The exe generated by dmd unable pass Malware scan

David Wilson dw at botanicus.net
Thu Dec 13 10:04:50 PST 2007


On 12/12/07, Robert Fraser <fraserofthenight at gmail.com> wrote:
> Alexander Panek wrote:
> > On Tue, 11 Dec 2007 13:35:47 -0800
> > Robert Fraser <fraserofthenight at gmail.com> wrote:
> >
> >> b) Virus scanners are very useful in the modern world; when did they
> >> ever stop being so?
> >
> > Even though it is out of context: I haven't ever found a need for a
> > "virus" scanner (the word virus in this context is hilarious) apart
> > from the time where I was searching for cracks for games using IE 5 on
> > Windows 98 when I was a kid.
> >
> > Point being: don't use malware or software that enables malware by
> > default. Then you also don't need resource-sucking software like
> > virus/malware scanners.
> >
>
> I agree that for users like us, malware scanners aren't too useful.
> However, there are a lot of people out there who would still open that
> mysterious attachment called "that document you requested.exe", which
> still makes a scanner useful both for end users and for system
> administrators as a first line of defense.

I often make a point of removing virus checkers / "security suites"
from people's computers when I'm asked to fix a problem. The resulting
lack of "PORT SCAN PORT 123!!!!" and "DONT FORGET TO REGISTER!!z0r!!"
pop-ups gives the end user more wellbeing than the virus checker ever
could.

For any time where I would have use of a virus checker in the past 7
years, the virus checker has been unable to quarantine, among others,
Nimda and Slammer, for which a specialist tool was required. Even
trivial malware these days knows how to disable, suspend, or otherwise
thwart the operation of popular virus checkers. For example, certain
products have (at least in the past) waited on a named global event to
allow the uninstaller to signal time to shut down if the user chooses
to uninstall. It is trivial (3 lines of code trivial) with the Windows
API to signal such an event.

For the cases where the virus checker could still run successfully,
the malware was not fully removed because the virus checker was unable
to detect every copy of it (I believe it's possible to lock a file or
process up on Windows such that it becomes effectively inaccessible
except to itself - for example, some software will start a "debugger"
on itself such that no other process can use that API. The filesystem
can apparently be similarly tricked).

For more structured environments, Windows has supported locking down
executed code by md5sum or Authenticode since at least Windows 2000.

As another example, a certain free checker, Clam-AV for Windows, has
no form of mandatory access control or on-demand scanning. It happily
sticks a little system tray applet on your machine that makes it look
like a scanner is in operation. Actually it pretty much does nothing.

Again - virus checkers are often reactionary snake oil that help
nobody. Even the free stuff like Spybot S&D often does a better job of
fixing the kinds of problem most users come across when they catch an
infection. The places where this isn't true are places that are less
affected by the lead-time required for an AV vendor to put out a
useful update - mail servers for example.


David.
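The "lock down executed code by hash or Authenticode" approach David mentions, as an added illustration that is not part of the original mail: a small PowerShell audit that checks each executable in a build output directory against an allowlist of SHA256 hashes and trusted signer subjects. The directory path, the hash and the publisher name are constructed placeholders, not values from the thread.

```powershell
# Added example (not from the original post): classify executables as
# allowed or not by hash allowlist first, then by a valid Authenticode
# signature from a trusted publisher. All concrete values are placeholders.

$AllowedHashes = @{
    # constructed placeholder: SHA256 of an approved binary -> friendly name
    '0000000000000000000000000000000000000000000000000000000000000000' = 'myapp.exe'
}

# constructed placeholder: certificate subjects you have decided to trust
$TrustedPublishers = @(
    'CN=Example Corp, O=Example Corp, L=Example City, C=US'
)

function Test-ExecutableAllowed {
    param([Parameter(Mandatory)][string]$Path)

    # Hash rule: an exact, known-good binary is allowed regardless of signing.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($AllowedHashes.ContainsKey($hash)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $true
                                  Reason = "hash allowlisted ($($AllowedHashes[$hash]))" }
    }

    # Authenticode rule: only a chain-valid signature from a trusted subject counts.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and
        $TrustedPublishers -contains $sig.SignerCertificate.Subject) {
        return [pscustomobject]@{ Path = $Path; Allowed = $true
                                  Reason = "signed by $($sig.SignerCertificate.Subject)" }
    }

    # Everything else (unsigned, self-signed, unknown publisher, unknown hash)
    # is reported so it can be reviewed before being added to either list.
    return [pscustomobject]@{ Path = $Path; Allowed = $false
                              Reason = "unknown hash; signature status: $($sig.Status)" }
}

# constructed placeholder directory: point this at your compiler's output
Get-ChildItem -Path 'C:\build\output' -Filter '*.exe' -Recurse |
    ForEach-Object { Test-ExecutableAllowed -Path $_.FullName } |
    Format-Table -AutoSize
```

Binaries reported as not allowed are exactly the ones a hash- or publisher-based execution policy would block, independent of any scanner's signature database.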



More information about the Digitalmars-d mailing list