comp.security.misc

#1  11-02-2005, 09:48 AM
JS
Running program files on XP with non-executable extension?

I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

--

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?

#2  11-02-2005, 11:33 AM
James Egan
Re: Running program files on XP with non-executable extension?

On Wed, 02 Nov 2005 09:48:50 GMT, JS <j_simmonmds@nomailthankyou.com>
wrote:

>I figured this would stop my XP Pro from running it if I double
>clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
>me about it again. Even with the dummy extension letters! Surely
>such a program file is now safe enough?
>


Not always.

As an example you might try renaming a MS Word .doc file to (say) .hje
or some other extension which doesn't have a specific association with
another program and then double clicking it. You will see that it
still opens in Word because the file structure is still recognised as
a word document even though you renamed it.


Jim.


#3  11-02-2005, 02:59 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


James Egan wrote:

> Not always.
>
> As an example you might try renaming a MS Word .doc file to (say) .hje
> or some other extension which doesn't have a specific association with
> another program and then double clicking it. You will see that it
> still opens in Word because the file structure is still recognised as
> a word document even though you renamed it.


Mine asks what to open the program with when I do that. :)

Xp Pro sp1a on both machines. I'll test an sp2 machine at work.

Regards,
Dustin Cook
http://bughunter.atspace.org


#4  11-02-2005, 03:40 PM
Volker Birk
Re: Running program files on XP with non-executable extension?

In comp.security.misc JS <j_simmonmds@nomailthankyou.com> wrote:
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> I figured this would stop my XP Pro from running it if I double
> clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> me about it again. Even with the dummy extension letters! Surely
> such a program file is now safe enough?
> --
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> Is this just an oddity in 'AntiVir PE'?


Yes. AntiVir PE should find the virus signature whether the file has the
name a or b.

> Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?


Yes - if AntiVir PE is programmed dumb enough to use the old 16-bit API.
I'm hoping this will _not_ be true...

*ohmyFSM*,
VB.
--
"I am a free person and will now make use of my civil liberties - and
extensively so - of course only within the framework that Otto Schily
still leaves available to me."
Wolfgang Clement on 10.10.05, while still Superminister

#5  11-02-2005, 04:34 PM
James Egan
Re: Running program files on XP with non-executable extension?

On 2 Nov 2005 06:59:31 -0800, "Dustin Cook"
<bughunter.dustin@gmail.com> wrote:

>> As an example you might try renaming a MS Word .doc file to (say) .hje
>> or some other extension which doesn't have a specific association with
>> another program and then double clicking it. You will see that it
>> still opens in Word because the file structure is still recognised as
>> a word document even though you renamed it.

>
>Mine ask what to open the program with when I do that. :)
>
>Xp Pro sp1a on both machines. I'll test an sp2 machine at work.


Hmm. I wonder why that is?

Which version of MS Word did you use? With Word 2000 it opens
correctly (with a wrong extension) on both win9x and winxp.

Incidentally, Bart Bailey posted a registry hack (see below) to get
all unassociated extensions to open with notepad.


Jim.


Newsgroups: alt.comp.anti-virus
Subject: Re: Wirtualna Polska's antivirus program??
From: Bart Bailey <bartman@nethere.net>
Date: Thu, 31 Jul 2003 18:27:17 -0700

In Message-ID:<qr9jivsker61p8nu3k66bkhofjjfn9n75e@4ax.com> posted on
Fri, 01 Aug 2003 01:10:22 +0100, James Egan wrote:

>(IIRC Bart Bailey has a reg hack solution for all unregistered
>suffixes)


OK, I got to poking around in my registry and found it.
I think this will work if you merge it:

---begin---
REGEDIT4

; "Unknown" is the file type Windows uses for extensions with no registered
; association; the verbs under its shell key become the default action.
[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

; %1 is quoted so that a path containing spaces reaches notepad.exe as one argument.
[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe \"%1\""

---end---
be sure to leave a blank line at the bottom,
create an extensionless file and try it.

Bart



#6  11-02-2005, 04:42 PM
bughunter.dustin@gmail.com
Re: Running program files on XP with non-executable extension?


James Egan wrote:

> Hmm. I wonder why that is?


I might have applied a registry tweak some time ago when I hardened the
box. Autorun is disabled as well.

Essentially, if I click on a file to open that Windows doesn't know the
extension of, it asks what to do with it. I'm pretty sure it's a
registry key I changed.

> Which version of MS Word did you use? With Word 2000 it opens
> correctly (with a wrong extension) on both win9x and winxp.


Word 2000. The later versions are too much like an html editor to me.

Regards,
Dustin Cook
http://bughunter.atspace.org


#7  11-02-2005, 05:04 PM
Norman L. DeForest
Re: Running program files on XP with non-executable extension?


On Wed, 2 Nov 2005, JS wrote:

> I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> virus guard says may be a virus.
>
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
> I figured this would stop my XP Pro from running it if I double
> clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> me about it again. Even with the dummy extension letters! Surely
> such a program file is now safe enough?
>
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.
>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?


The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
"> Is there anything Spamazon DOESN'T sell?
Clues. The market's too small to justify the effort."
-- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005
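Norman's point about short names, as an added example that is not part of the thread: a small Python model of the Windows 8.3 short-name rule (simplified, as its comments note; it always yields the "~1" form) applied to the renames discussed in this thread, including the two variants Poster 60 suggests later.

```python
"""
Added example (not from the thread): a simplified model of the Windows 8.3
short-name rule that Norman L. DeForest describes, used to show why
BLUESKY.EXEHJ still carries an executable extension on its short alias while
BLUESKY.HJEXE does not.

Assumptions: the real NTFS generator also strips characters that are illegal
in 8.3 names and switches to a hash-based form after the first few "~N"
collisions; neither matters for the names discussed in the thread, so this
model keeps only the truncation rules.
"""
from __future__ import annotations

import string

# Characters allowed in an 8.3 name (letters, digits and the DOS punctuation set).
_ALLOWED = set(string.ascii_uppercase + string.digits + "_~!#$%&()@^'`{}-")

# Extensions Windows runs directly as program files (constructed sample set
# for this example; the real list is broader).
EXECUTABLE_EXTENSIONS = {"EXE", "COM", "BAT", "CMD", "PIF", "SCR"}


def split_name(name: str) -> tuple[str, str]:
    """Split on the LAST dot, as Windows does: 'BLUESKY.EXE.ABC' -> ('BLUESKY.EXE', 'ABC')."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def is_valid_8dot3(upper: str) -> bool:
    """True when the (upper-cased) name already fits the 8.3 rules unchanged."""
    if upper.count(".") > 1:
        return False
    base, ext = split_name(upper)
    if not base or len(base) > 8 or len(ext) > 3:
        return False
    return all(ch in _ALLOWED for ch in base + ext)


def short_name(long_name: str, collision_index: int = 1) -> str:
    """
    Return the 8.3 alias Windows would keep for long_name.

    A name that is already a valid 8.3 name is used as-is (upper-cased).
    Otherwise the alias is: the first 6 legal characters of the base name
    (all dots removed), "~N" for the N-th collision, then the first 3 legal
    characters of the final extension.  The extension is truncated, never
    dropped, which is the detail that matters for the thread's question.
    """
    upper = long_name.upper()
    if is_valid_8dot3(upper):
        return upper
    base, ext = split_name(upper)
    base = "".join(ch for ch in base.replace(".", "") if ch in _ALLOWED)
    ext = "".join(ch for ch in ext if ch in _ALLOWED)[:3]
    stem = f"{base[:6]}~{collision_index}"
    return f"{stem}.{ext}" if ext else stem


def short_name_is_executable(long_name: str) -> bool:
    """True when the file's 8.3 alias still ends in an executable extension."""
    _, ext = split_name(short_name(long_name))
    return ext in EXECUTABLE_EXTENSIONS


def describe(long_name: str) -> str:
    """One report line: long name, its short alias, and whether the alias is runnable."""
    alias = short_name(long_name)
    verdict = ("still executable via short name" if short_name_is_executable(long_name)
               else "not executable via short name")
    return f"{long_name:<18} -> {alias:<14} {verdict}"


if __name__ == "__main__":
    # The renames discussed in the thread: JS's two attempts, then Poster 60's
    # "letter in front of exe" and "second extension after exe" variants.
    for name in ("BLUESKY.EXE", "BLUESKY.EXEHJ", "BLUESKY.HJEXE",
                 "BLUESKY.VEXE", "BLUESKY.EXE.ABC"):
        print(describe(name))
```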


#8  11-02-2005, 06:19 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


Norman L. DeForest wrote:
> On Wed, 2 Nov 2005, JS wrote:
>
> > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> > virus guard says may be a virus.
> >
> > I wanted to get more info about this file, so I disabled it by
> > adding a couple of random letters to the extension.
> >
> > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> >
> > I figured this would stop my XP Pro from running it if I double
> > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> > me about it again. Even with the dummy extension letters! Surely
> > such a program file is now safe enough?
> >
> > --
> >
> > I found that if I add the random letters *before* the EXE then
> > AntiVir PE's guard does not detect it as a virus.
> >
> > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> >
> > Is this just an oddity in 'AntiVir PE'? Or is this being done
> > because of something in XP Pro which might truncate the letters in
> > a file's extension after the first three letters?

>
> The file can be found by both its long filename "BLUESKY.EXEHJ" and
> by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
> "BLUESK~1.EXE"). It's still an executable file as long as its short
> name has an executable extension.
>
> The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
> or "BLUESK~1.HJE".


Bingo. :) I changed the extension.. like I thought the poster did. But
I did it thru console, not explorer... So the extension really is
something windows doesn't know what to do with. heh.


#9  11-03-2005, 12:53 AM
gp
Re: Running program files on XP with non-executable extension?


"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:1130955591.143391.24290@o13g2000cwo.googlegroups.com...
>
> Norman L. DeForest wrote:
> > On Wed, 2 Nov 2005, JS wrote:
> > >
> > > I downloaded a file (let's call it BLUESKY.EXE) which my anti-virus
> > > guard says may be a virus.
> > >
> > > I wanted to get more info about this file, so I disabled it by
> > > adding a couple of random letters to the extension.
> > >
> > > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> > >
> > > I figured this would stop my XP Pro from running it if I double
> > > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> > > me about it again. Even with the dummy extension letters! Surely
> > > such a program file is now safe enough?
> > >
> > > --
> > >
> > > I found that if I add the random letters *before* the EXE then
> > > AntiVir PE's guard does not detect it as a virus.
> > >
> > > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> > >
> > > Is this just an oddity in 'AntiVir PE'? Or is this being done
> > > because of something in XP Pro which might truncate the letters in
> > > a file's extension after the first three letters?
> >
> > The file can be found by both its long filename "BLUESKY.EXEHJ" and
> > by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
> > "BLUESK~1.EXE"). It's still an executable file as long as its short
> > name has an executable extension.
> >
> > The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
> > or "BLUESK~1.HJE".
>
> Bingo. :) I changed the extension.. like I thought the poster did. But
> I did it thru console, not explorer... So the extension really is
> something windows doesn't know what to do with. heh.
>

Seem to recall there is a "feature" in NT such that by default it only
considers the first 3 characters of a file extension as significant,
although there is a registry change that can turn this off and take
all characters into consideration.

Sorry, can't remember what it is.



#10  11-03-2005, 02:12 AM
Poster 60
Re: Running program files on XP with non-executable extension?



JS wrote:
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.


This is what an anti-virus program will do if you choose to rename
the file to keep it for observation purposes. If you add a "v" in front
of the exe extension, it is no longer read as an executable. You will
also notice the icon of the file changes.
You could also rename it by a second extension after the exe - exe.abc



>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


The executable is disabled but it is still a malicious file. It can
be reactivated by changing the extension back to exe.

>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?



#11  11-03-2005, 07:46 AM
Poster 60
Re: Running program files on XP with non-executable extension?



Leythos wrote:
> In article <4369728B.4080900@wapda.com>, ekron@wapda.com says...
>
>> This is what an anti-virus program will do if you choose to rename
>>the file to keep it for observation purposes

>
>
> Not true, that's what SOME Av products will do if you rename the file.


Then those that don't do it that way probably use the double extension
method. I know of a program that uses this method, but in both cases the
file is disabled so no program can open it.


> We have our AV software set to scan EVERY file on access, except the
> database and exchange store files (as defined by MS and the Av
> provider), but if you were to rename myvirus.exe to myvirus.txt, it
> would still be detected as a virus.


The AV program I use gives the renaming option of a malicious file
found by placing one letter in front of the exe to disable it, but does
not rename it as a file that can be executed such as txt in your
example. The purpose of renaming a malicious file is to disable it, so
no program can open it.

>
> Good settings for any AV product would be to scan all files accessed.
>

In a corporate environment, I would agree.


#12  11-03-2005, 01:16 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


Poster 60 wrote:

> In a corporate environment, I would agree.


I would disagree for home users. Scanning every single file would only
increase the chance of false alarms.

Regards,
Dustin Cook
http://bughunter.atspace.org


#13  11-03-2005, 04:05 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


Leythos wrote:

> That may be true, but the same would be true for exe files. The chance
> of a false alarm is minimal in today's world of quality AV scanners. In
> the 7 years we've had Symantec Corp edition set to scan ALL files on
> access we've never seen a false hit.


It's actually harder to accidentally flag a good exe as a bad one than
it would be to accidentally heuristically determine some .txt file is a
virus. This isn't from personal opinion, that's a stated fact in the
antivirus industry. While I appreciate improvements have been made, the
underlying principles of how a virus scanner works have not changed much
in the last few years.

For example, Frisk, maker of F-Prot, has an option on the DOS scanner
to indeed scan all files. This is settable via the "/dumb" switch. He
named it dumb, because scanning all files on a hard disk, even ones
that cannot possibly contain executable code, is a dumb thing to do.

As I said, I've been in the vx side for many years. I'm well versed on
both aspects of it, from antivirus perspective as well as vx
perspective. I'm not giving my opinion per se, I'm giving that of the
general consensus of both the Av and Vx side of things.

Regards,
Dustin Cook


#14  11-03-2005, 05:19 PM
Zvi Netiv
Re: Running program files on XP with non-executable extension?

Leythos <void@nowhere.lan> wrote:

> In article <4369728B.4080900@wapda.com>, ekron@wapda.com says...
> > This is what an anti-virus program will do if you choose to rename
> > the file to keep it for observation purposes

>
> Not true, that's what SOME Av products will do if you rename the file.
> We have our AV software set to scan EVERY file on access,


Overkill, and time wasteful.

> except the
> database and exchange store files (as defined by MS and the Av
> provider), but if you were to rename myvirus.exe to myvirus.txt, it
> would still be detected as a virus.
>
> Good settings for any AV product would be to scan all files accessed.


God forbid.

Regards
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

#15  11-03-2005, 09:26 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


Leythos wrote:

> That's great for them and you - not being snide here, but, as I said
> before, never seen a false positive on more than 1500 systems, and we'll
> continue to use it scanning all files on access.


I have no problems with what you do. I was just stating what the
majority of those on both sides professionally feel. You know, the guys
who write the viruses, and the guys who write the products that hunt
for them. You wouldn't be the first end-user to assume he/she knows
better how to use a product than its creators though.

Regards,
Dustin Cook


#16  11-03-2005, 09:47 PM
David H. Lipman
Re: Running program files on XP with non-executable extension?

From: "Leythos" <void@nowhere.lan>

| In article <1131033952.512278.87400@g47g2000cwa.googlegroups.com>,
| bughunter.dustin@gmail.com says...
>> As I said, I've been in the vx side for many years. I'm well versed on
>> both aspects of it, from antivirus perspective as well as vx
>> perspective. I'm not giving my opinion per say, I'm giving that of the
>> general consensus of both the Av and Vx side of things.

|
| That's great for them and you - not being snide here, but, as I said
| before, never seen a false positive on more than 1500 systems, and we'll
| continue to use it scanning all files on access.
|

{ just to stir the pot a bit... }

Since I monitor many virus News Groups, including Symantec's, I have come across *many*
False Positive declarations from many AV vendors.

I recently (10/6) dealt with one situation by Symantec in reference to iun6002.exe, which
was falsely declared as a Trojan.Dropper.

Then there was the case of Symantec falsely declaring Backdoor.Graybird (9/16) in what was a temp
file created by Spy Sweeper.

I'm still wondering when Avast will stop falsely declaring the VBS/RedLof in Trend Micro's
sysclean utility.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



#17  11-03-2005, 10:34 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


Leythos wrote:

> Funny, how many networks have you designed and maintain that have NEVER
> been compromised?


For myself, several. Still using a small one at home.. heh.

Zvi Netiv's claim to fame is InVircible, and his remarkable knowledge
of drive data layout. The guy's good at recovering from many nasty
things... He's also (shudder, I can't believe I'm saying this, he's a
sworn enemy of mine) a respected antivirus-side person. But, like I
said before man, you don't need to take our words for it. Do as you
wish.

Regards,
Dustin Cook


#18  11-04-2005, 12:51 AM
James Egan
Re: Running program files on XP with non-executable extension?

On 3 Nov 2005 14:34:02 -0800, "Dustin Cook"
<bughunter.dustin@gmail.com> wrote:

>> Funny, how many networks have you designed and maintain that have NEVER
>> been compromised?

>
>For myself, several. Still using a small one at home.. heh.



Both you and pax admitted (on usenet) to accidentally infecting your
own machines.


Jim.


#19  11-04-2005, 01:26 AM
Winged
Re: Running program files on XP with non-executable extension?

Leythos wrote:
> In article <aghkm1tjfd53jjrrhblug111uu7d0q3sij@4ax.com>,
> support@replace_with_domain.com says...
>
>>Leythos <void@nowhere.lan> wrote:
>>
>>
>>>In article <4369728B.4080900@wapda.com>, ekron@wapda.com says...
>>>
>>>> This is what an anti-virus program will do if you choose to rename
>>>>the file to keep it for observation purposes
>>>
>>>Not true, that's what SOME Av products will do if you rename the file.
>>>We have our AV software set to scan EVERY file on access,

>>
>>Overkill, and time wasteful.

>
>
> Depends on the environment, not everyone has data they don't care about.
>
>
>>>except the
>>>database and exchange store files (as defined by MS and the Av
>>>provider), but if you were to rename myvirus.exe to myvirus.txt, it
>>>would still be detected as a virus.
>>>
>>>Good settings for any AV product would be to scan all files accessed.

>>
>>God forbid.

>
>
> Funny, how many networks have you designed and maintain that have NEVER
> been compromised?
>


Afraid we too scan everything. While I agree this is wasteful of
resources, it really doesn't have enough impact in a real-world
environment to be an issue.

We scan files on write, open and modify. Overkill yes, but our flip
flops have yet to unionize.

We wake our system on weekends (during non-work hours) to do full scans.
One advantage to this is it is an easy way to flag something that is
talking outbound when it's not supposed to; yes, it does happen.

We even open IE on an intranet page to ensure something doesn't
communicate that wasn't caught with other methods. Pretty easy to
identify the firewall communication. While this method is by no means a
check for much, it is surprising what it finds sometimes. When the net is
loaded with users it can hide activity when you're dealing in multiple T3s
and T9s and dual gigabit between subnets.

We wake our machines nightly as required for patching. CPU cycles are
pretty cheap these days. Afraid I have no issue wasting the computer
time; they work cheap.

If you are not careful, things hide in JAR files or other places and may be
easily missed. Easiest to scan everything and march on. AV is the
easiest to manage these days; now if someone can just stop those damn
patches from breaking stuff I would be happy.

The idea here is to avoid doing system maintenance tasks that impact
user operations; that gets expensive very fast. You have to avoid
system downtime when it costs $100,000 an hour to bring networks down
due to a virus event.

Winged

#20  11-04-2005, 02:02 AM
optikl
Re: Running program files on XP with non-executable extension?

Leythos wrote:

>
> Sorry for quoting it all, but those are the exact reasons we do the same
> - scan on access, nightly full system scans of ALL files. We've never
> had a virus/malware related downtime issue, ever.
>


I'm not sure why you continue to argue your position. I mean, if others
don't agree with you on risk mitigation, why do you care? The only
opinions that should count to you are those of your paying customers.
You really expect those who disagree with you to say: "ok, I see your
point. You're right." ?



#22  11-04-2005, 09:24 AM
Dustin Cook
Re: Running program files on XP with non-executable extension?


James Egan wrote:
> On 3 Nov 2005 14:34:02 -0800, "Dustin Cook"
> <bughunter.dustin@gmail.com> wrote:
>
> >> Funny, how many networks have you designed and maintain that have NEVER
> >> been compromised?

> >
> >For myself, several. Still using a small one at home.. heh.

>
>
> Both you and pax admitted (on usenet) to accidentally infecting your
> own machines.


One machine James, not a LAN. :)

The LAN has never been infected by anything. The computer used for
virus work was a standalone unit. It had no access to the network.

Regards,
Dustin Cook
http://bughunter.atspace.org


#23  11-04-2005, 09:45 AM
Zvi Netiv
Re: Running program files on XP with non-executable extension?

Leythos <void@nowhere.lan> wrote:

> > > In article <4369728B.4080900@wapda.com>, ekron@wapda.com says...
> > > > This is what an anti-virus program will do if you choose to rename
> > > > the file to keep it for observation purposes
> > >
> > > Not true, that's what SOME Av products will do if you rename the file.
> > > We have our AV software set to scan EVERY file on access,

> >
> > Overkill, and time wasteful.


[snip]
> > > Good settings for any AV product would be to scan all files accessed.

> >
> > God forbid.

>
> Funny, how many networks have you designed and maintain that have NEVER
> been compromised?


There is no necessity to first be a sheep in order to become a shepherd. ;-)

Regards

#25  11-04-2005, 10:18 AM
Zvi Netiv
Re: Running program files on XP with non-executable extension?

Leythos <void@nowhere.lan> wrote:
> In article <Xzvaf.1600$5R2.518@trnddc08>, DLipman~nospam~@Verizon.Net


> > >> As I said, I've been in the vx side for many years. I'm well versed on
> > >> both aspects of it, from antivirus perspective as well as vx
> > >> perspective. I'm not giving my opinion per say, I'm giving that of the
> > >> general consensus of both the Av and Vx side of things.

> > |
> > | That's great for them and you - not being snide here, but, as I said
> > | before, never seen a false positive on more than 1500 systems, and we'll
> > | continue to use it scanning all files on access.
> >
> > { just to stir the pot a bit... }

[...]
> Which does not change the fact that I've not had the experience of false
> positives


The reason could be little experience, or assuming that all the alerts that you
saw were true positives, without confirming that they are indeed. Your
assertions do not sound credible.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

#26  11-04-2005, 03:58 PM
Zvi Netiv
Re: Running program files on XP with non-executable extension?

Leythos <void@nowhere.lan> wrote:
> support@replace_with_domain.com says...


[...]
> > > Which does not change the fact that I've not had the experience of false
> > > positives

> >
> > The reason could be little experience, or assuming that all the alerts that you
> > saw were true positives, without confirming that they are indeed. Your
> > assertions do not sound credible.

>
> I agree, if I was some slouch, I would think it not credible too, but as
> I've been doing this type of work since the mid 70's, I would think that
> I know a little about security by now :) I've designed everything from
> small 5 node SOHO's to 400 node medical centers,


So you say. How do I know that you aren't just boasting? Your stories sound
too fantastic to me. Do you claim that all the users of the 1500 networks that
you designed or managed are security super-aces like you and never blew it?

> of all the ones we
> manage, not one has been compromised, and I've only see a virus on two
> that we didn't manage, but that was due to letting a unclean laptop into
> the network, none of the other nodes were compromised.
>
> As for alerts of any type, they are always checked against two or three
> AV products, so I feel comfortable that my statements are true on our
> networks.


What are the alerts upon, since you claim that the systems you manage were never
compromised?

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

#27  11-05-2005, 12:46 AM
Flash Gordon
Re: Running program files on XP with non-executable extension?

Leythos wrote:
> In article <1131033952.512278.87400@g47g2000cwa.googlegroups.com>,
> bughunter.dustin@gmail.com says...
>
>>As I said, I've been in the vx side for many years. I'm well versed on
>>both aspects of it, from antivirus perspective as well as vx
>>perspective. I'm not giving my opinion per say, I'm giving that of the
>>general consensus of both the Av and Vx side of things.

>
> That's great for them and you - not being snide here, but, as I said
> before, never seen a false positive on more than 1500 systems, and we'll
> continue to use it scanning all files on access.


It may be rare, but it does happen.
http://www.google.co.uk/search?clien...=Google+Search
I've actually seen a tarball from Cygwin be reported as a virus.

Having said that, on a corporate machine I would generally set it to scan
all files myself.
--
Flash Gordon
Living in interesting times.
Although my email address says spam, it is real and I read it.

#28  11-06-2005, 09:37 PM
Dustin Cook
Re: Running program files on XP with non-executable extension?


David H. Lipman wrote:

> Since I monitor many virus News Groups, including Symantec's, I have come across *many*
> False Positive declarations from many AV vendors.


I don't know why you bother Dave. They won't listen to Ex Vx or AV.
They feel false positives are extremely low. They don't write the
products they use, but they know more about them then the rest of us.
Even the creators. *grin*


> I recently (10/6) dealt with one situation by Symantec in reference to; iun6002.exe which
> was falsely declared as a Trojan.Dropper.


Symantec foobared too eh? I recently had to remove that from BugHunter
as well, my own fault. It was an executable in the wrong folder, meant
for analysis, not inclusion quite yet.

> I'm still wondering when Avast will stop falsely declaring the VBS/RedLof in Trend Micro's
> sysclean utility.


Same here.

Regards,
Dustin Cook
http://bughunter.atspace.org


#29  11-07-2005, 02:46 AM
Dustin Cook
Re: Running program files on XP with non-executable extension?


Leythos wrote:

> I talk with David on a personal/email level once a week or so, and I'm
> not some kid/hack that doesn't have a clue, but I don't need to know how
> Symantec AV works internally, only that it works in our environments.
> I'm sure you don't know how ALL AV products work at the internal levels
> either, or if you think you do, you're just what you claim I am.


That's great. David can verify who I claim to be quite easily. Isn't it
fun dropping names for credibility? As for knowing how AV products work
internally, back when I was active in VX it was sorta my job to know
how the enemy worked at an intimate level so as to avoid/disable/kill the
enemy before they could get me. As I said originally, I'm a coder.
Software is my thing. You're right though, I never learned how Ewido's
routines work internally, but NAV I do. :)


> I've not had an issue with false positives with Symantec Corp edition
> software, at least not in the last 5 years, and we've not had a single
> virus inside our protected networks - and we test the servers and select
> workstations on a schedule with different vendors products, so I'm
> confident in saying that.


In all fairness, I'm not attacking you or your methods. So please don't
misunderstand my intentions. If more individuals like yourself took
security that seriously, I'd be a happier camper, as would many others.
:)

> I'm sorry you believe it can't be true, maybe you should look at how to
> secure entry points a little better and then you might understand how
> easy it is.


I didn't say I don't believe it to be true, only that what you're
claiming just seems a bit far fetched; not the security of your
networks, but the no false alarms thing. That's all.

