Comments on: ConsumerReports beats up anti-virus, then gets beat up http://michaelgracie.com/2006/08/17/consumerreports-beats-up-anti-virus-then-gets-beat-up/ Clever Tagline Unavailable At Publication Time Wed, 07 Jan 2009 20:17:40 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Matt Sergeant http://michaelgracie.com/2006/08/17/consumerreports-beats-up-anti-virus-then-gets-beat-up/comment-page-1/#comment-218 Matt Sergeant Fri, 18 Aug 2006 15:00:18 +0000 http://www.michaelgracie.com/consumerreports-beats-up-anti-virus-then-gets-beat-up/#comment-218 So the big problem with commercial AV is that it's designed for the desktop. Even when it's deployed to stop viruses in email it is looking at attachments because that's what they know - files. We saw that there were specific techniques used in email that made viruses easier to detect and implemented them. Also there's ways we can examine executables that the AV vendors just can't do (because of the desktop thing). A good way of thinking about this is that on the typical desktop there's millions of files and executables, but for the most part nobody emails them to eachother (you don't email someone notepad.exe). So a false positive on a desktop scanner can be really critical, but when you're just scanning email you know you can be a bit more aggressive. Finally, all viruses are basically evolutions of the one that came before it. Virus writers don't tend to write a brand new virus - they take their previous code and modify it slightly, tweaking it until they find it gets through the version of McAffee or Sophos they have installed. Then they send it out. So we create heuristics that can detect variations on the themes. I make it sound simpler than it is really - but we saw this flaw in the usual AV techniques and took the opportunity to fix it. So the big problem with commercial AV is that it’s designed for the desktop. Even when it’s deployed to stop viruses in email it is looking at attachments because that’s what they know - files. We saw that there were specific techniques used in email that made viruses easier to detect and implemented them.

Also there’s ways we can examine executables that the AV vendors just can’t do (because of the desktop thing). A good way of thinking about this is that on the typical desktop there’s millions of files and executables, but for the most part nobody emails them to eachother (you don’t email someone notepad.exe). So a false positive on a desktop scanner can be really critical, but when you’re just scanning email you know you can be a bit more aggressive.

Finally, all viruses are basically evolutions of the one that came before it. Virus writers don’t tend to write a brand new virus - they take their previous code and modify it slightly, tweaking it until they find it gets through the version of McAffee or Sophos they have installed. Then they send it out. So we create heuristics that can detect variations on the themes.

I make it sound simpler than it is really - but we saw this flaw in the usual AV techniques and took the opportunity to fix it.

]]> By: Michael Gracie http://michaelgracie.com/2006/08/17/consumerreports-beats-up-anti-virus-then-gets-beat-up/comment-page-1/#comment-217 Michael Gracie Thu, 17 Aug 2006 19:01:57 +0000 http://www.michaelgracie.com/consumerreports-beats-up-anti-virus-then-gets-beat-up/#comment-217 <p>Not much use in an outbreak..."very"</p> <p>Thanks for the point, Matt. I think all readers (plus me) would love some additional explanation on what you guys do differently. May be set an example for the commercial folks (proprietary methods exclusive, of course)?</p> Not much use in an outbreak…”very”

Thanks for the point, Matt. I think all readers (plus me) would love some additional explanation on what you guys do differently. May be set an example for the commercial folks (proprietary methods exclusive, of course)?

]]> By: Matt Sergeant http://michaelgracie.com/2006/08/17/consumerreports-beats-up-anti-virus-then-gets-beat-up/comment-page-1/#comment-216 Matt Sergeant Thu, 17 Aug 2006 18:43:26 +0000 http://www.michaelgracie.com/consumerreports-beats-up-anti-virus-then-gets-beat-up/#comment-216 Not all anti-virus works like that. Though all the commercial ones do which is why we wrote our own. You're spot on though - Graham doesn't want the cat let out of the bag that most AV software only detects viruses they've already seen before. Not much use in an outbreak really. Not all anti-virus works like that. Though all the commercial ones do which is why we wrote our own. You’re spot on though - Graham doesn’t want the cat let out of the bag that most AV software only detects viruses they’ve already seen before. Not much use in an outbreak really.

]]>