Main » 2011 » Март » 16 » Kaspersky Lab or to and fro
12:46
Kaspersky Lab or to and fro

Today, the Internet appeared 2 news about Kaspersky Lab,
one as always positive, the other as always negative:

The first story:
The company Kaspersky Lab has patented in Russia five technologies information security. Patents filed by the Federal Service for Intellectual Property, Patents and Trademarks (Rospatent).

Upd: the answer came from employees of Kaspersky

Patent number 2,363,045 describes a new method of treating your computer against malicious programs that actively against the removal. Method, written by Michael Pavlyuschik, allows us to identify a malicious program, which has on one machine multiple copies running in different processes, block the activation of some copies of others, and completely remove them from the ROM and RAM.

Patent number 2,363,047 describes a technology to detect spam in text and bitmaps. The technology, developed by Eugene Smirnov, do not require a machine recognition of graphic images and provides fast and high level of detection of unwanted messages in images. Method is resistant to such a spammer tricks, like turning the text and the writing of his wave, split frames and lines, adding a different noise components.

The patent number 85249 is described a hardware anti-virus for the treatment of computer systems infected with malware. The main function of the anti-virus is to prevent the spread of malware by filtering data received by the device of external memory. The author is a patented anti-virus - Oleg Zaitsev.

Rospatent also issued by Kaspersky Lab patent number 85,247 on the method of identifying spam using lexical vectors. Method, authored by Andrey Kalinin, can effectively identify spam e-mail messages by analyzing their vocabulary and lexical computing vectors.

Kaspersky Lab has also received patent number 85,248 on technology management software license keys. The technology optimizes the management of license keys to change the terms of the modification in the number of computers that are installed licensed program. Authors of technology - a group of experts from Kaspersky Lab as part of Alexei Kalgin, Andrew Kulaga, Damir Shiyafetdinova, Andrew Kazachkova, Stefan Le Hira, Philippe Bodmer and Demema M Billy.

"It is important to understand that patent - a monopoly on the technology described in it, which is a direct prohibition to use it to third parties without permission. In Russia there is no patent jurisprudence, as well as the very patent court, but soon, when all it appears, manufacturing companies will be very important to the safety and protection for its technology, which is why Kaspersky Lab patents and their innovative solutions and Russia ", - comments patents Kashchenko Hope, head of intellectual property management company.

According to the company, is currently patent offices of various countries are considering more than three dozen patent applications, Kaspersky Lab, describes the unique innovative technologies in the field of information security.

The second story about the discovery of competitors in the new line of Kaspersky Internet Security 2010:
Technology Sandbox («sandbox or Green Zone -« safe environment "), which first appeared in the complex decision of Kaspersky Internet Security 2010 (antivirus, antispam , protection from attack), has attracted attention of competitors LC. Recall that the Sandbox allows you to run any suspicious programs and Web sites in an isolated virtual space.

"We could not refrain from testing the new technology of our colleagues - say company representatives. Dr. Web. - Since the idea of ??"sandbox" is not new, and quite a lot of antivirus companies for a long time have a similar design, but also due to the fact that our anti-virus laboratory is constantly engaged in research in this area, such information is, of course, is great interest to us. "

To perform the first test file manager FAR was placed in a "sandbox" and launched for execution - describe their experiment in "Doctor Web". - Then, from the web were taken four exploits the vulnerability of Windows. Viruses were not zadetektirovany means KIS (did not work either heuristics or HIPS) and launched for execution. As a result, all the exploits have fulfilled their purpose (the transition to kernel mode OS), and "sandbox" and not carry out its mission, as evidenced by a blue screen of death Windows (BSoD). Operating system has suffered an absolute harm. "

In another test was performed to test the ability to isolate the changes to the file system inside the Green Zone. "Normal operations on files will not affect the performance of the primary system - continue to" Doctor Web ". - But changing the default file name syntax to its counterpart via the network redirector (as did, for example, virus Win32.Ntldrbot), you can get full access to the outside of the sandbox and the ability to modify critical facilities. Thus, a simple batch file (bat) from the two lines can easily delete the file c: \ ntldr, which leads to the complete failure of the entire system after a reboot.

