Security Incidents mailing list archives

Re: strange software > winsupdater.exe


From: k levinson <levinson_k () yahoo com>
Date: Thu, 17 Mar 2005 10:16:33 -0800 (PST)

You're both right, sort of.  File names are not
totally useless, but one has to be careful and
understand the caveats.  

Using file names, you can more or less confirm that a
file is suspicious, but you cannot confirm whether a
file is legitimate.  If Google doesn't find anything,
or everything it finds is bad, that's not good.  But
if Google or any other web site does find legitimate
files with that name, that is inconclusive.

Also, looking at file names does not reliably identify
what the malware is, what variant, what it may have
done to your system, and how to remove it.  

Far more useful and informative is submitting the file
to a place such as www.virustotal.com for instant
analysis, and for simultaneously submitting new
samples to multiple AV vendors.  If you know the file
name, I feel this should be done before searching
Google or posting here.

People posting file names here should probably also be
posting 1) the directory path the file was found in,
in case a legitimate file name [e.g. svchost.exe] is
found in a nonstandard folder name.  I would also
suggest that such people 2) post the results of a
Google search and 3) the results of analysis via one or
more antivirus programs, such as via
www.virustotal.com.

Now, if someone were to argue that in the time it took
you to do a Google search, you could have more
accurately identified the malware by using one or more
AV scanners, that could be a true statement.  

Or if someone were to say that using file names
incorrectly presents a danger that a junior tech could
look up "svchost.exe" and find that it is legitimate,
or that someone could decide just to delete a bad file
and not realize that passwords have been logged or a
second service undeletes the first deleted file, I
might agree.  Just deleting malware [or reformatting
it away] without accurately identifying it, submitting
it and understanding it can be very bad for your
security.

regards,

Karl


-----Original Message-----
From: Jeremy Anderson [mailto:jeremy () angelar com]

Actually, I'd say [filenames are] fairly useful, if
you plug them into Google.  Sites like iamnotageek.com
have pretty good information repositories on what is
legitimate and what is not.
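An added example, not from the thread: a small Python helper that applies checks 1) and 3) from Karl's post offline, flagging a well-known Windows file name found outside its expected folder (the svchost.exe case) and computing the SHA-256 you would submit to www.virustotal.com. The expected-directory table and the sample paths are assumptions made for the example.

```python
"""Triage helper: flag a known system binary name in a nonstandard folder and
compute the hash to submit for AV analysis (www.virustotal.com) before deleting."""
import hashlib
from pathlib import PureWindowsPath

# Expected locations of a few Windows binaries whose names malware commonly
# borrows. Assumed for this example; it is not an authoritative list.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def classify_path(path: str) -> str:
    """Return 'expected', 'nonstandard' or 'unknown-name' for a Windows path.

    'expected' only says the name sits where the real binary lives; it does
    not prove the file is legitimate (a hash/AV check is still needed).
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()  # PureWindowsPath normalises '/' to '\'
    if name not in EXPECTED_DIRS:
        return "unknown-name"
    return "expected" if parent in EXPECTED_DIRS[name] else "nonstandard"


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of the file contents, the value to submit/search."""
    return hashlib.sha256(data).hexdigest()


def triage(path: str, data: bytes) -> dict:
    """Combine the path check and the hash into one record for a report."""
    return {"path": path, "verdict": classify_path(path), "sha256": sha256_of(data)}


if __name__ == "__main__":
    # Constructed samples: a real-looking path, a masquerade, and the thread's file.
    samples = [
        (r"C:\Windows\System32\svchost.exe", b"MZ-constructed-sample-1"),
        (r"C:\Windows\svchost.exe", b"MZ-constructed-sample-2"),
        (r"C:\Users\bob\AppData\Roaming\winsupdater.exe", b"MZ-constructed-sample-3"),
    ]
    for path, data in samples:
        r = triage(path, data)
        print(f"{r['verdict']:13} {r['sha256'][:16]}...  {r['path']}")
```

A 'nonstandard' or 'unknown-name' verdict is the cue to submit the hash and sample for analysis, not to delete the file.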

