Comments on anti-virus rants: mcafee's catastrophic false alarm
Blog author: kurt wismer (http://www.blogger.com/profile/03810635947269551517)
Feed last updated: 2023-08-26T05:04:33-04:00
9 comments, shown in chronological order.

Rick (Unknown, https://www.blogger.com/profile/01531098293234134619), 2010-04-23 12:21 -04:00:
MaCafee completely screwed up my PC on April 22, never again will I use their crap. Thanks, MaCafee, for NOTHING. Rick

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2010-04-23 12:25 -04:00:
well, to mcafee's credit, it appears that they're going to be implementing some of the ideas i presented in my post (see here: http://siblog.mcafee.com/support/an-update-on-false-positive-remediation/).
that should prevent this from ever happening again.

Peachy (http://www.games.retroist.com), 2010-04-23 17:20 -04:00:
@kurt wismer stopping it from happening again is (of course) a good move; the fact that it happened is a rookie move.

Not that I rate Mcafee very high to begin with. I recently decided to buy it as there was a special on at my local pc superstore, even though every fibre in my body told me not to. With AV as CPU heavy as their latest beast is, I would have expected it to keep my system far safer than what I had eventually decided was best for my set up. It wasn't the case; and I am back (quite happily I might add) to a free AV and safe from this horrendous mistake by the Mcafee team, which no doubt has set back the trust built up with users, who will never want to use anything with the Mcafee stamp of "excellence" on again.

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2010-04-24 03:34 -04:00:
@peachy:
i agree, it did seem like amateur hour to me too, hence the tone of the original post (before the edited bit).

i can't really speak much about the product, though, as i haven't used it since before they had dat files.

Peachy (http://pausescreen.wordpress.com/), 2010-04-24 04:36 -04:00:
@kurt wismer the week i had it installed, it went something like this:

false positive, false positive, false positive, one of those was when it told me that my IM client was in fact a virus (I'm pretty sure it wasn't :D), uninstall.
TBH I can cope with false positives every now and again; it is more the resource hog it is for such little payoff. Plus, if it came up with a file that i had never heard of and i was feeling too lazy to google it, i would have just done what all those other poor people did and would now be without a PC.

LonerVamp (Anonymous), 2010-04-27 10:51 -04:00:
good times!

-LonerVamp

Didier Stevens (http://DidierStevens.com), 2010-04-29 08:58 -04:00:
Checking the AuthentiCode digital signature of Microsoft executables is another way to whitelist. But calculating the cryptographic hash is resource intensive.

kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2010-04-29 10:20 -04:00:
@didier stevens:
while digital signatures give you many of the same benefits as a whitelist, it's not quite the same.

i guess it could be considered a highly distributed whitelist where the record of a particular executable's inclusion on that whitelist is stored with that executable, but from a whitelisting perspective there are a number of problems with this model - not the least of which being that you have to trust the signing party, which is often the same folks who made the executable in the first place. also the signature is technically only meant to prove authenticity, not fitness for use or safety. whitelists don't prove these very well either, but at least they're usually generated with those concepts in mind.

in the case of the particular suggestion i made above (using a whitelist to prevent false positives on critical system files) digital signatures probably would have sufficed if one were to limit oneself to checking only for microsoft signatures - but that assumes that all critical files are signed. i hope they are, but maybe some aren't, i don't know for sure.

Didier Stevens (http://DidierStevens.com), 2010-05-17 09:53 -04:00:
@kurt I just realized there's a way to limit the resource consumption with digital signature checking.

Check the signature only after the AV engine has flagged the file as positive. If the signature is a valid Microsoft signature, don't take action.

Almost all MS Windows executables are signed, but most don't contain the signature in the PE file itself, but in a separate catalog file.

Windows File Protection uses digital signatures to check (and preserve) the integrity of critical files. WFP is the feature in Windows XP that automatically restores a deleted critical file.