From: Roger Wilco on 5 Sep 2005 18:57

"Art" <null(a)zilch.com> wrote in message news:qvuoh190ob40ev03b0no89mn7c368ir2mg(a)4ax.com...

> I've never used any version of NAV, but I have uploaded many suspect
> files to Virus Total and jotti. And I used to use Project VGREP quite
> a bit to see what various av products name a malware that KAV alerts
> on.
>
> Often, NAV just gives a heuristic "Bloodhound" type of alert. And it
> even more often just calls a variety of quite different malware
> samples "Trojan Horse".
>
> It would drive me up the wall to have to use such a product :)
>
> Of course, alerting is at least _something_. The ever so popular
> AVG far too often just goes "duh" :)
>
> McAfee is another case. Its detection is quite good, but it tends
> to produce the same name for many different samples far too often
> to suit my tastes.
>
> And F-prot is even worse for this sort of thing ... lumping many
> different Trojans into just one kind of report such as "dangerous"
> or "suspicious".

As far as the 'protection' angle goes, it is sufficient to have high accuracy in 'detection'. The accuracy in 'identification' is somewhat less important. You need correct identification for correct removal, but removal is not a preventative measure. If you use AV as a recovery from infection tool, you have already lost the battle that AV was designed to help with - prevention.

I know that I'm 'preaching to the choir' regarding you Art, but since AV has tacitly admitted defeat in prevention and focussed on cleanup and on-access scanning instead - it only then becomes important to correctly identify malware locally with a scanner. Why couldn't the identification of malware samples be done as a web application? Wouldn't doing so reduce the number of definitions needed by the local AV program? The local AV could detect a malware sample and offer to submit it to further analysis or package a copy of it for you to send.

...but I digress...

Identification is not needed in order for an AV scanner to say "you probably don't want to execute this program".
From: Art on 5 Sep 2005 20:42

On Mon, 5 Sep 2005 18:57:15 -0400, "Roger Wilco" <yesman(a)yourservice.invalid> wrote:

>> I've never used any version of NAV, but I have uploaded many suspect
>> files to Virus Total and jotti. And I used to use Project VGREP quite
>> a bit to see what various av products name a malware that KAV alerts
>> on.
>>
>> Often, NAV just gives a heuristic "Bloodhound" type of alert. And it
>> even more often just calls a variety of quite different malware
>> samples "Trojan Horse".
>>
>> It would drive me up the wall to have to use such a product :)
>>
>> Of course, alerting is at least _something_. The ever so popular
>> AVG far too often just goes "duh" :)
>>
>> McAfee is another case. Its detection is quite good, but it tends
>> to produce the same name for many different samples far too often
>> to suit my tastes.
>>
>> And F-prot is even worse for this sort of thing ... lumping many
>> different Trojans into just one kind of report such as "dangerous"
>> or "suspicious".
>
> As far as the 'protection' angle goes, it is sufficient to have high
> accuracy in 'detection'. The accuracy in 'identification' is somewhat
> less important. You need correct identification for correct removal, but
> removal is not a preventative measure. If you use AV as a recovery from
> infection tool, you have already lost the battle that AV was designed to
> help with - prevention.
>
> I know that I'm 'preaching to the choir' regarding you Art, but since AV
> has tacitly admitted defeat in prevention and focussed on cleanup and
> on-access scanning instead - it only then becomes important to correctly
> identify malware locally with a scanner. Why couldn't the identification
> of malware samples be done as a web application? Wouldn't doing so
> reduce the number of definitions needed by the local AV program? The
> local AV could detect a malware sample and offer to submit it to further
> analysis or package a copy of it for you to send.
>
> ...but I digress...
>
> Identification is not needed in order for an AV scanner to say "you
> probably don't want to execute this program".

