Commercial virus checker failed ...

Michael H. Warfield mhw at WITTSEND.COM
Wed Jan 9 02:49:08 GMT 2002


On Wed, Jan 09, 2002 at 09:44:37AM +1000, Scott Farrell wrote:
> For me it would be fail over.

        Hmmm...  Good point.  I think.  But that's yet another REAL
GOOD reason for multiple scanners.  HA failover if one blows chunks.

> Occasionally the virus update definition from CA for innoculate fails, and
> corrupts the whole of innoculate for a while, until you either reinstall,
> or wait for the next update (ugly).

        What happens then?  Does the program identify everything as a
virus or nothing as a virus?

> So in my case failover to the second scanner would be great.

        If the corruption results in nothing being tagged then you and
I are in perfect agreement.  Run three checkers and if any of them
identify it as a cybertoxin then quarantine the sucker.  If the
corruption results in everything being identified, then we have a
problem and the check has to be identified as faulty and flawed out.

> This probably also applies to DoS - it may not DoS both scanners at the
> same time.

        Haven't seen anything that would really DoS the scanner.  Somewhere
I've got that nasty gzip file "my_god_its_full_of_stars" and I've heard
of the zip of death (but haven't landed myself a copy yet).  Any other
known nasties?  (I collect them in my cybertoxin zoo.)  Zip is better
than gzip recursive explosive expandables if you want them to blow up
on scanning, except that gzip can be piped to itself for the recursion.  :-)
I don't even KNOW how big "my_god_its_full_of_stars" would gunzip to.

> regards
> Scott Farrell
>
> http://www.icconsulting.com.au
> ic Consulting - the people that make eBusiness happen.
> We offer e-business consulting and perform services. We deliver high impact
> consulting, and fast turn around projects for our clients.
> Ask us about Web Content Management,  Web Self Service, or working closer
> with your customers or suppliers.
>
> 0412 927 156,   02 9411 3622  mailto:sfarrell at icconsulting.com.au

        [...]

> > Not at the moment; there's not really any very good reason to do so, so far as
> > I'm aware.
>
>         Actually there are several that I'm aware of, and it's a feature which
> is a high priority to me.
>
>         #1 Reason...  There are many occasions when one virus scanner or
> another picks up a virus/worm and not the others.  No one product leads
> the field in this and I've heard recommendations to run at least three
> virus checkers in commercial development environments where deliverable
> product is prepared.
>
>         #2 Reason...  Sometimes one vendor is a little quicker than
> others to update signatures, either due to updating schedule or ongoing
> research work - leading to reason #1.
>
>         #3 Reason...  Nameology.  Sometimes virus checkers vary in their
> terminology.  Correlating detection with field reports can be simplified.
> Some may argue that this isn't a "good reason" while others may consider
> it vital.  Depends on what you are doing with the information.
>
>         #4 Reason...  Even when several virus checkers can spot a virus,
> not all of them may be able to sanitize the material the same way or
> may behave differently.
>
>         All of the above boil down to reliability and reaction speed.
> Depending on one virus vendor is not a safe bet.  While even combinations
> of vendors can not be relied on totally (last virus go-round I worked on
> we were fighting an infestation of the goner_a worm for 5 hours before
> the FIRST vendor had their signatures updated and some were over a day)
> having multiple vendors is more reliable than picking one and praying.
> Next time, the guys (who I will not name) who came in first may be dead
> last.  Especially at a critical throttle point like a central email server.
>
>         Using multiple virus scanners is a lot like using multiple spam
> identifiers.  SpamAssassin is the epitome of this.  You are more effective
> using multiple sources of information.

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
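The policy sketched in this thread (run several checkers, quarantine if any one flags the message, and drop a checker whose corrupted definitions make it flag everything or nothing) can be written down as a small aggregator. This is an added illustration, not code from the post or from MailScanner; the toy scanners, the canary samples and the detection names are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A scanner is modelled as a callable returning the name it detects, or None.
Scanner = Callable[[bytes], Optional[str]]

# Constructed canaries (assumption, not real signatures). A scanner whose update
# corrupted it tends to flag everything or nothing, so each scanner is probed with a
# known-clean and a known-detected sample before its verdict is allowed to count.
CLEAN_CANARY = b"plain text, nothing to see here"
DETECT_CANARY = b"CANARY-SAMPLE-EVERY-SCANNER-MUST-FLAG"

@dataclass
class Verdict:
    quarantine: bool
    detections: Dict[str, str] = field(default_factory=dict)  # scanner -> reported name
    faulty: List[str] = field(default_factory=list)           # scanners excluded this run

def scanner_healthy(scan: Scanner) -> bool:
    """A scanner that flags the clean canary or misses the detect canary is faulty."""
    try:
        return scan(CLEAN_CANARY) is None and scan(DETECT_CANARY) is not None
    except Exception:  # a crashing scanner is treated as faulty, never as "clean"
        return False

def scan_message(data: bytes, scanners: Dict[str, Scanner]) -> Verdict:
    """Quarantine if ANY healthy scanner flags the data; faulty ones fail over."""
    verdict = Verdict(quarantine=False)
    for name, scan in scanners.items():
        if not scanner_healthy(scan):
            verdict.faulty.append(name)
            continue
        hit = scan(data)
        if hit is not None:
            verdict.detections[name] = hit
    if len(verdict.faulty) == len(scanners):
        verdict.quarantine = True  # no working scanner left: fail closed, don't deliver
    return Verdict(verdict.quarantine or bool(verdict.detections),
                   verdict.detections, verdict.faulty)

# Constructed toy scanners standing in for real products (assumption for the demo).
def _vendor_a(data: bytes) -> Optional[str]:
    return "Worm.Goner.A" if b"goner" in data.lower() or data == DETECT_CANARY else None

def _vendor_b_corrupted(data: bytes) -> Optional[str]:  # bad update: flags everything
    return "Generic.Suspicious"

def _vendor_c(data: bytes) -> Optional[str]:
    return "Canary.Test" if data == DETECT_CANARY else None

SCANNERS = {"A": _vendor_a, "B": _vendor_b_corrupted, "C": _vendor_c}
```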



More information about the MailScanner mailing list