Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: MS Anti Virus?
From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Jun 2004 16:48:10 -0400

On Fri, 18 Jun 2004 06:30:55 +1200, Nick FitzGerald <nick () virus-l demon co uk>  said:
Valdis.Kletnieks () vt edu wrote:

Naah.. They'd never use an undocumented API to benefit their product at the
expense of the competition, would they? ;)

In this case, no.

Given that a lot of AV technical work is reverse engineering and that 
most of the best AV reversers are not among those MS "acquired" from 
RAV or who have joined MS from other AV developers subsequently (not 
that they haven't got some very good reversers, just there are still an 
awful ot of them elsewhere), I doubt even MS is stupid enough to 
consider trying something like this.

You're forgetting that in this case, technical excellence fall behind marketing
and treachery in importance....

You don't think that the MS reverse engineers couldn't do better, if they had
an API that would tell them the exact footprints associated with a known
vulnerability?  :)

Remember that the BugBear virus used an undocumented API to snarf
all the passwords: http://www.extremetech.com/article2/0,3973,582176,00.asp

You really expect us to believe that the M$ AV team won't leverage off the
fact that they could know about that API, and all the others in Windows?

Now consider all the cases where Microsoft has shipped a half-working patch
that closes some cases but not others - could that be a case of "we intentionally
shipped half the patch because we're going to let our AV software in on the secret
sauce so it can install the OTHER half of the patch"?  :)

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]