RE: CRIME FBI's "Magic Lantern" and McAfee Antivirus

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Sun Nov 25 2001 - 01:54:35 PST

    >It is plausible for the FBI to provide a signature to McAfee and 
    >say "please don't report if you see this." 
    
    AV doesn't work that way any more.  Not for about a decade now.  Mostly,
    it is either a "language" (go here, find this, go here, satisfy N choose K,
    whatever) or rules (heuristics).  But we can't allow the essence of the
    scheme you presented because, as you said, what if someone hijacked it?  That
    is, we can't say something is fine based on a substring that could have
    something else either before or after the code.
    
    For instance, the AV industry has agreed on this thing called an EICAR test
    file (to test installations).  It is a 68 byte text file which, as it
    happens, is executable code if you look at its binary.  It runs
    and prints a message and exits.  The rule for an AV product to report
    finding this "EICAR test file" is, it must be found as the *FIRST* 68 bytes
    of a file.  If found anywhere else, you cannot report it as the EICAR test
    file, because it could be a fake-out, to make people think that it's safe
    when it's not.
    
    >Whether NAI would ever do such a thing is outside my knowledge. 
    
    Outside of the above, it's also not good business sense to go public on
    something that's just a rumor and alienate one's clientele who pay us to
    protect them from outside interference with their business.
    
    And if you have worked with the FBI, you notice, no, they don't tell you
    what they're working on.  :-)  So, I've become really good at packaging my
    evidence submissions, sending them in, and never expecting an answer other
    than an acknowledgement of receipt.  (and not asking...)
    
    >The report I cited only 
    >mentions in passing that NAI has done this, and I am thrilled to 
    >hear that it's not true.
    
    And also with many years in the business you also come to notice, what the
    reporter wrote in the article isn't what you said.  (Actually, some good
    ones let me review their articles before they publish.)  And if you search
    the internet on Bridis with McAfee, you'll see some history of his opinion
    of us.
    
    Jimmy
    
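    The placement rule Jimmy describes for the EICAR test file, shown as an added
    toy example (this is not code from the message, from McAfee, or from any
    shipping product): a naive substring scanner beside one that only reports the
    test file when the 68 bytes open the file.  The samples are constructed
    filler bytes, not malware.  The trailing-whitespace and 128-byte limits are
    taken from the published EICAR specification, not from the message.

```python
# Added example (not part of the message above or of any AV product):
# a toy scanner illustrating the EICAR placement rule.  The byte string is
# assembled from two halves so this source file does not itself contain the
# contiguous 68-byte test string, which would trip most AV products on the
# machine it is saved on.
_EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
_EICAR_TAIL = b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = _EICAR_HEAD + _EICAR_TAIL
assert len(EICAR) == 68

# From the EICAR specification (eicar.org), not from the message: the 68 bytes
# may only be followed by whitespace, and the whole file must not exceed 128 bytes.
_MAX_EICAR_LEN = 128
_WHITESPACE = b" \t\r\n"


def naive_verdict(data: bytes) -> str:
    """The scheme the message rejects: report EICAR wherever the substring occurs.

    A scanner built this way can be faked out: anything wrapped around the
    68 bytes inherits the harmless "test file" label and is scanned no further.
    """
    return "EICAR test file" if EICAR in data else "scan further"


def placement_verdict(data: bytes) -> str:
    """The industry rule: EICAR is reported only when it is the FIRST 68 bytes."""
    if data[:68] != EICAR:
        return "scan further"           # the substring elsewhere proves nothing
    trailer = data[68:]
    if len(data) <= _MAX_EICAR_LEN and not trailer.translate(None, _WHITESPACE):
        return "EICAR test file"
    return "scan further"               # real content glued after the test bytes


def compare_scanners(samples: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Run both scanners over labelled samples: name -> (naive, placement)."""
    return {name: (naive_verdict(d), placement_verdict(d))
            for name, d in samples.items()}


# Constructed samples: filler bytes only, no real payloads.
SAMPLES = {
    "clean test file":     EICAR,
    "test file, CRLF":     EICAR + b"\r\n",
    "bytes before EICAR":  b"MZ" + b"\x90" * 32 + EICAR,
    "payload after EICAR": EICAR + b"\x00" * 16 + b"<not whitespace>",
    "unrelated file":      b"#!/bin/sh\necho hello\n",
}

if __name__ == "__main__":
    for name, (naive, placement) in compare_scanners(SAMPLES).items():
        print(f"{name:20s} naive={naive:16s} placement={placement}")
```

    The "bytes before EICAR" and "payload after EICAR" rows are the fake-out the
    message warns about: the naive scanner labels both as the harmless test file,
    while the placement-aware scanner keeps scanning them.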



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:32:55 PDT