"Syncme" <Syncme.TakeThisOut@nojunk.com> to "Frederic Bonroy" to "Syncme":
> >> To cite a few examples:
> >> Apache - Open source web server currently used by 60% of the internet.
> >
> > Hmmm... to be honest I doubt that it is as complex as a modern
> > anti-virus program. To be even more honest, I have no idea.
>
> Not sure either but I would think it's more different than more complex.
I'd side with Frederic (and indirectly with Kurt, from his comments elsewhere
in this thread) -- the internal complexity of modern virus detection engines
(this does not include Clam's engine -- it is decade-plus old technology only)
puts them amongst the most complex of software development projects.
> >> Linux - An operating system designed from scratch started by 1 student
> >> (can't get more complex than that)
> >
> > Since you mentioned computer science students elsewhere, here is a
> > thought: computer science students are usually taught the basics of
> > operating system design. They are not taught virus scanner design
> > however... in fact, not many people know how scanners operate internally.
A further comment I'm surprised Kurt and Frederic did not make here...
The projects "Syncme" offers as examples of the open-source community dealing
with large, presumably rather complex, development projects are examples of
products that have grown "organically". Both were started many years ago --
one, just a few years after the first AV engines were started. They have had
many years to develop along with the increasing sophistication and complexity
"expected" of them. However, whilst Linux and Apache are both good examples
of "state of the art" projects, their status, as such, is largely dependent on
the fact that both "grew up" with the needs and developing interest in such
products. The world (well, important parts of it) was "ready" for a cheap,
reliable, Unix-ish, POSIX-ish (maybe) OS when Linux started (well, shortly
thereafter actually and after Linux had developed "enough" to show it
(probably) "had the right stuff"). Ditto the "need" for a cheap, reliable web
server (recall that although Netscape gave away its browser for personal (and
education?) use, it charged like a wounded bull for its web _server_) neatly
matched the genesis and early development of Apache.
Antivirus software is quite different. Depending where in the corporate pile
you are, there has been a strongly felt "need" for AV software for more than
a decade; it almost became a critical, "must have" item with the arrival of
macro viruses and became essential with the arrival of the mass-mailers.
Open Antivirus, Clam, et al. came late to this party (long after the "need"
had been filled), so would have had to play serious catch-up if they were to
become the Linux or Apache of the AV world. Not only have they not played
catch-up, they have hardly developed at all (nor shown much interest in, or
inclination to, develop) along the lines obvious to anyone with a few clues
about how known virus scanning works and what is necessary to have a
reasonably competent, by late-90's standards, scanner.
The reason is (largely) because there are enormous problems, from an open
source perspective, for the potential developer of a new virus detection
engine, to overcome.
> Virus writing and Antivirus design are offered as electives in various
> universities.
And these courses are (with about two or three notable exceptions) offered
by academics with as much clue about what the antivirus problem is and how to
tackle it as the implementors of Open AntiVirus, Clam, etc. clearly have.
<<snip>>
> The virus definitions are certainly available on the net. They are all over
> the place along with the viruses.
Excuse me?
You have no idea how modern (i.e. not ClamAV, not OAV) virus detection
engines work, do you?
There is very little "virus definition" information available on the net,
short of reverse engineering a detection engine and its "virus definition"
database, but if you can do that _AND_ get meaningful virus detection
information for your own engine, you would almost certainly have the skill
and knowledge to be able to design your own engine from the ground up.
> That's how most av companies get them. All the av companies do is develop
> signatures for them for recognition.
Are you confusing "virus samples" with "virus definitions"? I guess if your
mindset of virus detection is "grep on steroids" then I can see how you
could make such a naive mistake...
> Anyway, there are open source av projects out there.
> openav
> clamav, clamwin
> softlabsav
> Perhaps not as popular because possibly people and developers don't know
> about them.
And they all suffer basically the same problems (as they are really based
on the same engine).
> Using someone else's definitions is out of the question because they
> wouldn't give it up to a competitor. How do you explain the 300 or so other
> av companies out there? I'm quite sure they don't share too much considering
> they are in direct competition. Not all of them are as big as McAfee and
> Symantec. I'm sure that some only consist of a few people that actually are
> core developers.
We do share samples, all the time. The marketeers won't tell you that,
but the virus analysts at all the major AV companies spend a great deal of
effort developing and maintaining strong trust relationships with other
analysts. This eases sample acquisition between companies...
> If there are rogue virus writers who can write tiny programs that open
> connections on your computer and connect to thousands of other computers and
> all be controlled remotely and decipher passwords and turn on cameras [even
> drink the beer from your fridge] while bouncing off another thousand
> computers to make tracing impossible, I'm sure there are people out there
> that can write a program that looks for signatures in application and email
> attachments.
Ahh yes, you clearly suffer the "virus detection == signature scanning"
mindset...
--
Nick FitzGerald