Re: clamav and magic byte
OK, last try to convince you... :)
> It's not a bug, it's a design property of such systems
In other words: it is a design error (feature).
As I point out in my whitepaper, the "changed" viruses are STILL detected with the
SAME signature.
And then, "a magic" - you change the FIRST byte to anything and the virus is
detected, but when you change to "M" (exe magic byte) - the AV fails. What is
your conclusion?
Regards,
Andrey Bayora.
----- Original Message -----
From: "Florian Weimer" <fw@deneb.enyo.de>
To: "Andrey Bayora" <andrey@securityelf.org>
Cc: <debian-security@lists.debian.org>
Sent: Thursday, November 03, 2005 11:25 PM
Subject: Re: clamav and magic byte
> * Andrey Bayora:
>
> >> "...Andrey Bayora just describes one way to create new viruses, there are
> > countless others."
> >
> > Please, read http://www.securityelf.org/magicbyteadv.html - there
> > are 13 CVE numbers issued for this BUG.
>
> Often, CVE numbers are assigned because vendors release updates, not
> to bless a bug in some way.
>
> > If it is not - why do AV vendors issue patches for this "issue"?
>
> Apparent inaction (leading to a potential loss in market share) is
> more expensive than pushing out updates to customers, it seems.
>
> > The "new viruses" opinion comes mostly from AV companies that did not want
> > to believe that their AV has such a trivial BUG.
>
> It's not a bug, it's a design property of such systems.
>
> To be clear, the issue you point out is real, but this is the
> fundamental problem with client-side antivirus software: It can only
> detect things which haven't been specifically crafted to go
> undetected. Since (most?) signatures are publicly available, it's
> pretty easy to tweak your malware until it passes popular scanners.
>
> In this round of Core Wars, the piece of software which was written
> last almost always wins.
>
>