From: FromTheRafters on
"RayLopez99" <raylopez88(a)gmail.com> wrote in message
news:612fa39b-70b6-4c4b-ae4a-218b3b26a1cc(a)z3g2000yqz.googlegroups.com...
On Mar 23, 11:27 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:

>
> Yes. I had to clean up a Windows laptop last year despite things
> being kept up to date and AV installed. The AV was bloody hopeless at
> detecting it despite being kept up to date.

***
That wasn't me, my contributions are either indented properly, or fixed
between the *** and the *** when "quoted-printable" like this post.
***

[...]


In short, as I code, I know that computers are very predictable. If
your AV program is configured to catch virus "X" then it will catch
it--and you will not be infected.

***
Not *always* the case. Sometimes the signature is in the virus body and
the self-decryptor has to run in emulation for a time before revealing
said virus body. If the self-decryptor has emulation detection
capability it may fail to reveal the body when it detects that it is
being *watched*.
***

As for the 30-70% of malware that
are not caught (see the PDF in this thread), this could be "zoo" type
malware that is included in the figure but in practice is never seen
'in the wild'.

***
Actually, the problem with zoo viruses is that they *are* being
detected in the tests, and they make a useless feature appear as an edge
over those that don't (or can't) detect them. To me, it is okay if they
*don't* detect them, but it is not okay if they *can't*. They should be
excluded from test sets, but the technology to detect them should
remain.
***



From: David H. Lipman on
From: "Char Jackson" <none(a)none.invalid>

| On Wed, 24 Mar 2010 07:48:20 -0400, Leythos <spam999free(a)rrohio.com>
| wrote:

>>In article <qluiq59i975s6scc2slnl6gf6fcc02onvr(a)4ax.com>,
>>none(a)none.invalid says...

>>> On Tue, 23 Mar 2010 22:14:24 -0400, "David H. Lipman"
>>> <DLipman~nospam~@Verizon.Net> wrote:

>>> >From: "Char Jackson" <none(a)none.invalid>
>>> >
>>> >| On Tue, 23 Mar 2010 18:57:13 -0400, ToolPackinMama
>>> >| <philnblanc(a)comcast.net> wrote:
>>> >
>>> >>>People I meet have many times asked me if they should shut their Windows
>>> >>>computers off at night, and I always say, "Yes, keep your PC off unless
>>> >>>you are using it."
>>> >
>>> >>>I figure if it's off, an infected computer can do less damage.
>>> >
>>> >| I agree with the advice, although I don't follow it myself. To me, the
>>> >| primary reason for turning a system off is to save electricity.
>>> >
>>> >
>>> >Actually the quiescent temperature is better since you don't have hard drive warming
>>> >expansion and drive cooling contraction cycles adding to the wear and tear factor and
>>> >aging of a hard disk.

>>> Probably true, but I have no evidence, even anecdotal evidence, to
>>> indicate that it makes an appreciable difference in equipment life. :)

>>If you've worked with Electronics for any length of time,

| Just over 45 years. The end is in sight. :)

>>and with
>>devices that have bearings, you would know, without guessing, that
>>turning off a device increases chances of a problem when you try and use
>>it again. There are also times when a device fails due to normal
>>wear/tear/age....

| I know what you're saying is a commonly held belief. I used to repeat
| it myself, but I have to admit that looking back over the last 20-30
| years that it simply isn't true. I think it used to be true in the
| days of vacuum tubes, but not since then.

| Here's someone who agrees with me, or vice versa:
| <http://michaelbluejay.com/electricity/computers-questions.html#turnoff>
| <http://blogs.wsj.com/numbersguy/how-much-juice-is-your-computer-using-at-night-145/>

| The articles are mostly about saving energy, but they touch on the
| power cycle issue, as well.


If chips are soldered down they STILL suffer from chip-creep due to expansion/contraction
cycles.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: FromTheRafters on
"RayLopez99" <raylopez88(a)gmail.com> wrote in message
news:dd0a8cc6-8a56-43da-863d-86b3ae9c6b56(a)y17g2000yqd.googlegroups.com...
On Mar 23, 10:43 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:

> The bottom line is that antivirus and antimalware programs only detect
> *some* of what they try to detect. The best approach is to limit the
> amount of malware that you expose those programs to. Adhering to best
> practices may result in avoiding 95% (just a guess) of malware out
> there. The rest will be worms (i.e. exploit based autoworms) and
> viruses
> (downloaded from *reputable* sources).


OK, that 5% interests me. But as a scientist I believe in
verification. Anybody get infected by that 5%, and by what, did it
have a name?

***
Conficker (fairly recent) was (is) an exploit based autoworm. There is
the lag time (zero-day effect) from the time the vulnerability is first
exploited, to the time the patch is applied. Its *intent* seems to be to
annoy you into purchasing something. Using a botnet to keep itself
current, it is much more powerful than that - we were lucky - this might
change.
***

The only thing I can think of is: (1) unnamed viruses
not get discovered by Kaspersky or whoever, and, (2) zero-day attacks
by new viruses (or variants of old) that Kaspersky sends out the patch
but a day late.

***
Yes, there is a lag time also between the analysis of the malware (not
the exploit) and the distribution of the signature obtained from the
analysis (another zero-day effect, this time for the particular malware
now utilizing that exploit). It is not called a "patch" though, usually a
definitions file or signature file (sigfile).

I can't provide you with anything that supports the "trusted channel"
vector except to mention that Energizer USB Charger software trojan.
There have been others, viruses IIRC, on distribution CD for harddrives
and such, but no URLs for you.
***


From: FromTheRafters on
"David W. Hodgins" <dwhodgins(a)nomail.afraid.org> wrote in message
news:op.u92rm6fca3w0dxdave(a)hodgins.homeip.net...

> These were on systems using up-to-date av/m$ software. So the
> problem does still exist, but is mostly rootkits and trojans,
> rather than true viruses.

Funny how things change. Rootkits used to be used for hiding activity.
Now the activity is "in your face" and the rootkit only hides to make
removal more difficult. Must be damned annoying always getting stuff
like that.


From: FromTheRafters on
"RayLopez99" <raylopez88(a)gmail.com> wrote in message
news:af165e13-bdda-40d8-85de-3bcbea20e8a0(a)g28g2000yqh.googlegroups.com...

B.S.! You lost the debate and now you're trying ad hominem attacks.

***
Beware of those ad harmonium attacks, they can often lead to violins.
***