In the good old times of MS-DOS you could easily hook execute-only - but in Windows, trying to run the file always involves read. And most people appreciate a warning that they are about to copy malware to the thumb drive they're going to give to a friend.
Advice #2: Scan once and never again until the file is modified. We've tried that. It doesn't work. It just involves additional unnecessary work to keep track of what was modified when.
1 reply 0 retweets 1 like
And what if, as was explained to you in the comments, initially the scanner didn't catch the malware but now does? If you never re-scan, because the file didn't change, you're going to miss it permanently.
3 replies 0 retweets 5 likes
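The "scan once until modified" cache discussed in the two tweets above, as an added example that is not part of the thread. It assumes a toy signature set (two constructed byte patterns), a substring matcher standing in for a real engine, and a cache key built from the file's stat fields; the point it shows is that the definitions version has to be part of the key, otherwise a detection added in a later update is missed for as long as the file stays unchanged.

```python
import hashlib
import os
import tempfile

# Constructed toy "definitions": plain byte patterns. A real engine uses far
# richer signatures; these only exist to show the cache behaviour.
DEFINITIONS_V1 = [b"EVIL_MARKER_A"]
DEFINITIONS_V2 = [b"EVIL_MARKER_A", b"EVIL_MARKER_B"]


def definitions_version(definitions):
    """Stable fingerprint of the signature set, so a definitions update
    changes the cache key even when the file on disk did not change."""
    h = hashlib.sha256()
    for pattern in sorted(definitions):
        h.update(len(pattern).to_bytes(4, "big") + pattern)
    return h.hexdigest()


def scan_bytes(data, definitions):
    """Stand-in for the scan engine: any pattern present means 'malicious'."""
    return any(p in data for p in definitions)


class ScanCache:
    def __init__(self, definitions, include_defs_version=True):
        self.definitions = definitions
        self.include_defs_version = include_defs_version
        self.defs_version = definitions_version(definitions)
        self._verdicts = {}      # cache key -> True (malicious) / False (clean)
        self.real_scans = 0      # counts scans the cache did not save

    def update_definitions(self, definitions):
        self.definitions = definitions
        self.defs_version = definitions_version(definitions)
        # Nothing is purged: with the version in the key, old entries simply
        # stop matching. Without it, they keep answering with stale verdicts.

    def _key(self, path):
        st = os.stat(path)
        # Assumption for the example: stat fields are a good-enough change
        # detector. mtime can be set by anyone who can write the file, so
        # inode, size and ctime are included as well; a real on-access
        # scanner hooks the write path instead of trusting metadata.
        key = (os.path.abspath(path), st.st_dev, st.st_ino,
               st.st_size, st.st_mtime_ns, st.st_ctime_ns)
        if self.include_defs_version:
            key += (self.defs_version,)
        return key

    def scan(self, path):
        key = self._key(path)
        if key in self._verdicts:
            return self._verdicts[key]
        with open(path, "rb") as f:
            data = f.read()
        self.real_scans += 1
        verdict = scan_bytes(data, self.definitions)
        self._verdicts[key] = verdict
        return verdict


def demo(include_defs_version):
    """Returns (verdicts, real_scans) for: scan, scan again, definitions
    update then scan, modify the file then scan."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            # Constructed sample: only detectable once V2 definitions arrive.
            f.write(b"harmless header " + b"EVIL_MARKER_B" + b" trailer")
        cache = ScanCache(DEFINITIONS_V1, include_defs_version)
        verdicts = [cache.scan(path), cache.scan(path)]
        cache.update_definitions(DEFINITIONS_V2)
        verdicts.append(cache.scan(path))       # stale 'clean' without version
        with open(path, "ab") as f:
            f.write(b" more")                   # file change invalidates key
        verdicts.append(cache.scan(path))
        return verdicts, cache.real_scans


if __name__ == "__main__":
    print("versioned key  :", demo(True))
    print("unversioned key:", demo(False))
```

With the definitions version in the key the file is rescanned after the update and the new signature fires; without it the cached "clean" verdict survives until something else touches the file, which is exactly the permanent miss described in the tweet.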
Advice #3: Scan only executable stuff. Well, duh. What do you think we're doing? Except the problem is, do you know how goddamned much is "executable", depending on the circumstances?
1 reply 0 retweets 3 likes
I wish it were just EXEs. You can probably think of Office documents and scripts. And XML files. And HTML files. And RTF files - which can't contain macros but can contain exploits. And PDF files, for the same reason. And, and, and.
1 reply 0 retweets 4 likes
I think Microsoft's browser is "clever" enough to find HTML with JavaScript in the middle of all kinds of crap, like JPEG files, for instance.
1 reply 0 retweets 3 likes
Look, I know that you don't have a very high opinion of the developers of AV software - but we aren't exactly idiots, OK? Some of us have been at this stuff probably for longer than you've been alive.
1 reply 0 retweets 3 likes
Trust me - if there's a nasty trick, we've probably seen it already. If there was a clever way to do something - we're either using it already, or we've tried it in the past and saw that it doesn't work.
1 reply 0 retweets 2 likes
For our products to be used, there is one thing of paramount importance - and, sadly, that's not the ability to detect malware (although it is that for me). The most important thing is to cause minimum disruption most of the time.
1 reply 1 retweet 5 likes
Because if we don't achieve this, nobody uses our product, no matter how good it is at detecting malware. So, we use every trick in the book to make sure we're fast on a clean system - because that's usually how our products are used.
2 replies 0 retweets 1 like
The linked SO issue was O(n²m) (n=bytes written, m=# of relevant virus definitions) write performance which is not tolerable for something that should be O(n).
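The cost behaviour described in the reply above, as an added example that is not part of the thread. It assumes a constructed 64 KiB file written in 4 KiB chunks, a toy signature set of two byte patterns, and three hypothetical write-hook policies: scan the whole file on every write, scan once on close, or scan only the newly written bytes plus an overlap window. Work is counted as bytes scanned times number of patterns, which is where the extra factor m in O(n²m) comes from.

```python
CHUNK = 4096
TOTAL = 64 * 1024
# Constructed toy definitions; the longest pattern decides the overlap window.
DEFINITIONS = [b"EVIL_MARKER_A", b"EVIL_MARKER_B"]
MAX_PATTERN = max(len(p) for p in DEFINITIONS)


def build_payload():
    """Constructed sample: a marker placed so it straddles the first chunk
    boundary (5 bytes in chunk 1, 8 bytes in chunk 2)."""
    payload = bytearray(b"A" * TOTAL)
    pos = CHUNK - 5
    payload[pos:pos + len(b"EVIL_MARKER_A")] = b"EVIL_MARKER_A"
    return bytes(payload)


class WriteHook:
    """Simulated on-write hook. policy is one of
    'every_write', 'on_close', 'incremental'."""

    def __init__(self, definitions, policy, overlap=None):
        self.defs = definitions
        self.policy = policy
        # Overlap must be at least longest pattern - 1, otherwise a pattern
        # split across two writes is never seen in one piece.
        self.overlap = MAX_PATTERN - 1 if overlap is None else overlap
        self.buf = bytearray()
        self.scanned_upto = 0
        self.work = 0            # bytes scanned * number of patterns
        self.detected = False

    def _scan(self, data):
        self.work += len(data) * len(self.defs)
        if any(p in data for p in self.defs):
            self.detected = True

    def write(self, chunk):
        self.buf += chunk
        if self.policy == "every_write":
            # Re-scans everything written so far: quadratic in file size.
            self._scan(bytes(self.buf))
        elif self.policy == "incremental":
            start = max(0, self.scanned_upto - self.overlap)
            self._scan(bytes(self.buf[start:]))
            self.scanned_upto = len(self.buf)

    def close(self):
        if self.policy == "on_close":
            self._scan(bytes(self.buf))
        return self.detected, self.work


def run(policy, overlap=None):
    """Writes the payload chunk by chunk and returns (detected, work)."""
    hook = WriteHook(DEFINITIONS, policy, overlap)
    payload = build_payload()
    for i in range(0, len(payload), CHUNK):
        hook.write(payload[i:i + CHUNK])
    return hook.close()


if __name__ == "__main__":
    for name, kwargs in [("every_write", {}), ("on_close", {}),
                         ("incremental", {}), ("incremental no overlap",
                                               {"overlap": 0})]:
        print(name, run(name.split()[0], **kwargs))
```

Scanning on every write does roughly n/(2*CHUNK) times the work of a single scan on close, which for this 64 KiB file is already 8.5x and grows with the file. The incremental policy stays linear and still catches the marker that straddles the chunk boundary, but only because of the overlap window; with the overlap set to 0 it scans the same number of bytes and misses the detection.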
Replying to @RichFelker @SwiftOnSecurity
The linked issue might have been caused by some kind of engine bug or a bug in a definition. Yes, these happen. We've had it happen in our product too. It's unfortunate, but they do get fixed.
0 replies 0 retweets 0 likes