
sherpya at netfarm
Nov 18, 2006, 9:13 AM
Post #3 of 3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

aCaB wrote:
> Will you ever stop making a fool of yourself?
>
> Facts:
> 1) You cannot type an email address correctly

uh what do you mean?

> 2) You failed to find the updated signatures.pdf (hint: it's well hidden
> in CVSROOT/docs/signatures.pdf) which would have answered all your sig
> related questions.

still incomplete (i.e. the signing server?)

> 3) You didn't understand that reporting how to bypass an antivirus on a
> public mailing list is not very responsible, especially considering that
> you "produce" an AV toolkit as well and someone may do the same to you
> one day.

I don't "produce" an AV toolkit, I'm only adding some stuff on a win32 port of clamav. I just made an example about the upx unpacker flaw; I don't think I cannot talk about it on the ml.

> 4) You build an AV without bothering writing signatures for it or not
> even checking malware trends. If you had done that you'd probably
> know that unpacking is not rocket science but rather a best effort
> approach (hacked UPX is more popular than plain UPX, did you know?).
> Additionally, you'd know that the crappy and easily bypassed UPX code is
> worth 5-10% detection in your ClamWin.

I don't build an AV, and my ClamWin (it's not mine) is only a GUI for the clamav port, so the main code comes directly from clamav.

> Having said that (since you seem unaware of that), the good way to act
> is opening a bug report and providing a patch to make UPX handling more
> robust. Since to date you have failed to do that, you can well kiss my arse.

I really don't feel like sending bugs/fixes/patches here since, as also expected in this email, I always get ignored.

> 5) LOL, I really fell on the floor at this one. You want to implement a
> generic unpacker which *executes* malicious code in order to dump it
> from memory!
> Do you feel smart? Don't you wonder why all other windows AVs invest
> money and resources into writing emulators (or even sandboxes)?
> They must be all crazy, don't they? All you have to do is dumping and
> rebuilding à la procdump, right?

smart? I'm not reinventing the wheel, m$ added WriteProcessMemory to do this; really I'm not doing anything uncommon or *smart*. Also you misunderstood me: I don't want to __run__ malware, I would "benefit" from the fact the malware is already loaded in memory.

> If you were old enough and if you knew what you were doing you'd
> probably recall about someone else, back in the dos age, who was feeling
> very smart. And you'd also remember about a virus which was only
> spreading when scanned by the smart guy's AV.

I was searching for cooperation, not to be offended... if my work is not appreciated here... never mind... I hope it will be useful to someone else...

Regards

- --
Gianluigi Tiesi <sherpya [at] netfarm>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFXz9E3UE5cRfnO04RAnBpAKCih/6A9TG3vB6Nj0GPJnXenbiBPwCfWXtC
OppJ3fUNPlLzTZyQVwcbUcU=
=IPtN
-----END PGP SIGNATURE-----
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
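Two points argued in the exchange above (that unpacking is a best-effort heuristic rather than an exact science, and that "hacked" UPX builds with altered section names are more common than plain UPX) can be illustrated from the detection side. The following is an added example, not code from this post, from ClamAV or from ClamWin: it parses a PE32 section table and reports packer indicators that do not depend on section names at all (a section that is empty on disk but large in memory, a high-entropy section, and an entry point outside the first section). The minimal PE builder, the entropy threshold of 7.2 bits/byte and the two sample images are constructed for the example; the "packed" image copies the UPX layout but carries ordinary-looking section names, which is exactly the case a name-based check misses.

```python
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.2  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes):
    """Return (entry_point_rva, [section dicts]) read from a PE32 file image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name or "<unnamed>", "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "data": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def packer_indicators(pe: bytes):
    """Name-independent hints that a PE is packed: a stub decompresses into a
    section reserved in memory, then jumps to the original entry point."""
    entry, secs = parse_pe_sections(pe)
    hits = []
    for s in secs:
        # Room reserved in memory with no bytes on disk: the unpacker's destination.
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append(f"section {s['name']} is empty on disk but 0x{s['vsize']:x} bytes in memory")
        # Compressed or encrypted payload stored in the file.
        if shannon_entropy(s["data"]) > ENTROPY_THRESHOLD:
            hits.append(f"section {s['name']} has high entropy")
    # Entry point outside the first section: the stub runs before the real code.
    for idx, s in enumerate(secs):
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            if idx != 0:
                hits.append(f"entry point 0x{entry:x} lies in section #{idx} ({s['name']})")
            break
    return hits


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe32(sections, entry_rva: int) -> bytes:
    """Constructed test fixture: a minimal PE32 image from (name, vsize, vaddr, raw) tuples.
    Only the header fields the parser reads are filled in; raw sizes must be 0x200-aligned."""
    opt_size = 0xE0
    hdr_end = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), 0x200)
    table, body, ptr = b"", b"", hdr_end
    for name, vsize, vaddr, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             ptr if raw else 0, 0, 0, 0, 0, 0xE0000020)
        body += raw
        ptr += len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_end, b"\0") + body


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def packed_sample() -> bytes:
    # UPX-style layout (empty destination section, stub plus payload in the next one)
    # with the section names changed, as modified UPX builds do.
    return build_pe32([(b".text", 0x10000, 0x1000, b""),
                       (b".rdata", 0x1000, 0x11000, _pseudo_random(0x1000))], entry_rva=0x11100)


def plain_sample() -> bytes:
    # Single code section, entry point inside it, repetitive low-entropy bytes.
    return build_pe32([(b".text", 0x1000, 0x1000, bytes(range(64)) * 64)], entry_rva=0x1000)


if __name__ == "__main__":
    for label, image in (("plain", plain_sample()), ("packed", packed_sample())):
        print(label, packer_indicators(image) or ["no indicators"])
```

None of the three checks proves a file is packed on its own (a large .bss section is legitimately empty on disk, resource sections can be high-entropy), which is the "best effort" nature of the approach the thread refers to; the value is that none of them is defeated by renaming sections.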