Tuesday, March 20, 2007

a question from panda labs

the folks at panda have floated a question on their blog... it's an interesting question but since they don't seem to have any comment feature available on their blog there does not appear to be any direct way to give them feedback on the question...

in simple terms, given a file format that supports a feature heavily abused by malware purveyors, should anti-virus companies be detecting instances of that filetype where that feature is actually being used and if so what do you tell people who use that feature legitimately?

my answer is yes, absolutely, add detection for files using features known to be abused by malware... of course years ago i was also completely in favour of having anti-virus products detect the MtE mutation engine in spite of the fact that (according to dr. solomon) some knucklehead (my words) was using it legitimately in a code obfuscation product... i don't think i managed to change dr. solly's mind on the matter, though...

now this new case would probably mean some interesting things when it comes to office documents... and then there's html files with embedded scripts... oh, and it would be really cool (though i doubt many would agree) if you could detect multi-media files that make use of digital rights malware technology...

ok, so maybe you have to stick to the format-features that are seeing widespread abuse right now (i still think drm would apply, but anyways) but this is absolutely a worthwhile thing to do - widely abused format-features represent significant risk and tools need to be available to manage (i.e. avoid) that risk... that's what you tell the people using those format-features legitimately...

alternatively, don't approach this as something for a virus scanner to naively detect (i.e. an entry in the blacklist) but rather as a context in which to apply some sort of whitelisting so that people can add authorization for trustworthy content providers... or hey, why not combine the two - treat such files as potentially unwanted objects or greyware that you detect but include the ability to add exclusions for certain types of content... i think you'll find that files utilizing such widely abused features fit reasonably well into the greyware classification...

2 comments:

Unknown said...

I think this falls into the same realm as pop-up window warnings in browsers. They are not always bad, but I'd rather be informed when they're attempting to do things as opposed to reacting only after the fact.

Obviously, the feature should be a toggle so someone watching legit QuickTime movies regularly won't have to suffer through and become numb to the alerts.

Then you have other questions. Should Panda (AV vendors) be determining when legit features are potential abusers? That seems slightly more subjective than identifying unwanted malware. Should they be acting as the information source for average users in evaluating threats and possible malware attempts? Should QuickTime (Apple) fix their sh!t and take out unnecessary features that ended up being used for ill more than any positive benefit?

It's an interesting question, and for now, I'd prefer to answer their question by saying, "yes, alert on that stuff."

kurt wismer said...

"Obviously, the feature should be a toggle so someone watching legit QuickTime movies regularly won't have to suffer through and become numb to the alerts."

as i understand it, they'd only be alerting on those quicktime movies that actually used href tracks... the impression i get is that most quicktime files don't use that feature in the first place so there shouldn't be a lot of false alerts...

"Then you have other questions. Should Panda (AV vendors) be determining when legit features are potential abusers?"

when it comes to features being used to spread malware, anti-malware companies are in pretty much the best position to know when it's happening and which features are being abused...

"That seems slightly more subjective than identifying unwanted malware."

no, it's just a matter of identifying which features are being used to spread that which has already been determined to be malware...