I was not looking at this from the POV of prevention but from the POV of a user who gets a vague detection report. One wonders how effective a product can be that can't pinpoint and ID a particular malware and variant. What are you supposed to do next when you scan your drive on demand and it reports something vague, and it's unable to do anything about it? That sucks :)

I think your web app idea might have some merit, but my first critical thought is of the many malwares nowadays for which the user shouldn't be on line .... RATs and Worms. And he may need to be in Safe mode or using an alternate OS for removal. But think it and work it through some more and then elaborate :)

The crux of your idea or thought seems to involve the use of a hypothetical heuristic-heavy scanner that's "lightweight" in both defs and bloat .... that somehow turns over the chore to "something else" to determine exactly what it is that it found ... an fp or an actual malware ... and pinpoint the malware and its variant. But again, that "something else" can't require a connection to the internet. Maybe an rf (radio waves) link to that "something else". Who knows what might evolve in the future.

Art
http://home.epix.net/~artnpeg
From: What's in a Name? on 5 Sep 2005 21:05

"Buffalo" <eric(nospam)@nada.com.invalid> wrote in news:3v-dnSNoLtc2G4HeRVn-jg(a)comcast.com:

>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:Zd%Se.13936$QN4.8127(a)trnddc02...
>> From: "Buffalo" <eric(nospam)@nada.com.invalid>
>>
>> | Check here for some interesting results:
>> | http://www.av-comparatives.org/
>> |
>> | It seems that in the Feb and Aug 05 On-demand comparative,
>> | Norton Anti-Virus is
>> | second in detection, just behind Kaspersky.
>> | Those who use the others, and swear by them, should also check
>> | out that site.
>> | How the heck did Norton get up so high?
>> | One answer is their latest engine is better. AFAIK, Norton's
>> | 2002, 3, and 4's engines don't do as well.
>> | Any other ideas?
>> |
>>
>> One must remember "comparative tests" are only based upon
>> statistical analysis and the test
>> process. Both can be biased either intentionally or
>> accidentally.
>>
>> There are; lies, damn lies, statistics and benchmarks.
>
> Someone once said, 'If you want favorable answers to your poll,
> ask the right questions'.
>
> "I didn't lie. I only said some things that later, seemed to be untrue." - Richard Nixon

--
Playing Nice on Usenet: http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
From: * * Chas on 6 Sep 2005 01:56

"What's in a Name?" <maxpro4(a)nomail.afraid.org> wrote in message news:Xns96C8D6AC031FDmaxpro4unomailafraid(a)204.153.244.170...

| "Buffalo" <eric(nospam)@nada.com.invalid> wrote in
| news:3v-dnSNoLtc2G4HeRVn-jg(a)comcast.com:
|
| >
| > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| > news:Zd%Se.13936$QN4.8127(a)trnddc02...
| >> From: "Buffalo" <eric(nospam)@nada.com.invalid>
| >>
| >> | Check here for some interesting results:
| >> | http://www.av-comparatives.org/
| >> |
| >> | It seems that in the Feb and Aug 05 On-demand comparative,
| >> | Norton Anti-Virus is
| >> | second in detection, just behind Kaspersky.
| >> | Those who use the others, and swear by them, should also check
| >> | out that site.
| >> | How the heck did Norton get up so high?
| >> | One answer is their latest engine is better. AFAIK, Norton's
| >> | 2002, 3, and 4's engines don't do as well.
| >> | Any other ideas?
| >> |
| >>
| >> One must remember "comparative tests" are only based upon
| >> statistical analysis and the test
| >> process. Both can be biased either intentionally or
| >> accidentally.
| >>
| >> There are; lies, damn lies, statistics and benchmarks.
| >
| > Someone once said, 'If you want favorable answers to your poll,
| > ask the right questions'.
| >
| >
|
| "I didn't lie. I only said some things that later, seemed to be
| untrue." - Richard Nixon

"I am not a crook"! - Richard Nixon
From: * * Chas on 6 Sep 2005 02:00

"Art" <null(a)zilch.com> wrote in message news:7gaph11kmijcqf20vm0pr67honkmfpj5sp(a)4ax.com...

| On Mon, 5 Sep 2005 13:13:14 -0700, "* * Chas" <dnafutz(a)aol.spam.com>
| wrote:
|
| >No AV product is ever going to be 100% foolproof and detect every virus
| >all of the time. Malware is developed faster than protective measures.
| >The most realistic solution is to practice Safe Hex, pick a product or
| >products that you have FAITH in and hope for the best.
|
| I say never put any faith in any av. Those who do will take hits.
|
| Art

That's why it's capitalized!

Chas.