<null DeleteThis @zilch.com> wrote:
<<snip>>
> The differing philosophies of the av vendors are interesting. The KAV
> analysts apparently see no danger in the .sud files and no reason to
> alert on them.
>
> Where's Nick? Whatcha think? What if these .sud files appeared in a
> malware collection used for testing av detection. Are they "crud" that
> shouldn't cause an alert?
Who's right here? KAV or F-Prot?
I think both are kind of right...
I'm assuming you ran F-PROT with the "/dumb" (or perhaps "/collect")
switch -- I'd be quite surprised for it to "false" on such files otherwise.
The confusion is over how to handle such odd-ball, non-natural but in a
sense "real" samples. From an AV-purist position, the Norton utility
that made these should have obfuscated them in some more thorough way
than just slapping a small header on them -- at a minimum XOR'ing the
file bodies, or perhaps compressing them with some proprietary algorithm
(or at least into a tweaked/proprietary format so they wouldn't be
recognized and automatically decompressed by another scanner).
> Personally, I'm glad that F-Prot alerted. It gives me a puzzle to chew
> on. I don't know how the damn Hackarmy sample wound up where it did.
> As I said, I don't use NAV. It's an old version of Norton Utilities I
> use sometimes for its Speed Disk (defrag), System Check, and NDD.
> Somehow, a recent System Check resulted in the subject .sud files
> being created (it seems). Certainly, I've been handling hackarmy
> samples I've downloaded from newsgroups to check and collect them. So
> that at least explains why a sample may have been in my c:\download
> directory. But I can't yet explain the Norton System Check behaviour.
Sorry -- can't help there either...
> Anyway, the question is, what's best for typical users? I'm reminded
> of old discussions of "false alarms" and "crud" and how av vendors
> aren't supposed to scare users unnecessarily. It's a continually
> interesting kind of issue and question.
Indeed.
The sysclean.exe "hit" is clearly a false alarm, but the .SUD files
are yet another of those very dubious grey areas where it is all too
easy to argue fairly convincingly that either of two opposite behaviours
is "right"...
--
Nick FitzGerald