
This seems like fair game, and it benefits the consumer by keeping the anti-virus people on their toes.

Kaspersky has demonstrated a weakness: that the firms copy each other's data and blindly trust each other as well as the initial submissions. They have a submission process for infected files which can be demonstrably abused to inject false positives.

Also this:

> Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.

What?? Infected files are always similar to clean files. An infected MS Word 2010 still looks mostly like MS Word 2010 and is even usable as such. Knowing clean from infected is the bread and butter of anti-virus. They are supposed to take doctored files, and register them as malicious, while recognizing clean ones as clean. If similarity between dirty and clean causes a false positive, you would think that this is a fundamental problem. It shows they are using some weak heuristics to guess that files are clean instead of, say, strong checksums. They are guessing whether that DLL belonging to MS Word 2010 is clean or not because they have no idea what clean looks like, and Kaspersky has shown that they can be induced to guess wrong.

A proper implementation would detect so much as a single bit difference between a clean file and an altered one. Rather, they must be working off the assumption that there is some minimum difference between a viable infection and the clean file. In keeping with this, there is a database of the known dirty files only, and not of the clean reference files. Anything close to the dirty example within some small "edit distance" is just a variation on dirty and is declared dirty. Anything distant is either a different, unknown form of dirty, or clean. Either way it is declared clean. If that's how things work in an AV program, it has a weakness. Competitors should be merciless in identifying and exposing that weakness, because that's good for the consumer in the end.




A lot of new malware is self-modifying. In situations where this is the case checksums lose most if not all of their value. Heuristics in such situations are really the only viable option.


No, I mean to know what is clean.


OK, but that's a very large data set to track - does AV software actually do that?
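As an added illustration of the two models argued about in this subthread (an exact-checksum allowlist of known-clean files versus similarity matching against known-dirty samples, and the objection that self-modifying malware defeats checksums), here is a constructed Python demo. It is not code from Kaspersky, from any AV vendor, or from the article: the "files" are synthetic byte strings generated from SHA-256, the injected marker is a made-up string, and the byte-shingle Jaccard matcher is a toy stand-in for real fuzzy hashing. It shows the doctored submission turning the genuine clean file into a false positive under similarity matching, the exact allowlist rejecting even a one-bit change, and the exact blocklist missing a re-encoded variant that the similarity matcher still catches.

```python
"""Exact-checksum allowlisting vs. similarity-based blocklisting.

Constructed demo (not code from any AV vendor or from the article):
  - an allowlist of SHA-256 hashes of known-clean files, which rejects any
    file that differs by even one bit;
  - a blocklist of known-dirty samples matched by byte-shingle Jaccard
    similarity, a toy stand-in for the fuzzy/heuristic matching the
    comments above speculate about.
"""
import hashlib

SHINGLE = 8          # byte n-gram length used for the fuzzy signature
THRESHOLD = 0.85     # similarity at or above this counts as "a variant of"


def pseudo_file(label: str, blocks: int = 32) -> bytes:
    """Deterministic 1 KiB stand-in for a binary (constructed, not a real file)."""
    return b"".join(hashlib.sha256(f"{label}{i}".encode()).digest()
                    for i in range(blocks))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = SHINGLE) -> set:
    """All overlapping n-byte windows; insertion-tolerant, unlike fixed chunks."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes) -> float:
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def exact_verdict(data: bytes, clean_hashes: set) -> str:
    """Allowlist check: only a bit-for-bit identical known file is 'clean'."""
    return "clean" if sha256_hex(data) in clean_hashes else "not-known-clean"


def fuzzy_verdict(data: bytes, dirty_samples: list) -> tuple:
    """Blocklist check: anything within THRESHOLD of a dirty sample is 'dirty'."""
    best = max(jaccard(data, s) for s in dirty_samples)
    return ("dirty" if best >= THRESHOLD else "clean"), best


def run_scenario() -> dict:
    clean = pseudo_file("clean-dll")
    # Doctored copy: the clean file with a few dozen bytes injected, the kind
    # of sample the quoted article says was submitted to shared feeds.
    marker = b"<constructed marker: not real malware>"
    doctored = clean[:512] + marker + clean[512:]
    # One-bit change to the clean file: a proper checksum must reject it.
    flipped = bytearray(clean)
    flipped[300] ^= 0x01
    flipped = bytes(flipped)
    # Known-dirty sample and a "self-modifying" generation of it with one
    # 32-byte region re-encoded (XOR with a per-generation key, hypothetical).
    malware = pseudo_file("dirty-sample")
    variant = malware[:128] + bytes(b ^ 0x5A for b in malware[128:160]) + malware[160:]

    clean_hashes = {sha256_hex(clean)}
    dirty_hashes = {sha256_hex(malware)}
    # The competitor imports the doctored submission as a dirty sample.
    dirty_samples = [malware, doctored]

    return {
        # Allowlist: exact match separates clean from any altered copy.
        "exact_clean": exact_verdict(clean, clean_hashes),
        "exact_flipped": exact_verdict(flipped, clean_hashes),
        "exact_doctored": exact_verdict(doctored, clean_hashes),
        # Exact blocklist misses the re-encoded variant entirely.
        "exact_variant_known_dirty": sha256_hex(variant) in dirty_hashes,
        # Fuzzy blocklist: the genuine clean file is now a false positive...
        "fuzzy_clean": fuzzy_verdict(clean, dirty_samples),
        # ...while the re-encoded variant is a true positive.
        "fuzzy_variant": fuzzy_verdict(variant, dirty_samples),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:28s} {result}")
```

Running it prints the six verdicts: the clean file passes the allowlist, both the doctored and the one-bit-flipped copies fail it, the variant is absent from the exact dirty-hash set, and the similarity matcher flags both the clean file (because of the doctored sample) and the variant (because of the original sample). Neither model alone gives the behaviour the top comment wants; a deployed scanner that keeps an exact clean list would only be able to cover files it has actually seen, which is the size problem the last reply raises.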



