Full Disclosure
mailing list archives
Re: AV companies better hire good lawyers soon.
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 15 Sep 2004 12:29:52 +1200
Frank Knobbe wrote:
Alternatively, software manufacturers can add their applications into AV
exclusion lists upon installation of their products. Applications
already have to "register" with the operating systems. Why not make it
register with the AV software if the software is prone to false
positives? Or at least advise the end-user of such recommended manual
step during installation.
Do I detect the re-emergence of parasitic binary infectors?
If the user trusts the application, and does not trust the AV software,
he can override the AV checks for this software. If AV vendors present a
lot of false positives, my guess is that the trust of the end user in
those AV products will wane.
So, it is in the best interest for the AV vendor to ensure low/no false
positives. There is no need for software manufacturers to "register"
their products with AV vendors.
Of course, the best solution is to fix the cart-before-the-horse design
of contemporary scanners. They should not be black-listing (by its
nature heavily prone to _both_ false-positives (the issue here) and
false-negatives ("you should expect us to miss new malware")) but
enforcing white lists. The "bad old days" of severe hardware (RAM, CPU
cycles, I/O speed) limitations that made black-listing only marginally
acceptable because it was the only marginally viable approach, are
_long_ past. Idiot users that want to run just any old cr*p code from
anywhere are welcome to keep failing to be "protected" by black-listing
scanners, but informed admin types should have been agitating for years
now for their AV developers (or, perhaps better, other security system
developers) to develop a useful, real-time black-listing solution that
would work in a corporate setting. Partly because this did not happen
we then had all manner of further idiocies "enforced" on us, such as
the truly screwed-up notion that we should accept arbitrary code from
web servers (in the form of HTML-embedded scripts, scripting in third-
party interpreted languages such as are used in SWF, etc, etc).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html