Information Security News
mailing list archives
Re: eEye Enters Antivirus Business with Blink Suite
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Jan 2007 01:12:00 -0600 (CST)
Forwarded from: Simson Garfinkel <simsong (at) acm.org>
http://www.betanews.com/article/eEye_Enters_Antivirus_Business_with_Blink_Suite/1170087333
...
Rather than scan everything all the time, however, the new Blink will
scan newly discovered executables, and may perhaps rescan them if, for
instance, their patterns or file size appears to have changed. But if
it's the same executable, by default, Blink will only scan it once.
Presumably the Blink anti-virus technology is only performing this kind
of in-depth scan using a virtual machine because the scan is slow.
However, the potential virus writer has many options for avoiding this
technology. For example, the "virus" (really a trojan) could simply
perform its malicious activity only if it receives user input (which it
is unlikely to receive in a virtual machine, but likely to receive if it
pops up a window). Or the virus could simply check to see if it is
running in a virtual machine using technology that is now readily
available.
Back in the early 1990s anti-virus software used this approach of trying
to watch the behavior of a virus. They gave up on it in favor of the
current signature-based approach because it was prone to false positives
and because it didn't catch many known viruses.
Of course, it's theoretically impossible to look at a program and figure out
what it's going to do. Even running the program in a virtual machine won't tell
you what it's going to do once you run it in the wild.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
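The forwarded article describes a scan-once cache: an executable is scanned when first seen and rescanned only if its "patterns or file size" appear to change. The example below is an added illustration, not eEye's or Blink's code, of what such a cache has to get right. It assumes a hypothetical `ScanCache` class with two identity modes, and it uses constructed file contents and a placeholder path. It shows why "same file size" is not the same as "same executable": a content change that preserves length is skipped by a size-keyed cache but caught by a hash-keyed one.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ScanRecord:
    """What the cache remembers about the last scan of a path."""
    size: int
    sha256: str


class ScanCache:
    """Hypothetical scan-once cache (an added example, not Blink's implementation).

    identity="size": treat a file as unchanged if its length is unchanged
                     (the weak check the article alludes to).
    identity="hash": treat a file as unchanged only if its content hash matches.
    """

    def __init__(self, identity: str = "hash"):
        if identity not in ("size", "hash"):
            raise ValueError("identity must be 'size' or 'hash'")
        self.identity = identity
        self._seen: dict[str, ScanRecord] = {}  # path -> record of last scan
        self.scans = 0  # number of expensive in-depth scans actually performed

    def needs_scan(self, path: str, content: bytes) -> bool:
        """True if this path has never been scanned or its identity changed."""
        rec = self._seen.get(path)
        if rec is None:
            return True
        if self.identity == "size":
            return rec.size != len(content)
        return rec.sha256 != hashlib.sha256(content).hexdigest()

    def scan(self, path: str, content: bytes) -> bool:
        """Run (or skip) the expensive scan; returns True if a scan was performed."""
        if not self.needs_scan(path, content):
            return False
        self.scans += 1  # stand-in for the slow VM-based analysis
        self._seen[path] = ScanRecord(len(content), hashlib.sha256(content).hexdigest())
        return True


# Constructed sample inputs: a fake executable and a same-length variant
# that differs in content. PLACEHOLDER_PATH is not a real file.
PLACEHOLDER_PATH = "C:/placeholder/tool.exe"
ORIGINAL = b"MZ" + b"\x00" * 14 + b"payload-v1"
SAME_LENGTH_VARIANT = b"MZ" + b"\x00" * 14 + b"payload-v2"
assert len(ORIGINAL) == len(SAME_LENGTH_VARIANT)


def unchanged_file_is_scanned_once(identity: str) -> int:
    """Seeing the identical file twice must cost exactly one scan in either mode."""
    cache = ScanCache(identity)
    cache.scan(PLACEHOLDER_PATH, ORIGINAL)
    cache.scan(PLACEHOLDER_PATH, ORIGINAL)
    return cache.scans


def rescans_same_length_change(identity: str) -> bool:
    """Does the cache rescan after a content change that keeps the file size?"""
    cache = ScanCache(identity)
    cache.scan(PLACEHOLDER_PATH, ORIGINAL)
    return cache.scan(PLACEHOLDER_PATH, SAME_LENGTH_VARIANT)


if __name__ == "__main__":
    for mode in ("size", "hash"):
        print(mode, "scans on repeat:", unchanged_file_is_scanned_once(mode),
              "rescans same-length change:", rescans_same_length_change(mode))
```

Both modes honour the "scan it once" goal for an unchanged file; only the hash-keyed cache notices a replacement binary of identical length, which is the detection gap a defender should check for when reviewing any scan-once design.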