Re: Crap AV detection results



You sent them a text file?

Maybe sending the executable would get better results.



Re: Crap AV detection results

On Sat, 28 Mar 2009 20:42:56 -0400, FromTheRafters wrote:


Why not? Most AV software will detect .BAT, .CMD and other script files
which are in text format.

Which executable would that be?

The point is that it is as dangerous as an .EXE file. If you plug a memory
stick with that specific file in its root directory into an unpatched PC
with autorun not disabled, it can cause that PC to become infected with a
worm that has been known to be in the wild for three months or more. And
33% of VirusTotal's chosen sample of representative AV programs that
purport to protect PCs from such infectors *don't detect it*.

Re: Crap AV detection results



Indeed. That file is a little like the old "autoexec.bat" file. Consider
an entry like "@hrur4ttn.exe" in that file. Sure, it would be good to
detect such an entry, but you wouldn't really know much about the
malware itself without analyzing the actual "hrur4ttn.exe" file.


The one the information file attempts to execute when autorun is
enabled - or the one it attempts to trick the user into executing by
making it look like a simple "open" action.


It is not a patch, it is a configuration option. Sort of like having the
option to not boot from a floppy to avoid boot sector infector
propagation.


The text file?
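
The post above notes that the information file only names what gets launched and how the entry is labelled. As an added example (not part of the thread), this Python code lists the launch commands in an autorun.inf, the files they reference (the ones worth collecting and submitting), and whether the AutoPlay label reads like a plain "open" entry; the sample content is constructed, and the extension list and label heuristic are assumptions.

```python
import re

# autorun.inf keys whose value is a command Windows may launch from the drive.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I)
ACTION_KEY = re.compile(r"^\s*action\s*=\s*(.+?)\s*$", re.I)
# Assumed list of launchable extensions; extend it to suit your environment.
FILE_REF = re.compile(r'[^\s",=]+\.(?:exe|dll|com|scr|bat|cmd|pif|vbs)\b', re.I)

# Constructed sample, not a real specimen; the file name is the one from the post.
SAMPLE = r"""
;padding line before the section
[AutoRun]
xQzT unrelated filler text
Action=Open folder to view files
Open=hrur4ttn.exe
shell\open\Command=hrur4ttn.exe /s
ShellExecute = "tools\setup.exe" -q
"""

def triage_autorun(text):
    """Return ([(key, command), ...], action_label) for the [autorun] section.

    Lines are matched one at a time, so filler that a strict INI parser
    would reject is skipped instead of aborting the scan.
    """
    launches, label, in_section = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s.lower() == "[autorun]"
        elif in_section and not s.startswith(";"):
            if m := LAUNCH_KEY.match(line):
                launches.append((m.group(1).lower(), m.group(2)))
            elif m := ACTION_KEY.match(line):
                label = m.group(1)
    return launches, label

def files_to_collect(text):
    """Files named by launch commands: the samples worth submitting for analysis."""
    launches, _ = triage_autorun(text)
    return sorted({f.lower() for _, cmd in launches for f in FILE_REF.findall(cmd)})

def label_mimics_open(label):
    """True when the AutoPlay label reads like an ordinary folder-open entry."""
    return bool(label and re.search(r"\bopen\b.*\b(folder|files?)\b", label, re.I))

if __name__ == "__main__":
    launches, label = triage_autorun(SAMPLE)
    print(launches, label, files_to_collect(SAMPLE), label_mimics_open(label))
```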



Re: Crap AV detection results

On Sat, 28 Mar 2009 21:57:17 -0400, FromTheRafters wrote:


A patch is needed to fix the configuration option.
http://www.itworld.com/windows/63219/after-cert-warning-microsoft-delivers-autorun-fix

Yes.

Re: Crap AV detection results

http://www.itworld.com/windows/63219/after-cert-warning-microsoft-delivers-autorun-fix

True, but it is still an abuse of function rather than a software flaw
that needed to be patched.

In the above analogy, it is like setting the option not to boot from
floppy and yet still being able to boot from the floppy. If the
suggested option was to change the boot device order to make the floppy
the last option chosen - you could still get infected if the other
devices were not bootable for some reason. Changing the CMOS Setup
program to allow "disabling" of boot devices would be the equivalent of
the patch.


I think you place too much emphasis on detecting this fragment of the
worm.


