Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: microsoft!c-rossgr@uunet.uu.net
Newsgroups: comp.virus
Subject: Re: Tequila virus (PC)
Message-ID: <0010.9105281939.AA08091@ubu.cert.sei.cmu.edu>
Date: 28 May 91 15:15:02 GMT
Sender: Virus Discussion List
Lines: 58
Approved: krvw@sei.cmu.edu

>From: Padgett Peterson
>
>Ross: It would be interesting if you, Frisk, & I ever get together
>at a bar but they'll have to provide a padded room & unbreakable glasses.

Hey, take some time off and come on over to the UK this September for Ed Wilding's little get together in the Channel. I expect it to be *very* good [for those who are not aware of it, the Virus Bulletin is having an international virus seminar where just about everybody who is anybody will either a) be speaking or b) be in the audience making fun of those who are speaking. It ain't cheap, but I think it'll be real good.]

>>Sorry: I don't count "wild card" strings as a search pattern. There's
>>too much chance for false positives.

>Why do you disagree with "wild cards"? For example, if I find a boot
>sector that contains MOV AX,[413] MOV [413],AX I would
>suspect a virus regardless of what went on in the area.
>To me a variable length "wild card" to replace would be
>very useful in this case.

In our tests for Virex-PC's scanner, we throw it up against a coupla network servers filled to the brim with every piece of software we can find. When we let a new scanner with new strings loose on it, any false positives based upon our string library and our program library will show up quickly. I've found far too many false positives with wild card patterns than with either fixed patterns or algorithmic pattern matching schemes.

Since false positives remove some of the credibility of the product with corporate clients, we've worked long and hard to make sure that we don't have them: only two false positives to date for a product about a year old; that's not too bad at all (> 400 strings in the current release). When I report that there is a virus in a program or in a boot sector, I want to be sure.

>I agree that the potential for false positives exists, but as an
>initial mechanism that determines a maxterm/minterm decision tree
>structure or to provide a public signature without revealing too much
>of the viral design, such a "wild card" function would be very
>effective.

Part of the advantage of working hard on a fast search engine: some cycles to spare. If I put in a search string that is "wild carded" and get a hit on some program to verify later with some other method, why not just check that other method first? That's what I'm doing with about a half dozen viruses and I was able to accept a 1-2% hit on speed as a consequence of the action of checking completely for the virus instead of playing with wild cards.

Although I understand the desire for wildcarding (it certainly makes turning out a new piece of code a quick turnaround!), I just don't think it buys enough to feel safe with. But, well, to each their own!

Cheers!

Ross
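The wild card versus fixed pattern trade-off argued in the thread above, as an added example that is not part of the original post: a toy signature matcher supporting literal bytes and variable-length gaps, run over constructed 16-bit x86 byte strings (A1 = MOV AX,[imm16], A3 = MOV [imm16],AX, 2D = SUB AX,imm16). The signatures and samples are constructed for illustration and are not taken from any scanner or virus.

```python
# Added example (not from the original post): a toy signature matcher that
# contrasts a fixed byte pattern with the variable-length "wild card" pattern
# described in the thread, showing how the wild card version hits benign code.

# A pattern is a list of tokens: an int is a literal byte; a (lo, hi) tuple
# matches any run of between lo and hi arbitrary bytes.
SIGNATURES = {
    # MOV AX,[0413] ; <0..16 arbitrary bytes> ; MOV [0413],AX
    "wildcard": [0xA1, 0x13, 0x04, (0, 16), 0xA3, 0x13, 0x04],
    # MOV AX,[0413] ; SUB AX,0004 ; MOV [0413],AX  (one specific body)
    "fixed":    [0xA1, 0x13, 0x04, 0x2D, 0x04, 0x00, 0xA3, 0x13, 0x04],
}

def match_at(data, pos, tokens):
    """True if tokens match data starting exactly at offset pos."""
    if not tokens:
        return True
    tok, rest = tokens[0], tokens[1:]
    if isinstance(tok, tuple):
        lo, hi = tok
        # Variable-length gap: try each permitted length (backtracking).
        return any(match_at(data, pos + n, rest)
                   for n in range(lo, hi + 1) if pos + n <= len(data))
    return pos < len(data) and data[pos] == tok and match_at(data, pos + 1, rest)

def scan(data, signatures=SIGNATURES):
    """Return the sorted names of every signature that hits anywhere in data."""
    return sorted(name for name, toks in signatures.items()
                  if any(match_at(data, pos, toks) for pos in range(len(data) + 1)))

# Constructed samples (not real code from any program or virus).
# Suspect: reads the BIOS memory-size word at 0040:0013, subtracts 4 KB and
# writes it back, which is exactly the body the fixed pattern expects.
SUSPECT = bytes([0xA1, 0x13, 0x04, 0x2D, 0x04, 0x00, 0xA3, 0x13, 0x04, 0xC3])
# Benign: reads the same word, does unrelated work, stores it back unchanged
# (MOV AX,[413]; MOV BX,AX; MOV AH,9; INT 21h; MOV AX,BX; MOV [413],AX; RET).
BENIGN = bytes([0xA1, 0x13, 0x04, 0x8B, 0xD8, 0xB4, 0x09, 0xCD, 0x21,
                0x8B, 0xC3, 0xA3, 0x13, 0x04, 0xC3])
# Clean: unrelated code with no reference to 0413h (MOV AX,4C00h; INT 21h).
CLEAN = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21])

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN), ("clean", CLEAN)):
        print(label, "->", scan(blob))
```

The benign sample trips only the wild card signature, which is the false positive Ross describes; the fixed signature hits only the body it was written for.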