Re: [Openantivirus-discuss]Re: virus code is never executed - virus or not?]]

[Antony S. <Antony@Soft-Solutions.co.uk>]

On Sunday 11 January 2004 12:42 pm, Fridrik Skulason wrote:

> >>   3) If the virus code does not get executed, the ideal behaviour would
> >>      be to report the program as corrupted by the "so-and-so" virus,
> >>      but failing to report the virus at all, or allowing the program
> >>      to execute is not really a "failure" as such... there is no active
> >>      virus in the program.
> >
> > How do you know whether the virus code gets executed without performing
> > an exhaustive test on what the entire code does under all input
> > conditions?
>
> You analyse the virus code and determine how it "infects" the host program.

This seems like something of an undefinable problem to me - very much like the 
Church - Turing proof I referred to earlier.

Much easier in practice to detect the viral code and not bother about what 
it's doing there - just report it anyway.

> > if viral code is found it should be reported as such.
>
> It may not be practical to find the virus code if it is not executed - for
> example if the virus is heavily polymorphic.

If that is the case then you don't have yourself a very good virus scanner?

What's to stop the virus writer creating such heavily polymorphic code and 
making sure that it *does* get executed?   You'd surely want your A-V engine 
to pick it up then....

Antony.

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

                                                     Please reply to the list;
                                                           please don't CC me.