Text File | 1999-01-11 | 3KB | 48 lines

Many people have asked us why TBAV isn't listed in Patricia Hoffman's
VSUM. The reason is that we don't agree about the way the scanner should
be tested.

Patricia Hoffman states that we have to implement an option to disable
heuristic analysis completely. Otherwise she will refuse to test TbScan.
She thinks it isn't fair that TbScan detects viruses using heuristic
analysis while other products have to do it without heuristics. She also
told us that she only wants to count results which have been achieved by
using signatures.

We view things differently. In our opinion, it is solely up to the
developer of the scanner which method he uses to detect viruses. Whether
he uses signatures, detecting algorithms, or code analyzers simply isn't
your or her business. But Patricia Hoffman requires us to handicap our
product, by implementing a switch to disable heuristics. For you, the
end-user, such an option to suppress the detection of something that is
obviously a virus wouldn't make sense at all.

TbScan uses four methods to detect viruses (if we do not count CRC
checking). The four methods are:

- Signature searching (for 'standard' viruses)
- Specific algorithmic detection (for complex polymorphic viruses)
- Generic algorithmic detection (for the 'Trivial' family of viruses)
- Heuristic analysis (to detect trivial and unknown viruses)

Another method, NOT used by TbScan, is the detection of new viruses by
searching for some very generic signatures, also a type of heuristics.
According to Patricia Hoffman, this is allowed, since it makes use of
signatures. We can of course explain to Patricia Hoffman that our
heuristics actually consists of the detection of many one-byte
signatures, but it simply isn't her business, and we don't want to have
to discuss and defend our product just to get it tested anyway.

It isn't clear to us why methods 1, 2, and 3 are allowed, while we have to
disable method 4. Is it because we have the only products which use
some degree of heuristics by default? Who was the first one who used
specific algorithmic detection to detect the 'Washburn' related viruses?
Did he also have to disable this because it wasn't fair that the other
ones were not yet able to implement algorithmic detection?

Anyway, we have not been able to convince Patricia Hoffman that she
should test a product 'as is'. If you want to see our product tested
in VSUM, feel free to send a complaint to Patricia Hoffman.