RE: CRIME FBI's "Magic Lantern" and McAfee Antivirus

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Sun Nov 25 2001 - 01:54:35 PST

Next message: Kuo, Jimmy: "RE: CRIME FBI's "Magic Lantern" and McAfee Antivirus"

Previous message: Crispin Cowan: "Re: CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Maybe in reply to: Crispin Cowan: "CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Next in thread: Kuo, Jimmy: "RE: CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>It is plausible for the FBI to provide a signature to McAffee and 
>say "please don't report if you see this." 

AV doesn't work that way any more.  Not since about a decade now.  Mostly,
it is either a "language" (go here, find this, go here, satisfy N choose K,
whatever) or rules (heuristics).  But we can't allow the essence of the
schema you presented because as you said, what if someone hijacked it?  That
is, we can't say something is fine based on a substring that could have
something else either before or after the code.

For instance, the AV industry has agreed on this thing called an EICAR test
file (to test installations).  It is a 68 byte text file, which as it
happens, happens to be executable code if you looked at its binary.  It runs
and prints a message and exits.  The rule for an AV product to report
finding this "EICAR test file" is, it must be found as the *FIRST* 68 bytes
of a file.  If found anywhere else, you cannot report it as the EICAR test
file, because it could be a fake-out, to make people think that it's safe
when it's not.

>Whether NAI would ever do such a thing is outside my knowledge. 

Outside of the above, it's also not good business sense to go public on
something that's just a rumor and alienate one's clientele who pay us to
protect them from outside interference with their business.

And if you have worked with the FBI, you notice, no, they don't tell you
what they're working on.  :-)  So, I've become really good at packaging my
evidence submissions, sending them in, and never to expect an answer other
than an acknowledgement of receipt.  (and not to ask...)

>The report I cited only 
>mentions in passing that NAI has done this, and I am thrilled to 
>hear that it's not true.

And also with many years in the business you also come to notice, what the
reporter wrote in the article isn't what you said.  (Actually, some good
ones let me review their articles before they publish.)  And if you search
the internet on Bridis with McAfee, you'll see some history of his opinion
of us.

Jimmy

Next message: Kuo, Jimmy: "RE: CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Previous message: Crispin Cowan: "Re: CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Maybe in reply to: Crispin Cowan: "CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Next in thread: Kuo, Jimmy: "RE: CRIME FBI's "Magic Lantern" and McAfee Antivirus"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:32:55 PDT