Thus, as stated by Doctor Web », Green Zone actually completely no guarantee that malware can not harm the operating system and user files, as was stated when running KIS 2010.
And here you sit and think that's better, everything is new for us to prepare the developer, or better when developers modify the old?

And here is itself a response from odnog of workers Kas

Today at CNEWS released material under the name hacked sandbox. As follows from the text, Kaspersky Lab said that comment on a competitor will not.

On a personal note I will say that in polite society generally recognized rules of ethics is the first to send notification of newly discovered vulnerability vendor, receiving an answer from him, possibly correct, and then to drain the information in public.
The fact that some people in the DrWeb on the ethics of long spit - we remember (riveting exploits for antivirus products to our web handles Mr. Gladkikh ~ since the way was already 3 (?) 4 (?) Years and similar to the functional solution to the DrWeb and still not that clear - destroy, not build), so that no particular surprise to me that not all causes.
So, as said - no comment. Only one story. One of ...
The results are here. And how was it - under the cut.

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 2:26 PM
Subject: drweb and CreateProcess

Hello!
I found funny and at the same time a serious bug in the coolest Avery R))

Baga them is to misuse the function CreateProcess.

They have a couple like that used by:
.data
CommandLine db «C: \ Program Files \ DrWeb \ drwebupw.exe», 0
CommandLine2 db «C: \ Program Files \ DrWeb \ drwebupw.exe / go », 0
.code
_start:
invoke CreateProcess, offset CommandLine, offset CommandLine2, ...
What is wrong:)

As a result, if there is a file C: \ Program.exe - then he will be running:)
As soon as it starts to update besides updater will run and we've found:). And while the process is complete Program.exe - update does not install:)
STE true for all versions of 4.44

A 5-ke see they're partially corrected this Bagua (see simply no parameters are passed), but when the installation Update runs drwreg.exe-check and re-did C: \ Program.exe start.

Baga - fire:)
From: Alexander Gostev
Sent: Tuesday, June 16, 2009 2:29 PM

Well, you write them vulnerability notification?

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 3:19 PM

Even to me they do not want to write Nitsche:) With this attitude to the tests on the amplitude and sayings such as Sharova on sinyus-can I send the current M)

going to fold on the problem and what will be published on the am, if not fall within a week.

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 4:01 PM

OK.
And to send them is not aware of?

From: Alexander Gostev
Sent: Tuesday, June 16, 2009 4:05 PM

And at what address - and on their website listed should be:)

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 5:04 PM

They really do not have such a campaign email, wherever it was possible to send a letter bagoy:)

Now nly driven obnovlyator them here bug:

0107F4C0 0042B96B / CALL to CreateProcessA from drwebupw.0042B965
0107F4C4 00000000 | ModuleFileName = NULL
0107F4C8 00D0A650 | CommandLine = «C: \ Program Files \ DrWeb \ drwreg.exe-check»
0107F4CC 00000000 | pProcessSecurity = NULL
0107F4D0 00000000 | pThreadSecurity = NULL
0107F4D4 00000000 | InheritHandles = FALSE
0107F4D8 00000000 | CreationFlags = 0
0107F4DC 00000000 | pEnvironment = NULL
0107F4E0 003F4CE8 | CurrentDir = «C: \ Program Files \ DrWeb \»
0107F4E4 0107F510 | pStartupInfo = 0107F510
0107F4E8 0107F500 \ pProcessInfo = 0107F500

That is a bit earlier, I was mistaken - visually it seemed that the bug is
when creating a process drwebupw.exe, was the same when creating process
drwreg.exe by obnovlyatorom. STE but it does not change the

From: Alexander Gostev
Sent: Tuesday, June 16, 2009 5:33 PM

Then write a well-known for:
support @
vms @

+ possible (generally accepted in the industry for such cases).
Security @
vulnerability @

July 2, after two-plus weeks, DrWeb has released a patch for this vulnerability. (End of response worker CAS)

And my personal opinion that it is not and does not answer, but simply an indication of other errors.
No that would write how and what will be done to eliminate, and what to do right now, the user 10 versions of KIS (as naprime article google which recognized the mistake and told why it all happened.
Views: 587 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: