Re: [ISN] eEye Enters Antivirus Business with Blink Suite

From: InfoSec News (alerts@private)
Date: Tue Jan 30 2007 - 23:12:00 PST


Forwarded from: Simson Garfinkel <simsong (at) acm.org>

> http://www.betanews.com/article/
> eEye_Enters_Antivirus_Business_with_Blink_Suite/1170087333
> ...
> 
> Rather than scan everything all the time, however, the new Blink will 
> scan newly discovered executables, and may perhaps rescan them if, for 
> instance, their patterns or file size appears to have changed. But if 
> it's the same executable, by default, Blink will only scan it once.

Presumably the Blink anti-virus technology is only performing this kind 
of in-depth scan using a virtual machine because the scan is slow. 
However, the potential virus writer has many options for avoiding this 
technology. For example, the "virus" (really a trojan) could simply 
perform its malicious activity only if it receives user input (which it 
is unlikely to receive in a virtual machine, but likely to receive if it 
pops up a window). Or the virus could simply check to see if it is 
running in a virtual machine using technology that is now readily 
available.

Back in the early 1990s anti-virus software used this approach of trying 
to watch the behavior of a virus. They gave up on it in favor of the 
current signature-based approach because it was prone to false positives 
and because it didn't catch many known viruses.

Of course, it's theoretically impossible to look at a program and figure out
what it's going to do. Even running the program in a virtual machine won't tell
you what it's going to do once you run it in the wild.
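The quoted article says Blink scans an executable once and may rescan only if its "patterns or file size" change. The following is an added example (not code from eEye, the article, or Garfinkel's post) showing why the cache key that decides "same executable" matters: a content-hash key rescans any byte-level change, while a size-only key lets a file whose contents changed but whose length did not reuse a stale "clean" verdict. The analyzer is a toy stand-in for the slow in-depth scan, and the marker string and sample bytes are constructed for the demo.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed marker used by the toy analyzer; a stand-in for whatever the
# real in-depth (sandbox) scan would look for.
MARKER = b"CONSTRUCTED-EVIL-MARKER"


def toy_analyzer(data: bytes) -> str:
    """Placeholder for the expensive scan: flags files containing MARKER."""
    return "malicious" if MARKER in data else "clean"


class ContentKeyedCache:
    """Scan-once cache keyed on SHA-256 of the file contents."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}
        self.scans_performed = 0

    def scan(self, data: bytes, analyzer: Callable[[bytes], str]) -> Tuple[str, bool]:
        """Return (verdict, served_from_cache)."""
        key = hashlib.sha256(data).hexdigest()
        if key in self.verdicts:
            return self.verdicts[key], True
        verdict = analyzer(data)
        self.scans_performed += 1
        self.verdicts[key] = verdict
        return verdict, False


class SizeKeyedCache:
    """Same scan-once policy, but keyed only on file size (the weak heuristic)."""

    def __init__(self) -> None:
        self.verdicts: Dict[int, str] = {}
        self.scans_performed = 0

    def scan(self, data: bytes, analyzer: Callable[[bytes], str]) -> Tuple[str, bool]:
        """Return (verdict, served_from_cache)."""
        key = len(data)
        if key in self.verdicts:
            return self.verdicts[key], True
        verdict = analyzer(data)
        self.scans_performed += 1
        self.verdicts[key] = verdict
        return verdict, False


def run_demo() -> dict:
    """Scan a clean file twice, then a same-length tampered copy, with each cache."""
    # Constructed sample "executables": identical length, different contents.
    clean = b"MZ" + b"\x00" * 40 + b"hello world".ljust(len(MARKER), b"\x00")
    tampered = b"MZ" + b"\x00" * 40 + MARKER
    assert len(clean) == len(tampered)

    results = {}
    for name, cache in (("content", ContentKeyedCache()), ("size", SizeKeyedCache())):
        first, _ = cache.scan(clean, toy_analyzer)
        _, repeat_cached = cache.scan(clean, toy_analyzer)
        tampered_verdict, tampered_cached = cache.scan(tampered, toy_analyzer)
        results[name] = {
            "first": first,
            "repeat_cached": repeat_cached,
            "tampered_verdict": tampered_verdict,
            "tampered_cached": tampered_cached,
            "scans": cache.scans_performed,
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

With the content-keyed cache the tampered file is rescanned and flagged; with the size-keyed cache it is served the earlier "clean" verdict without a scan, which is the gap a scan-once design has to close if it keys on anything weaker than the bytes themselves.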


This archive was generated by hypermail 2.1.3 : Tue Jan 30 2007 - 23:36:18 PST