On Feb 9, 2012, at 3:27 AM, G.W. Haywood wrote:
> Chuck Swiger wrote:
>> Oh, sure...when this issue was first noticed, anti-virus providers
>> started doing things like obfuscating or encrypting the malware
>> signatures.  However, since malware generally also tries to conceal
>> itself, anti-virus software tries to un-obfuscate stuff (with
>> varying degrees of success).  It's a circumstance where you can
>> chicken-and-egg indefinitely.
> 
> I'm not convinced that a PATTERN which matches a virus 'signature' must
> necessarily trigger the detection of the signature by another scanner.
> For example "[Vv][iI][Rr][uU][Ss]" matches "Virus" but it doesn't look
> even remotely like it.  Maybe I haven't had enough chocolate today and
> I don't understand the problem well enough...

Oh, I don't claim that every signature must look like malware to another 
scanner.

But it's almost certain that the EICAR signature is floating around, and that's 
explicitly designed to be representable as an ASCII string without wildcards or 
[] charsets.  You don't have to match all signatures to have an issue, you just 
need one to appear in a form that the other scanner can recognize.

>> Or you can simply decide to not quarantine or delete filesystem
>> locations containing malware signatures.
> 
> Giving malicious software a convenient place to stay? :)

Indeed.  :-)  But if your system is compromised to the point where your A/V 
malware database location can be written to and changed by the bad software, 
you've already lost the round...

Regards,
-- 
-Chuck
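An added illustration of the two points made above, not code from the original thread or from ClamAV: a character-class pattern matches "Virus" without containing that literal, while a literal signature stored in plain form is findable by any other scanner that knows the same literal, and storing the database hex-encoded avoids that without losing detection. The signature string, the two database layouts and the scanned input are constructed stand-ins.

```python
import binascii
import re

# Constructed stand-in for a literal malware signature (not a real one).
SAMPLE_LITERAL = "TEST-SIGNATURE-LITERAL-STRING"
CHARSET_PATTERN = "[Vv][iI][Rr][uU][Ss]"

def scan_regex(data: bytes, patterns):
    """Scanner A: pattern-based; reports which regex signatures match data."""
    return [p for p in patterns if re.search(p.encode(), data)]

def scan_literal(data: bytes, literals):
    """Scanner B: only knows plain strings; reports which occur verbatim."""
    return [s for s in literals if s.encode() in data]

def literal_db(signatures):
    """Naive database layout: literal signatures stored as-is, one per line."""
    return "\n".join(signatures).encode()

def hex_db(signatures):
    """Obfuscated layout: each signature hex-encoded so the raw bytes never
    appear on disk (assumption: modelled on the idea of hex signature bodies,
    not on any scanner's exact file format)."""
    return "\n".join(binascii.hexlify(s.encode()).decode() for s in signatures).encode()

def load_hex_db(blob: bytes):
    """Decode a hex_db() blob back into usable literal signatures."""
    return [binascii.unhexlify(line).decode() for line in blob.split(b"\n") if line]

def db_self_detection(db_blob: bytes, other_scanner_literals):
    """Would another literal-matching scanner flag this database file on disk?"""
    return scan_literal(db_blob, other_scanner_literals)

def demo():
    sample = b"header... " + SAMPLE_LITERAL.encode() + b" ...trailer"  # constructed input
    return {
        # a charset pattern matches "Virus" while its own text does not contain it
        "pattern_matches": scan_regex(b"Found Virus here", [CHARSET_PATTERN]),
        "pattern_text_flagged": scan_literal(CHARSET_PATTERN.encode(), ["Virus"]),
        # a plain literal database is itself detectable by a literal scanner
        "plain_db_flagged": db_self_detection(literal_db([SAMPLE_LITERAL]), [SAMPLE_LITERAL]),
        # hex-encoded storage is not, yet still detects the sample after decoding
        "hex_db_flagged": db_self_detection(hex_db([SAMPLE_LITERAL]), [SAMPLE_LITERAL]),
        "hex_db_still_detects": scan_literal(sample, load_hex_db(hex_db([SAMPLE_LITERAL]))),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```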

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml