|May the source be with you, but remember the KISS principle ;-)|
|Contents||Bulletin||Scripting in shell and Perl||Network troubleshooting||History||Humor|
v.2.01; Oct. 21, 1997
The conference was held Oct.2-3, 1997 in SF. The partially accurate program of the conference is available on http://www.virusbtn.com/VB97/programme_tables.html.
I would like to single out the following five presentations that IMHO deserve attention:
1. David J. Stang: "In pursuit of prevalence: a look at 'In the Wild'".
2. Jimmy Kuo: "Free Macro Anti-virus Techniques".
3. David Aubrey-Jones: "Macro Attacks on Office 97"
4. Dmitry Gryaznov: "Scanning the Net'"
5. Martin Overton: "FAT32 - New Problems for Anti-virus or Viruses?
The most impressive was the presentation by David J. Stang. Its title could probably be changed to "'In The Wild List' Is Dead". Although David diplomatically stated that "This article is NOT an attack on the developers of any wild list" it was actually a RIP for the "In The Wild List" urban legend. IMHO this is probably the main result of VB97. Better late than never ;-). I hope that after this presentation the new editor of the Virus Bulletin will abandon the "In The Wild" urban legend.
I had never listened to David before and the fact that he worked in NCSA in the past makes him a little bit suspect (NCSA is the major proponent of the "In the Wild List" :-), but he gave a very good presentation. I believe most people connected with AV testing will (silently :-) agree that the "In The Wild List" is unscientific (i.e. subjective), misleading (if used in AV scanner testing) and generally serves no identifiably useful purpose. It's a little bit like the shadow of academician Lysenko's heritage (for those lucky souls who did not know about Lysenko and Lysenkoism, see the definition in the "Sceptic's dictionary" at http://wheel.ucdavis.edu/~btcarrol/skeptic/lysenko.html). A meaningful "In the wild list" is just not possible due to regional differences. For example there is a product called V-HUNTER (http://ras1.dials.ccas.ru/dsav.htm#Vhunter) that for many years detected and disinfected only viruses that were found in Russia (it does not cover polymorphic viruses - they are covered by DrWeb, though). The list of viruses that it contains, even if we exclude polymorphics, has very little to do with the "In the Wild List".
IMHO the "In the Wild List" is an artificial mix. As such, it should never be used for evaluations of the quality of the AV software. Often it does not include viruses that became widespread for a month or two (a very long period in the AV industry). At the same time it includes viruses which probably never managed to get into a particular country, and in this sense are no different from any virus that can be found on "Virus CDs" or in collections available via the Internet.
Although I have publicly criticized the "In the Wild List" several times, nobody has taken the time to put all the relevant arguments against it on paper. David's presentation does the job just fine. If any publication uses the "In the Wild List" in 1998, I recommend it be viewed with great suspicion or just thrown in the garbage, where it probably belongs ;-).
David Stang made a good field study of virus distribution in several different countries and formulated four reasons why a good wild list in not possible (I paraphrased them as follows):
Again, IMHO the main reason is that prevalence is so different between regions of the world that a global prevalence list make very limited sense after, say, a dozen most widespread viruses. See below for the discussion of Dmitry Grayznov's presentation about one possible alternative - "In The Usenet List". It is an objective, but it has several serious problems that need to be solved before it can be viable for AV scanners testing.
For some strange reason Jimmy Kuos presentation was put on the technical track. IMHO it was the most useful for practitioners presentation at the conference. Jimmy did a really useful job of collecting and classifying the methods of improving macro virus protection in MS Word without using macro virus scanners of VxD. I would like to applaud Jimmys vendor neutral-approach that was used in the paper. The text of this paper is available on http://www.nai.com/services/support/vr/free.asp I strongly recommend downloading and reading it. Several additional useful techniques should be mentioned:
A combination of copying the NORMAL.DOT template from a special backup directory, SCANPROT installation in the STARTUP directory and the use of RTF proves, as my own experience shows, to be a very inexpensive and efficient corporate framework for fighting macro viruses. These methods are especially useful for organizations that are afraid of using VxD for stability reasons.
As for RTF, I have had a positive experience with it in a large corporate environment, despite the fact that the CAP.A virus fools the user. This virus saves the document in native MS Word format instead of RTF even if the user tries to save it in RTF. At the same time, it is very easy to check on the mail gateway (or in the mailbox) if the attachment was really converted to RTF. One only needs to check the first 5 bytes of the file. So the check can be really quick, much quicker than scanning the file for macro viruses.
This was an interesting presentation that tried to systematize macro virus protection features that are available in MS Word 97. Although Microsoft could and should do more, they have made a number of important and significant changes in Office 97 that makes the threat of macro virus infection less likely. The following features (with the exception of No. 1) are generally poorly documented and communicated to the public.
