by ksk 3178 days ago
>If you know how the program works it may be easier to write an exploit.

BTW, this is true. Seeing the source code versus having to go through assembly listings - I know which one I'd pick if I had to find logic bugs.

>Why is this not applicable to virus detection algorithms?

It's not an algorithm, but a heuristic. If you want to look for a suspect, you don't announce "I'm looking for someone 5 feet 5 inches tall with a buzz cut who drives a Ford and wears size 12 Nike sneakers". In much the same way, security via heuristics doesn't mean creating a perfect detection system, because it doesn't exist. They want to make the game harder to play by hiding the rules of the game, not because they're sure that they're going to win. This is a real, tangible benefit for the customers. There is nothing really special about it; we've been using such ideas for centuries.


How do you build a heuristic if not with an algorithm? Perhaps the entire AV model employed by Symantec is flawed.

>How do you build a heuristic if not with an algorithm?

I don't know what that means. Perhaps superficially there is some overlap since both run on deterministic hardware, but a heuristic is completely different from an algorithm. It's a technique that can perhaps give you an imperfect answer to the question you're asking. An algorithm describes a method, which, if followed, gives you the answer. Here is an AV heuristic that I made up just now:

- Is it encrypted? +1 point
- Does it contain self modifying/unpacking code? +1 point
- Does it call OS APIs to monitor running programs? +1 point
- Does it run at startup? +1 point
- Does it have no UI? +1 point
- Does it try to punch a hole through NAT? +1 point
- Does its process name contain random strings? +1 point

If you get > 5 points, hash the executable and send the hash/executable for analysis.

>Perhaps the entire AV model employed by Symantec is flawed.

Well, for one, the heuristic isn't the "entire AV model". But what makes you think the entire AV model is flawed? Every major OS uses parts of the AV model.
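The made-up point heuristic from the reply above, written out as an added Python example (not code from the thread or from any AV product). The Sample fields, the two constructed executables and the use of SHA-256 for "hash the executable" are assumptions; the example shows the strict "> 5 points" threshold and why the answer is only a rough one, since a legitimate-looking agent can score almost as high as the suspect.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the observable properties the heuristic asks about.
# A real scanner would derive these from static/dynamic analysis; here they
# are supplied directly so the scoring rule itself can be exercised.
@dataclass
class Sample:
    name: str
    content: bytes
    encrypted: bool
    self_modifying: bool
    monitors_processes: bool
    runs_at_startup: bool
    no_ui: bool
    punches_nat: bool
    random_process_name: bool

# One point per "yes", in the order the comment lists the questions.
CHECKS = [
    "encrypted", "self_modifying", "monitors_processes", "runs_at_startup",
    "no_ui", "punches_nat", "random_process_name",
]
THRESHOLD = 5  # the comment says "> 5 points": strictly more than 5

def score(sample: Sample) -> int:
    """Add one point for every check the sample satisfies."""
    return sum(1 for check in CHECKS if getattr(sample, check))

def triage(sample: Sample) -> Optional[str]:
    """Return the SHA-256 of the executable when it should be sent for
    analysis, otherwise None (nothing is sent)."""
    if score(sample) > THRESHOLD:
        return hashlib.sha256(sample.content).hexdigest()
    return None

# Constructed inputs (assumed, not real binaries).
# Six checks hit: flagged and hashed for analysis.
SUSPECT = Sample("svch0st-x8fk2.exe", b"constructed suspect bytes",
                 encrypted=True, self_modifying=True, monitors_processes=True,
                 runs_at_startup=True, no_ui=True, punches_nat=True,
                 random_process_name=False)
# A backup agent with the same profile minus unpacking code: five checks hit,
# so it sits just under the threshold. The heuristic gives a usable but
# imperfect answer, which is the point the comment makes.
BACKUP_AGENT = Sample("backupagent.exe", b"constructed agent bytes",
                      encrypted=True, self_modifying=False,
                      monitors_processes=True, runs_at_startup=True,
                      no_ui=True, punches_nat=True, random_process_name=False)
```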