From: FromTheRafters on

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hitlb509bf(a)news3.newsguy.com...
> From: "FromTheRafters" <erratic(a)nomail.afraid.org>
>
>
> < snip >
>
> | Viruses, on the other hand, cannot infect non-executables, so
> | non-executable filetypes need not be searched for them.
>
> No but they can be hidden or contained within through such techniques
> as steganography.

Yes, but then they are trojan payloads. They need another malware
instance to translate and execute them (trojan/dropper).

...or de-containerized by some mechanism - and *then* detected.
(Unfortunately Java doesn't do this, and its containers must be searched
as if they were executable files.)

Viruses are attached to code (probably in their view in that article)
and perhaps they are not considering malware in general, just the
(necessary) AV component (especially on servers).

Why look for something where it *cannot* be?


From: Dustin Cook on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in news:hite6k$lm4$1
@news.eternal-september.org:

> "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
> news:Xns9D02121AB16ACHHI2948AJD832(a)69.16.185.250...
>> http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo
>
> It's another case of terminology problems I think.
>
> If the filetype is non-executable - it *cannot* be infected so there is
> no need to scan it for *viruses*.

That's where the problem lies... Microsoft suggests excluding entire
folders by default... this would actually allow malware to hide from their
own application by doing that... Lol. :)

And I do hope it's actually doing a header check on the files and not
going by file extension. Yes, the Windows GUI won't execute a .bmp file;
it'll try to open it for viewing instead. However, a program, OTOH, can
call said .bmp (which was really an exe) and it won't display a picture
but run instead.

> data in the registry even becomes a hiding place for code. You might as
> well include trojans in the mix, because replication is irrelevant to
> whether or not a file should be scanned by an antimalware application.

I agree.


--
"Is there anything in Guul Draz that doesn't suck the life out of you?"
- Tarsa, Sea Gate sell-sword.
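The "header check, not extension" point above, as an added example (not code from the thread or from any scanner): classify a file by its leading bytes, so a PE image saved under a .bmp name is still treated as executable. The two sample byte strings are constructed for the demonstration, and the small set of recognised types is an assumption kept deliberately short.

```python
import struct
from pathlib import Path

# Constructed sample inputs (not real files): a DOS "MZ" stub whose e_lfanew
# field (offset 0x3C) points at a "PE\0\0" signature, saved under a .bmp name,
# beside a genuine BMP header under the same extension.
RENAMED_EXE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
REAL_BMP = b"BM" + struct.pack("<IHHI", 54, 0, 0, 54) + b"\x00" * 40

def looks_like_pe(data: bytes) -> bool:
    """True when a DOS header is present and e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):      # e_lfanew may point outside the buffer
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff_type(data: bytes) -> str:
    """Classify by content. Only the formats this check needs are listed (assumption)."""
    if looks_like_pe(data):
        return "pe"
    if data[:2] == b"MZ":
        return "dos-exe"              # MZ stub without a PE header
    if data[:2] == b"BM":
        return "bmp"
    return "unknown"

EXECUTABLE_TYPES = {"pe", "dos-exe"}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "com"}

def classify(name: str, data: bytes) -> dict:
    """Decide scan policy from what the bytes are, never from the extension alone."""
    ext = Path(name).suffix.lower().lstrip(".")
    kind = sniff_type(data)
    executable = kind in EXECUTABLE_TYPES
    return {
        "name": name,
        "extension": ext,
        "content_type": kind,
        "executable": executable,
        # A renamed executable shows up here as a mismatch worth flagging.
        "extension_mismatch": executable and ext not in EXECUTABLE_EXTENSIONS,
    }

if __name__ == "__main__":
    for name, blob in (("photo.bmp", RENAMED_EXE), ("photo2.bmp", REAL_BMP)):
        print(classify(name, blob))
```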

From: FromTheRafters on
"Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
news:Xns9D02F2FD89A50HHI2948AJD832(a)69.16.185.247...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
> news:hite6k$lm4$1
> @news.eternal-september.org:
>
>> "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
>> news:Xns9D02121AB16ACHHI2948AJD832(a)69.16.185.250...
>>> http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo
>>
>> It's another case of terminology problems I think.
>>
>> If the filetype is non-executable - it *cannot* be infected so there
>> is no need to scan it for *viruses*.
>
> That's where the problem lies... Microsoft suggests excluding entire
> folders by default... this would actually allow malware to hide from
> their own application by doing that... Lol. :)

I don't understand their logic in suggesting an entire directory can be
excluded, but I also don't see that actually suggested here:

http://support.microsoft.com/kb/822158

Maybe upon re-reading I will see it.

The files that they suggest can be excluded are not excluded based on
the extension, they are named in order for the user to identify them and
only those identified files (not any others that may use the same
extension) are being suggested for exclusion.

As for entire folders (as they put it) I assumed that maybe those would
be symbolic links (which aren't really directories). Just guessing there
though as I haven't re-read the article yet.

> And I do hope it's actually doing a header check on the files and not
> going by file extension. Yes, the Windows GUI won't execute a .bmp
> file; it'll try to open it for viewing instead. However, a program,
> OTOH, can call said .bmp (which was really an exe) and it won't display
> a picture but run instead.

Yes, that I *do* remember - each time that they offer the suggestion,
they stipulate that files should not be excluded *based* on extensions,
but the extensions can be used to help the user identify the files that
are targeted for exclusion.

>> data in the registry even becomes a hiding place for code. You might
>> as well include trojans in the mix, because replication is irrelevant
>> to whether or not a file should be scanned by an antimalware
>> application.
>
> I agree.

You just can't go around excluding areas from scanning for malware, but
viruses (in this context) will *not* be found in non-executable
filetypes.

The problem now is that AV scanners do more than just check for viruses
but attempt to cover a wide spectrum of malware types. Excluding areas
from scanning for viruses will also exclude them from scanning for other
malware types.

AV should have remained strictly anti-VIRUS like many of us suggested
years ago in the alt.comp.virus groups. The AV companies, in their zeal
to be the *all* for protecting users from the need to behave properly,
have made a mess of things by chasing the almighty dollar. They now
offer antispyware components in an attempt to muscle into that arena to
the exclusion of any competitor's programs - citing resource conflicts
as the *reason* for excluding competitors' (better) products.

Give me an AV that checks for *viruses* and allow me to choose what
other programs (or policies) to use to avoid other malware types.

Gotta go to work (before I *really* start ranting...

:o)


From: Ant on
"FromTheRafters" wrote:

> "Ant" wrote:
>> Yes, indeed but such files are not "executables" in the way that exe
>> and dll files are.
>
> The WMF filetype example was designed to be, but many assumed it was
> not.

It may contain code (the SetAbortProc callback) for use by the GDI but
is not an executable that can be run by the OS exe loader. Any scan
only needs to check if this callback record is present.

> Unfortunately, there is the possibility that those experts use the term
> "viruses" to mean malware - in which case it would be wrong to exclude
> any filetypes.

Yes.

>> Also, you can't rely on file extensions to determine the type.
>
> That was mentioned on the MS page ISTR.

I hadn't read that until now.

>> This means that all files should be opened and read by a scanner,
>> regardless of extension, in order to check their format even if no
>> further scanning is done on a particular file.
>
> Malware scanners, yes.

I would say virus scanners also need to check, since executable files
with an extension other than 'exe' can still be launched from the
registry.

> The idea that certain filetypes and/or directories can be safely
> excluded from malware scanning is too 'brain-dead' an idea even for
> Microsoft.

I agree and am somewhat puzzled by that MS KB article. They warn about
corruption and other stuff if certain files are not excluded. If these
files are critical they should be locked for exclusive access by
whatever MS program is using them.

> Viruses, on the other hand, cannot infect non-executables, so
> non-executable filetypes need not be searched for them.

Yes, but they should be accessed and read to determine their
executability.


From: FromTheRafters on
"Ant" <not(a)home.today> wrote in message
news:DeidnTYC5MepkM7WnZ2dnUVZ7oWdnZ2d(a)brightview.co.uk...
> "FromTheRafters" wrote:
>
>> "Ant" wrote:
>>> Yes, indeed but such files are not "executables" in the way that exe
>>> and dll files are.
>>
>> The WMF filetype example was designed to be, but many assumed it was
>> not.
>
> It may contain code (the SetAbortProc callback) for use by the GDI but
> is not an executable that can be run by the OS exe loader. Any scan
> only needs to check if this callback record is present.

There are plenty of examples of executable filetypes not directly
loaded by the loader chain.

What I meant is that an attacker using this filetype for hostile code is
not exploiting a software vulnerability in this case, but is abusing a
function. That function was deprecated and nearly forgotten, and the
filetype was assumed to be graphic data only.

>> Unfortunately, there is the possibility that those experts use the
>> term "viruses" to mean malware - in which case it would be wrong to
>> exclude any filetypes.
>
> Yes.
>
>>> Also, you can't rely on file extensions to determine the type.
>>
>> That was mentioned on the MS page ISTR.
>
> I hadn't read that until now.

Did you see any reference to excluding an entire folder? Or was that
reference intended to mean all files within that folder that were placed
there by the OS installation?

I think that they might have meant that all files placed (by default by
the OS when installed) within some folders and only *some* files
(identified by filename or extension) in other folders.

>>> This means that all files should be opened and read by a scanner,
>>> regardless of extension, in order to check their format even if no
>>> further scanning is done on a particular file.
>>
>> Malware scanners, yes.
>
> I would say virus scanners also need to check, since executable files
> with an extension other than 'exe' can still be launched from the
> registry.

I believe they are only concerned with the files mentioned. They know
what those files are and are not capable of. They are *not* executable
files and need not be scanned. They are *not* saying (for instance) that
*all* log files or database files are benign.

>> The idea that certain filetypes and/or directories can be safely
>> excluded from malware scanning is too 'brain-dead' an idea even for
>> Microsoft.
>
> I agree and am somewhat puzzled by that MS KB article. They warn about
> corruption and other stuff if certain files are not excluded. If these
> files are critical they should be locked for exclusive access by
> whatever MS program is using them.

I'm guessing that these files are fairly large and that they change
often, making AV scanners that use change detection (in order to avoid
having to rescan already-scanned files) scan them every time. This is
in addition to their already stated corruption issues.

>> Viruses, on the other hand, cannot infect non-executables, so
>> non-executable filetypes need not be searched for them.
>
> Yes, but they should be accessed and read to determine their
> executability.

I suppose that that isn't too much to ask - should be much quicker than
scanning for virus signatures.