non-heuristic anti-virus software?
lugoteehalt
03-22-2006, 06:31 AM
Know sod all about this sort of stuff, but heard this party on the BBC:
He said that corporations couldn't make money out of selling anti-virus type software unless it was 'heuristic', by which he meant the software had to know about a particular virus before it could scrag it. He said what was needed was software that didn't need this, but could detect the activity of any virus, without knowing its precise identity - something like that anyway.
So couldn't some free software person come up with something of the sort and potentially do a great deal of damage to the commercial people? Just asking, have no idea myself.
(Incidentally, without irony they said he used to be a crim but was now legit: he was a 'hacker' but now works for a bank.)
soulestream
03-22-2006, 12:17 PM
I think the biggest issue is what is "virus activity". Changing system files, installing root kits, changing browser settings?
By that definition anti virus programs themselves, "browser customizers", tweak tools, and anything from Symantec are considered viruses. Applying security updates could be considered a virus too.
soule
bwkaz
03-22-2006, 08:22 PM
He said that corporations couldn't make money out of selling anti-virus type software unless it was 'heuristic', by which he meant the software had to know about a particular virus before it could scrag it. He said what was needed was software that didn't need this, but could detect the activity of any virus, without knowing its precise identity - something like that anyway.
I think you maybe have that backwards.
Virus scanners now are mostly non-heuristic, though some have a heuristic mode that you can turn on. (And some scanners' heuristic modes are better than others.) They all have a specific set of signatures that they check the file's bytes against; if the file has a set of bytes in it that match a certain signature, it'll flag the file as infected. But it's almost trivially easy for a virus writer to get around this kind of thing (and in fact they did, when the WMF buffer overflow was going around); all they have to do is trivially encode the code that runs the virus (the stuff that the scanner would normally trigger on), then include some code to decode it before running it. If each file has a different "key" for the encoding, that's even better -- no virus scanner on the planet will catch that, even in heuristic mode: virus scanners don't scan files in memory as they're running, only whenever they're accessed. Unless you do a full scan; then some will scan memory. But you'd have to be executing the virus at the time you ran the full scan to catch it, and many (if not most) viruses now include code to disable various virus scanning programs.
(As a simple example of an encoding, the virus could store a 128-bit random value somewhere in itself, then repeatedly XOR that value against 128-bit chunks of its code before writing the result out to the file. Before running the code, it could redo the XOR so that the original bits come back. There's now absolutely nothing that the virus scanner can trigger on, because each different value for the 128-bit "key" will give you a different set of output bytes. But the decoder knows the "key", so it can get the original instructions back -- which haven't changed.)
Plus, with each new virus, signature-based scanners require that you get an update to your signatures -- conveniently ensuring a constant stream of revenue to the scanner's authors. (Well, in some cases. I would be willing to bet that some virus scanners don't charge for signature updates, but I don't know for sure.)
Those are two reasons why virus scanners based on signatures are horribly stupid.
Now, heuristic-based scanning, where you check for a set of patterns instead of hard signatures (e.g., "anyone calling this particular API is probably a virus"), would be better but still not foolproof. As soulestream has pointed out, it's hard to decide what behavior determines a virus: format.com and a disk-formatting virus probably have similar code in them. How to decide which one to allow and which one to flag?
It's interesting how Linux solves the virus problem. Start here: http://linuxmafia.com/~rick/faq/index.php?page=virus#virus and read all the way down. It's not that viruses are hard to write for Linux; they're easy. The difference is that you can't do anything with them because nobody runs as root. (Well, almost nobody.) ;)
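An added example (not from anyone in this thread) of the point above, written from the scanner's side: once the body is XOR-encoded under a per-file key, a signature on the body bytes no longer matches the file on disk, but the decoder stub is the part that stays constant across samples, so a defender can signature the stub or decode the file the way the stub would and scan the result. The stub, body and key below are constructed placeholders, not real code.

```python
import os
from typing import Optional

# Constructed, harmless stand-in for "the stuff the scanner triggers on".
KNOWN_BAD_BODY = b"HYPOTHETICAL-VIRUS-BODY-MARKER-0001"
# Constructed signature database: the scanner only knows the body bytes.
SIGNATURES = {"body-sig": KNOWN_BAD_BODY}
# Constructed placeholder for the decoder: invariant across samples.
STUB = b"DECODER-STUB:"
KEY_LEN = 16  # 128-bit key, as in the post


def xor_block(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_encoded_file(body: bytes, key: bytes) -> bytes:
    """File layout sketched in the post: constant stub, then the key, then the encoded body."""
    return STUB + key + xor_block(body, key)


def signature_scan(data: bytes, sigs: dict) -> Optional[str]:
    """Plain signature scan: report the first signature whose bytes occur verbatim."""
    for name, sig in sigs.items():
        if sig in data:
            return name
    return None


def decode_for_scan(file: bytes) -> bytes:
    """Defender-side emulation of the stub: recover the bytes that would actually run."""
    key = file[len(STUB):len(STUB) + KEY_LEN]
    return xor_block(file[len(STUB) + KEY_LEN:], key)


def demo(key: Optional[bytes] = None):
    """Returns (on-disk scan result, stub-signature result, scan-after-decode result)."""
    key = key or os.urandom(KEY_LEN)
    f = build_encoded_file(KNOWN_BAD_BODY, key)
    on_disk = signature_scan(f, SIGNATURES)                # None: body bytes are gone
    stub_hit = signature_scan(f, {"stub-sig": STUB})       # stub is constant, so it matches
    decoded_hit = signature_scan(decode_for_scan(f), SIGNATURES)  # matches after decoding
    return on_disk, stub_hit, decoded_hit


if __name__ == "__main__":
    print(demo())
```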
cybertron
03-22-2006, 08:51 PM
It's interesting how Linux solves the virus problem. Start here: http://linuxmafia.com/~rick/faq/index.php?page=virus#virus and read all the way down. It's not that viruses are hard to write for Linux; they're easy. The difference is that you can't do anything with them because nobody runs as root. (Well, almost nobody.) ;)
Bookmarked. I've read it before, but it'll be handy to have around next time that obnoxious Windows user tells me how Linux is going to get viruses just like everyone else. :)
lugoteehalt
03-24-2006, 10:08 AM
Thanks. To my surprise I find it weirdly interesting. :)