On Fri, 21 Oct 2016, Steven M Jones wrote:
> I didn't think modern A/V products included complete historical sets of
> signatures. I'm sure they can deal with ancient, simple bootloader
> infections and such, but at some point I'd be concerned there's a gap
> where something might be too new to be detected by the simplest
> heuristics, but too old for a more sophisticated signature to be in your
> common modern products.
> But this isn't something I've had to deal with.
1) WHY would they delete older threats from their database? You are NOT
talking about a shortage of storage space!
2) Are you going to boot your machine from that image?
Is this an imagined problem?
YES.
The media panic over the Michelangelo virus revealed much about the
anti-virus "industry".
Let's start with the NAME. There was no name IN the virus. It was a copy
of the "Stoned" virus that somebody added a nasty payload to (overwrite
100 sectors of disk). WHY was it named "Michelangelo"? Because somebody
in the "anti-virus industry" looked at a calendar to see what was special
about March 6. If they had been in Texas, instead of using a KQED
calendar, it would have been named "Alamo", which is a far more credible
event to name a virus after. 'course it could have been completely random
choice, or termination date of somebody's employment.
Wikipedia says, "There is no reference to the artist in the virus, but due
to the name and date of activation it is very likely that the virus
writer intended Michelangelo to be referenced to the virus."
Hmmmm. Named after the date (by anti-virus people); because it was named
that, that confirms the accuracy of the name.
Certain college administrators declared that every machine that was
infected would have to be destroyed; "it is impossible to remove the
virus". Have I mentioned a colleague whom they tried to terminate for
removing machines from dumpsters?
At UC Berkeley, aggressive scanning was done in student computer labs, and
"hundreds" of infected disks were found and DESTROYED. ZERO copies were
retained for ANY analysis. Nor was even a count kept, nor followup to try
to get students with infected disks to scan their home machines.
John McAfee predicted that 5 million computers would be wiped out.
The press were called in.
On March 6, there were apparently DOZENS of drives wiped. Few, if any,
records were kept to verify numbers.
McAfee, as expected, took full credit, and declared that the REASON why it
was dozens, instead of millions, was because his warnings were heeded.
Six months later, when he took his company public, he raised 42 million
dollars.
He is currently a fugitive as the "prime suspect" in the murder of his
neighbor in Belize (apparently NOT virus related).
The "Alameda" virus, with some similarities, but no payload, was
discovered at Merritt College. At the sister campus, College of Alameda,
an employee who is the brother of an anti-virus author requested naming
rights, and we all were glad to let him have that moment of family glory.
Later, after one of our students transferred to Yale, it was discovered
again, and named "Yale" virus.