav.htm#Vhunter) that for many years detected and disinfected only viruses that were found in Russia (it does not cover polymorphic viruses - they are covered by DrWeb, though). The list of viruses that it contains, even if we exclude polymorphics, has very little to do with the "In the Wild List".
IMHO the "In the Wild List" is an artificial mix. As such, it should never be used for evaluations of the quality of the AV software. Often it does not include viruses that became widespread for a month or two (a very long period in the AV industry). At the same time it includes viruses which probably never managed to get into a particular country, and in this sense are no different from any virus that can be found on "Virus CDs" or in collections available via the Internet.
Although I have publicly criticized the "In the Wild List" several times, nobody has taken the time to put all the relevant arguments against it on paper. David's presentation does the job just fine. If any publication uses the "In the Wild List" in 1998, I recommend it be viewed with great suspicion or just thrown in the garbage, where it probably belongs ;-).
David Stang made a good field study of virus distribution in several different countries and formulated four reasons why a good wild list in not possible (I paraphrased them as follows):
Again, IMHO the main reason is that prevalence is so different between regions of the world that a global prevalence list make very limited sense after, say, a dozen most widespread viruses. See below for the discussion of Dmitry Grayznov's presentation about one possible alternative - "In The Usenet List". It is an objective, but it has several serious problems that need to be solved before it can be viable for AV scanners testing.
For some strange reason Jimmy Kuo’s presentation was put on the technical track. IMHO it was the most useful for practitioners presentation at the conference. Jimmy did a really useful job of collecting and classifying the methods of improving macro virus protection in MS Word without using macro virus scanners of VxD. I would like to applaud Jimmy’s vendor neutral-approach that was used in the paper. The text of this paper is available on http://www.nai.com/services/support/vr/free.asp I strongly recommend downloading and reading it. Several additional useful techniques should be mentioned:
A combination of copying the NORMAL.DOT template from a special backup directory, SCANPROT installation in the STARTUP directory and the use of RTF proves, as my own experience shows, to be a very inexpensive and efficient corporate framework for fighting macro viruses. These methods are especially useful for organizations that are afraid of using VxD for stability reasons.
As for RTF, I have had a positive experience with it in a large corporate environment, despite the fact that the CAP.A virus fools the user. This virus saves the document in native MS Word format instead of RTF even if the user tries to save it in RTF. At the same time, it is very easy to check on the mail gateway (or in the mailbox) if the attachment was really converted to RTF. One only needs to check the first 5 bytes of the file. So the check can be really quick, much quicker than scanning the file for macro viruses.
This was an interesting presentation that tried to systematize macro virus protection features that are available in MS Word 97. Although Microsoft could and should do more, they have made a number of important and significant changes in Office 97 that makes the threat of macro virus infection less likely. The following features (with the exception of No. 1) are generally poorly documented and communicated to the public.
The last feature is probably the most important. In Word 97 only ‘projects’ can be protected, while in Word 6 any single macro can be protected. A Microsoft white paper "Word Basic Migration to Visual Basic for Applications" (available as a self extracting archive wbmigrat.exe from http://support.microsoft.com/support/kb/articles/q164/3/70.asp) lists the following four important restrictions:
Generally, switching to Office 97 is a pretty smart move from the point of view of macro virus protection.
VirusPatrol is a free service, provided by Dr. Solomon, to protect users of newsgroups from virus infections by the daily scanning of major Usenet newsgroups. Dmitry Gryaznov’s project was really innovative in several aspects and, to a certain extent, proved that Dr. Solomon is one of the market leaders.
First, probably the best way for a virus author to quickly distribute a virus is to mail it to one or several popular USENET groups. Also, files and documents that contain a particular virus (for example a resume that contains the CAP.A virus) are an indicator of a prevalence of the virus. Attached executables and documents are scanned using heuristic analysis. Suspicious samples are analyzed and a detection and clean-up routine is incorporated in FindVirus. VirusPatrol issues an alert to the newsgroup warning other readers not to download the infected file. In this way a virus outbreak may be prevented. Service is not intrusive. Readers of the scanned newsgroups will be aware that they are being protected by Internet VirusPatrol only when an alert is issued within that group. The list of viruses found on the scanned newsgroups over the past two months is available via http://www.drsolomon.com/vircen/vp/index.cfm. It is really instructive reading.
The second important aspect of this pioneering work is the ability to create something like an "In the Usenet List". I believe that Dmitry should take some steps in this direction. There are several problems that need to be resolved, such as the posting of virus collections and posting viruses for distribution in provirus newsgroups. The simplest way is to exclude them. A second approach is to introduce a rating for each virus found according to the newsgroup and to use a lower rating for virus distribution newsgroups. Let's briefly discuss four major objections mentioned above against the "In The Wild List":
Martin Overton provided an interesting discussion of FAT32 that appeared in the Service Pack 2 for Windows 95 and is a preferable file system for today 3G+ hard drives. The paper is available on http://www.salig.demon.co.uk/fat32/fat32new.htm. He demonstrated that many DOS viruses (including MBR and boot sector (DBR) viruses) work adequately under Windows 95 and FAT32. At the same time most antivirus vendors were very slow to implement proper handling of FAT32.
Some of his findings appear to be completely opposite to postings by notable researchers on the alt.comp.virus group. The most important of them is that DBR viruses really cannot be removed from FAT32 partitions by non-FAT32 compatible anti-virus software.
That means that customers with FAT32 installed, who paid for such AV products as AVP 3.0, F-prot Professional 3.0 and ThunderByte (as well as probably several others) were paying not for protection from a large subset of boot viruses that infect the boot sector [DBR] instead of MBR, but for vapor. Of those that do support FAT32, both McAfee ViruScan 3.03 and Norton Antivirus 3.0 constantly gave false positives after a cold-clean-boot [Virus found in memory]. Those that successfully support FAT32 and didn’t produce false alarm include: Dr. Solomon’s AVTK 7.72 and VET 9.44. Sophos Sweep supports FAT32, but refuses to remove FORM.A as they consider a FAT32 partition infected with a FAT16 boot virus a problem that requires help from their support desk.
IMHO one important problem was completely overlooked: the problem of the reliability of AV products. AV products not only add to the cost of ownership of the Microsoft and Novel platforms. More often that not AV products, especially NLM s and VxD drivers, negatively affect the underling OS stability. Like other categories of consumers, AV consumers need some kind of consumer protection from problems like those reported by Martin Overton. The level of testing of AV products (QA) really needs to be improved. I will add just one example:
From: firstname.lastname@example.org (F PROT MAN)
Subject: Re: F-Prot Pro 3.0 for NT: Very Nasty Bug
Date: 2 Oct 1997 21:51:22 GMT
>This is confirmed by me personally. We lost lots of documents, thank God
>for back ups. We reported this to our F-prot supplier who finally confirmed
>this problem yesterday ( Oct.1).
We hope to have this resolved in the next version of the software. Thank you
for your interest in F-PROT Professional.
... ... ...
The author plans additional research into this subject.
Dr. Nikolai Bezroukov
Copyright 1997, Nikolai Bezroukov
Permission granted to freely copy and redistribute (including posting on web pages, usenet, BBS, bulletin boards of on-line service providers) provided this copyright notice is included.
Copyrighted material contained within this document is used in compliance with the United States Code, Title 17, Section 107, "for purposes such as criticism, comment, news reporting, teaching"
Disclaimer: All comments or statements are solely my own, and do not reflect or represent any organization's that I may be associated with.
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: Oct 16, 1997;