> It is plausible for the FBI to provide a signature to McAfee and
> say "please don't report if you see this."

AV doesn't work that way any more, and hasn't for about a decade now. Mostly, it is either a "language" (go here, find this, go here, satisfy N choose K, whatever) or rules (heuristics). But we can't allow the essence of the schema you presented because, as you said, what if someone hijacked it? That is, we can't say something is fine based on a substring that could have something else either before or after the code.

For instance, the AV industry has agreed on this thing called an EICAR test file (to test installations). It is a 68 byte text file, which, as it happens, is executable code if you look at its binary. It runs, prints a message and exits. The rule for an AV product to report finding this "EICAR test file" is: it must be found as the *FIRST* 68 bytes of a file. If found anywhere else, you cannot report it as the EICAR test file, because it could be a fake-out, to make people think that it's safe when it's not.

> Whether NAI would ever do such a thing is outside my knowledge.

Outside of the above, it's also not good business sense to go public on something that's just a rumor and alienate one's clientele, who pay us to protect them from outside interference with their business. And if you have worked with the FBI, you notice, no, they don't tell you what they're working on. :-) So, I've become really good at packaging my evidence submissions, sending them in, and never expecting an answer other than an acknowledgement of receipt. (And not asking...)

> The report I cited only
> mentions in passing that NAI has done this, and I am thrilled to
> hear that it's not true.

And also, with many years in the business, you come to notice that what the reporter wrote in the article isn't what you said. (Actually, some good ones let me review their articles before they publish.)

And if you search the internet on Bridis with McAfee, you'll see some history of his opinion of us.

Jimmy
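The EICAR rule Jimmy describes (report the test file only when the 68-byte string sits at offset 0, never on a substring match elsewhere in a file) is easy to get wrong with a naive scanner. The following is an added example, not code from the original post or from any vendor's product: it contrasts a substring matcher with an offset-0 classifier over a few constructed sample files. The tolerance for trailing whitespace up to a 128-byte total comes from the published EICAR specification rather than from the post, and the label strings and function names are this example's own choices.

```python
# Added example (not from the original mailing-list post): a scanner rule
# that reports the EICAR test file only when the 68-byte string is the very
# first 68 bytes of the file, and does not report a mid-file occurrence,
# which could be a decoy wrapped around other content.

# The public EICAR test string; a raw bytes literal keeps the backslash intact.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Per the EICAR specification (an addition here; the post only states the
# first-68-bytes rule), the string may be followed by whitespace characters
# as long as the whole file does not exceed 128 bytes.
_TRAILING_OK = b" \t\r\n\x1a"
MAX_LEN = 128

NAME = "EICAR-Test-File"   # label a product would report
NO_MATCH = "no-match"      # file is not the test file; judge it on its own merits


def naive_substring_match(data: bytes) -> bool:
    """The scheme the post argues against: flag if the string appears anywhere.

    A substring hit says nothing about what precedes or follows it, so the
    file could be something else entirely dressed up to look like a test file.
    """
    return EICAR in data


def classify(data: bytes) -> str:
    """Report NAME only when the file *is* the EICAR test file.

    The string must occupy bytes 0..67. Anything after it must be whitespace
    and the total length must stay within MAX_LEN; otherwise the file is
    treated as an ordinary file and NO_MATCH is returned.
    """
    if not data.startswith(EICAR):
        return NO_MATCH
    if len(data) > MAX_LEN:
        return NO_MATCH
    trailer = data[len(EICAR):]
    # bytes iteration yields ints; `int in bytes` is a membership test.
    if any(b not in _TRAILING_OK for b in trailer):
        return NO_MATCH
    return NAME


def scan_file(path: str) -> str:
    """Classify a file on disk; only the first MAX_LEN + 1 bytes matter."""
    with open(path, "rb") as f:
        return classify(f.read(MAX_LEN + 1))


# Constructed sample files illustrating the rule (not real malware or captures).
SAMPLES = {
    "exact":         EICAR,
    "crlf-trailer":  EICAR + b"\r\n",
    "decoy-prefix":  b"\x00" + EICAR,        # substring present, offset != 0
    "payload-after": EICAR + b"X",           # non-whitespace trailer
    "too-long":      EICAR + b" " * 61,      # 129 bytes
}


def compare_all() -> dict:
    """Return {name: (naive_flagged, rule_based_label)} for every sample."""
    return {k: (naive_substring_match(v), classify(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, label) in compare_all().items():
        print(f"{name:14s} naive={naive!s:5s} rule={label}")
```

Run as a script it prints one line per sample; the decoy-prefix and payload-after cases are exactly the ones where the substring matcher says "yes" and the offset-0 rule says "no", which is the distinction the post is drawing.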
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:32:55 PDT