From: Antony S. <Antony@Soft-Solutions.co.uk> - 2004-01-11 12:56:10
On Sunday 11 January 2004 12:42 pm, Fridrik Skulason wrote:
> >> 3) If the virus code does not get executed, the ideal behaviour would
> >> be to report the program as corrupted by the "so-and-so" virus,
> >> but failing to report the virus at all, or allowing the program
> >> to execute is not really a "failure" as such... there is no active
> >> virus in the program.
> >
> > How do you know whether the virus code gets executed without performing
> > an exhaustive test on what the entire code does under all input
> > conditions?
>
> You analyse the virus code and determine how it "infects" the host program.

This seems like something of an undefinable problem to me - very much like the Church-Turing proof I referred to earlier. Much easier in practice to detect the viral code and not bother about what it's doing there - just report it anyway.

> > if viral code is found it should be reported as such.
>
> It may not be practical to find the virus code if it is not executed - for
> example if the virus is heavily polymorphic.

If that is the case then you don't have yourself a very good virus scanner? What's to stop the virus writer creating such heavily polymorphic code and making sure that it *does* get executed? You'd surely want your A-V engine to pick it up then....

Antony.

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

Please reply to the list; please don't CC me.