The last feature is probably the most important. In Word 97 only projects can be protected, while in Word 6 any single macro can be protected. A Microsoft white paper "Word Basic Migration to Visual Basic for Applications" (available as a self extracting archive wbmigrat.exe from http://support.microsoft.com/support/kb/articles/q164/3/70.asp) lists the following four important restrictions:
Generally, switching to Office 97 is a pretty smart move from the point of view of macro virus protection.
VirusPatrol is a free service, provided by Dr. Solomon, to protect users of newsgroups from virus infections by the daily scanning of major Usenet newsgroups. Dmitry Gryaznovs project was really innovative in several aspects and, to a certain extent, proved that Dr. Solomon is one of the market leaders.
First, probably the best way for a virus author to quickly distribute a virus is to mail it to one or several popular USENET groups. Also, files and documents that contain a particular virus (for example a resume that contains the CAP.A virus) are an indicator of a prevalence of the virus. Attached executables and documents are scanned using heuristic analysis. Suspicious samples are analyzed and a detection and clean-up routine is incorporated in FindVirus. VirusPatrol issues an alert to the newsgroup warning other readers not to download the infected file. In this way a virus outbreak may be prevented. Service is not intrusive. Readers of the scanned newsgroups will be aware that they are being protected by Internet VirusPatrol only when an alert is issued within that group. The list of viruses found on the scanned newsgroups over the past two months is available via http://www.drsolomon.com/vircen/vp/index.cfm. It is really instructive reading.
The second important aspect of this pioneering work is the ability to create something like an "In the Usenet List". I believe that Dmitry should take some steps in this direction. There are several problems that need to be resolved, such as the posting of virus collections and posting viruses for distribution in provirus newsgroups. The simplest way is to exclude them. A second approach is to introduce a rating for each virus found according to the newsgroup and to use a lower rating for virus distribution newsgroups. Let's briefly discuss four major objections mentioned above against the "In The Wild List":
Martin Overton provided an interesting discussion of FAT32 that appeared in the Service Pack 2 for Windows 95 and is a preferable file system for today 3G+ hard drives. The paper is available on http://www.salig.demon.co.uk/fat32/fat32new.htm. He demonstrated that many DOS viruses (including MBR and boot sector (DBR) viruses) work adequately under Windows 95 and FAT32. At the same time most antivirus vendors were very slow to implement proper handling of FAT32.
Some of his findings appear to be completely opposite to postings by notable researchers on the alt.comp.virus group. The most important of them is that DBR viruses really cannot be removed from FAT32 partitions by non-FAT32 compatible anti-virus software.
That means that customers with FAT32 installed, who paid for such AV products as AVP 3.0, F-prot Professional 3.0 and ThunderByte (as well as probably several others) were paying not for protection from a large subset of boot viruses that infect the boot sector [DBR] instead of MBR, but for vapor. Of those that do support FAT32, both McAfee ViruScan 3.03 and Norton Antivirus 3.0 constantly gave false positives after a cold-clean-boot [Virus found in memory]. Those that successfully support FAT32 and didnt produce false alarm include: Dr. Solomons AVTK 7.72 and VET 9.44. Sophos Sweep supports FAT32, but refuses to remove FORM.A as they consider a FAT32 partition infected with a FAT16 boot virus a problem that requires help from their support desk.
IMHO one important problem was completely overlooked: the problem of the reliability of AV products. AV products not only add to the cost of ownership of the Microsoft and Novel platforms. More often that not AV products, especially NLM s and VxD drivers, negatively affect the underling OS stability. Like other categories of consumers, AV consumers need some kind of consumer protection from problems like those reported by Martin Overton. The level of testing of AV products (QA) really needs to be improved. I will add just one example:
From: email@example.com (F PROT MAN)
Subject: Re: F-Prot Pro 3.0 for NT: Very Nasty Bug
Date: 2 Oct 1997 21:51:22 GMT
>This is confirmed by me personally. We lost lots of documents, thank God
>for back ups. We reported this to our F-prot supplier who finally confirmed
>this problem yesterday ( Oct.1).
We hope to have this resolved in the next version of the software. Thank you
for your interest in F-PROT Professional.
... ... ...
The author plans additional research into this subject.
Dr. Nikolai Bezroukov
Copyright 1997, Nikolai Bezroukov
Permission granted to freely copy and redistribute (including posting on web pages, usenet, BBS, bulletin boards of on-line service providers) provided this copyright notice is included.
Copyrighted material contained within this document is used in compliance with the United States Code, Title 17, Section 107, "for purposes such as criticism, comment, news reporting, teaching"
Disclaimer: All comments or statements are solely my own, and do not reflect or represent any organization's that I may be associated with.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: Oct 16, 1997;