Comments on: Quickpost: “An Old IE Trick” Revisited

By: Didier Stevens

Didier Stevens — Mon, 10 Nov 2008 18:18:44 +0000

What do you mean with “signature based or pattern based”? Are those 2 terms the same or different for you?

And I assume you’re referring to the proposition that an algorithm that has to decide if a program is a virus or not, can be mathematically proved to be a special case to the Halting Problem, for which Turing proved it was undecidable?

I don’t know the exact details of Fred Cohen’s proof, but are you sure that this applies to signature based detection? Because signature based detection means that an algorithm has to decide if a file contains a given sequence or several sequences of bytes (i.e. the signature). I don’t believe this particular algorithm is undecidable.

With signature based detection, it’s the virus analyst defining the signature (I’m excluding automatic signature generation here) that decides which samples are viruses.

By: Anonymous CS Guy

Anonymous CS Guy — Sat, 08 Nov 2008 00:50:28 +0000

There is this little thing called “The Halting Problem”. No algorithm will detect all possible variants regardless of the technique it uses – whether signature based or pattern based.

By: sidephase

sidephase — Fri, 07 Nov 2008 17:31:42 +0000

The one thing about BD from VirusTotal is that the engine it’s using is the freebie one. Of course, that’s an old engine…not exactly what I would call up to the task. I would love to test this out with the current version…