Forwarded from: Simson Garfinkel <simsong (at) acm.org>

> http://www.betanews.com/article/
> eEye_Enters_Antivirus_Business_with_Blink_Suite/1170087333
> ...
>
> Rather than scan everything all the time, however, the new Blink will
> scan newly discovered executables, and may perhaps rescan them if, for
> instance, their patterns or file size appears to have changed. But if
> it's the same executable, by default, Blink will only scan it once.

Presumably the Blink anti-virus technology is only performing this kind of in-depth scan using a virtual machine because the scan is slow. However, the potential virus writer has many options for avoiding this technology. For example, the "virus" (really a trojan) could simply perform its malicious activity only if it receives user input (which it is unlikely to receive in a virtual machine, but likely to receive if it pops up a window). Or the virus could simply check to see if it is running in a virtual machine using technology that is now readily available.

Back in the early 1990s, anti-virus software used this approach of trying to watch the behavior of a virus. They gave up on it in favor of the current signature-based approach because it was prone to false positives and because it didn't catch many known viruses.

Of course, it's theoretically impossible to look at a program and figure out what it's going to do. Even running the program in a virtual machine won't tell you what it's going to do once you run it in the wild.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
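The "readily available" virtual-machine check the message refers to, as an added example that is not part of Simson Garfinkel's message, the InfoSec News list, or eEye's Blink product. It uses only the CPUID instruction: leaf 1 sets ECX bit 31 under most hypervisors, and leaf 0x40000000 returns a 12-byte vendor ID. The vendor ID strings in the table are the published ones; the function names, the `probe_cpuid` helper and the sample register values are mine. The live probe is x86-only and assumes a GCC/clang `<cpuid.h>`; the decoders run anywhere.

```c
/* vm_check.c -- added example (not from the message above or from the
 * Blink product): the kind of "am I in a virtual machine?" check a
 * trojan can use to stay dormant while a scanner runs it inside a VM.
 * Uses CPUID only, so it never faults on bare metal.
 * Build: cc -O2 -o vm_check vm_check.c   (GCC/clang; x86 for the live probe)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CPUID leaf 1 returns a feature mask in ECX; bit 31 is reserved on real
 * hardware and set by hypervisors that choose to announce themselves. */
int hv_present_bit(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1;
}

/* CPUID leaf 0x40000000 returns a 12-byte hypervisor vendor ID spread
 * over EBX, ECX, EDX, lowest byte first. Copying the registers out in
 * that order rebuilds the string. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    memcpy(out + 0, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Inverse of the above: build a register value from four bytes of text,
 * so the decoder can be exercised without a real hypervisor. */
uint32_t pack4(const char *four_bytes)
{
    uint32_t v;
    memcpy(&v, four_bytes, 4);
    return v;
}

/* Published vendor IDs. Compared with memcmp over all 12 bytes because
 * the KVM ID carries embedded NUL padding. Returns NULL when unknown;
 * callers treat "bit set but unknown vendor" as a VM, not as bare metal. */
const char *hv_name(const char *vendor12)
{
    static const struct { const char id[13]; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "Microsoft Hv", "Hyper-V" },
        { "XenVMMXenVMM", "Xen" },
        { "prl hyperv  ", "Parallels" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(vendor12, table[i].id, 12) == 0)
            return table[i].name;
    return NULL;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Live probe (assumed helper, x86 only). Returns the leaf-1 hypervisor
 * bit and fills vendor[]. __get_cpuid rejects leaf 0x40000000 because it
 * lies above the basic-leaf maximum, so the raw __cpuid macro is used. */
int probe_cpuid(char vendor[13])
{
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        vendor[0] = '\0';
        return 0;
    }
    int bit = hv_present_bit(ecx);
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    (void)eax;
    hv_vendor_string(ebx, ecx, edx, vendor);
    return bit;
}
#endif

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    char vendor[13];
    int bit = probe_cpuid(vendor);
    const char *name = hv_name(vendor);
    printf("hypervisor bit: %d  vendor id: \"%s\" (%s)\n",
           bit, vendor, name ? name : "unknown");
    /* Either signal is enough for a trojan to decide to stay quiet. A
     * clean result proves nothing: a hypervisor can mask the bit, so a
     * real sample would combine this with other checks (timing, device
     * names, MAC OUIs, or simply waiting for genuine user input). */
    puts((bit || name) ? "verdict: virtual machine, stay dormant"
                       : "verdict: no hypervisor advertised");
#else
    puts("live CPUID probe is x86-only; the decoders still work on captured registers");
#endif
    return 0;
}
```

The point for a scanner that runs samples in a VM is the mirror image: if the sandbox does not hide the hypervisor bit and vendor ID (and does not simulate user interaction), a sample that behaves well during its single scan tells you nothing about how it behaves on the real desktop.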
This archive was generated by hypermail 2.1.3 : Tue Jan 30 2007 - 23:36:18 PST