SANS and Sensibility

SANS, who last year informed us that an unsound antivirus testing methodology (involving the use of what may or may not have been viruses, but certainly seemed to have been newly generated intended viruses) was entirely sound, and that antivirus products are totally reactive (heuristics? never heard of them…), have once again treated us to the benefit of their wisdom in their @Risk Vulnerability Alert newsletter.

At the top of that item we learn, alarmingly, that “Trend Micro’s antivirus system is now a back door into systems on which it is deployed.” Further down we discover that what they’re referring to is a UPX parsing buffer overflow vulnerability which is addressed in pattern file 4.245.00. (Not a nice thing to happen, and Trend users will certainly want to update and circumvent any lurking attempts to exploit the vulnerability, but the sky has not yet fallen.)

So what do we make of this little gem in the SANS Internet Storm Center’s Handler’s Diary? Apparently there is a trend for AV products to contain the same type of vulnerabilities they claim to shield other software against. Well, it’s true that antivirus scanners often detect vulnerabilities as well as viruses, Trojans, spyware and a whole load of other stuff that “the greatest minds in the information security industry” at SANS would know more about than I, a mere antivirus drone. But major antivirus labs are a little chary of claims that they detect 100% of viruses, let alone of all these things that aren’t viruses.

Who, ask SANS, will watch the watchers? (In Latin, of course, as you’d expect from the greatest minds in security.) I don’t know. I don’t know how antivirus companies can be expected never to make coding errors either. Nor do I know who will protect us from the misconceptions of instant experts…