Trend Micro scanner in MS...
Hugo van der Kooij
hvdkooij at vanderkooij.org
Tue Nov 3 23:19:26 GMT 2009
On 11/02/09 22:19, Jameel Akari wrote:
>
> Slightly off-topic I suppose.
> Is anyone here using a current release of Trend's AV for Linux?
>
> I'm not directly finding anything in Trend's current products for Linux
> that provide command-line scanners which MailScanner are looking for
> (i.e. vscan).
>
> Instead you have "ServerProtect" which basically seems only on-access
> (with a kernel module, ugh) or "InterScan VirusWall" which seems to have
> 'isvw-scan' but needs a 4GB install of other junk I don't need in order
> to work.
>
> Am I missing something obvious here?
Yes. The fact that Trend Micro and other AV vendors know that there is
no way you can stop malware just by using signature detection the way
people used to think about malware scanning.
I know that Dr Web refuses to enter their product in any test that
is in effect just a static signature test.
ClamAV is old school in this regard as they still do signature scanning
instead of looking more into the behaviour of applications and how they
access resources.
Because interaction with the OS is very important in this philosophy,
they focus on the weakest and most prolific OS at hand. And all the
serious AV vendors either work in that direction or are moving towards
that direction.
I did a test about 3 years ago and ploughed through 2 months worth of
samples and suspects and there were about 10000 new variants present.
With signature scanning you need 10000 signatures to get them. Perhaps
slightly less.
If you can detect behaviours and detect anomalies in them you may need
just 100 behaviour rules which all of them will break.
As far as signature scanning goes, ClamAV does an amazing job. But it
will be limited to the design of signature detection.
Signature detection in email may still work to a reasonable extent. But
it becomes highly impractical in web-based solutions. And I think most
bots propagate themselves through websites. (Hijack a favicon, .....)
So now you know why there is no command-line scanner from Trend Micro.
It simply does not fit in their philosophy. And historically Trend Micro
is not the best in signature detection in my experience.
Hugo.