微点交流论坛 (Micropoint Forum)
Title: Users' criteria for antivirus quality: Micropoint vs. the antivirus products
redhat (Newbie)
#1  Users' criteria for antivirus quality: Micropoint vs. the antivirus products

Which antivirus is best?
The reviews that rank an antivirus "number one": is anything fishy going on? What are the evaluation criteria in users' eyes? Evaluation criteria: let's hear our own voices.

Antivirus reviews are everywhere, just like the endless award shows in the entertainment world: everyone hands out their own prizes and does their own thing, and there is no single authority. Even if there were one, what are its criteria, is anything fishy going on, has it actually surveyed our experience as users, and how thorough was that survey?

   A good review does not come from any so-called organization; it comes from what users themselves experience.

   So what makes a good standard, and what is the standard in our eyes as users? I invite everyone to discuss it. Suggested topics:

  1 Which aspects should the evaluation criteria cover (in your opinion):
   
     For example: installation speed, the scan engine's processing speed, memory footprint, disk space used, compatibility with other software (including other antivirus products), how much the software slows down other operations once it is running, updates, the look of the interface, ease of use and of managing it yourself, and, most importantly, detection capability, covering proactive defense, detection of unknown viruses, detection and removal of known viruses, cleanup after an infection, and so on.

  A method for testing antivirus software circulates online and is used to judge how good a product is, but because the information is public it also lets existing vendors tune their software for this specific code, which strips the test of its original meaning.
  Excerpted below; everyone can have a go:
The code provided by the European antivirus association is definitely worth a try: see what your antivirus can do!
Test method:
1. Right-click an empty area of the desktop and create a new "text document".
2. Copy the test code below into the text file and save it. You can then right-click the file and scan it with your antivirus, or simply wait a while: if your antivirus is any good it will raise an alert on its own and delete the file, and you can be reasonably reassured.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
How the test works:
This code is a piece of virus code developed by the European Institute for Computer Antivirus Research; its signature is included in every antivirus product's virus database, so it can be used to test the virus scanning engine.
Test grades:
Top: a virus-in-memory alert appears as soon as the code is copied
Excellent: an alert (or deletion) right after saving
Average: an alert (or deletion) a few seconds after saving
Poor: an alert (or deletion) only when you launch a scan yourself
Bad: no alert (or deletion) no matter how you scan

   2  Actual evaluation
   
    After a while, we will consolidate the evaluation criteria everyone has submitted and then run tests against them. Please upload your test results; suggested contents:
    Operating environment: the machine's configuration (CPU, memory, hard disk, etc.), the operating system, installed software, and so on
How exactly to test is also open for discussion. In the end we will see how the results measure up against the evaluation criteria we set ourselves.
   I hope this can be of some help to Micropoint, and of course I hope Micropoint will reward those of us who take part, for example by letting us use it for free!

※ ※ ※ This post is solely the personal opinion of [redhat] and is unrelated to the position of 微点交流论坛 ※ ※ ※
2007-1-30 11:16
chujl (Intermediate user)
#2

New things need new standards.

From a feudal lord's point of view, capitalism is a bad thing.

2007-1-30 11:41
chujl (Intermediate user)
#3

Does the OP know what harm that code can do?

2007-1-30 11:42
gwg829 (Newbie)
#4

This code is just a piece of code from Kaspersky 5.

It was indeed published by the European Institute for Computer Antivirus Research,

but it does no actual damage to the computer.

It merely mimics the characteristics of common viruses.

Ordinary antivirus products rely on signature comparison, so naturally they raise an alert.

MP (Micropoint), on the other hand, uses behavior monitoring

and simply ignores a simulated virus like this,

because such code has no ability to harm the computer at all.

2007-1-30 12:10
redhat (Newbie)
#5

That virus code will absolutely not harm your machine. Don't worry.

2007-1-30 12:10
redhat (Newbie)
#6

It should be noted that this version of the code is fairly old, from 2003 I believe. To help everyone understand, here is an excerpt of an explanation:
The post is too long.
Let's have fun with EICAR test file
Date: Fri, 27 Jun 2003 10:35:23 -0700
To: bugtraq@securityfocus.com




Let's have fun with EICAR test file


This text is about eicar.com, a famous industry-standard test file designed
to check antivirus software working status. We'll first discuss fairly
in detail of what it's made, after which we'll "play" a little with it.
You are supposed to have a reasonable background with COM files and assembly
language programming.


They call this Introduction


EICAR stands for "European Institute for Computer Antivirus Research".
What they are involved in won't require a great work of your brain (go
to www.eicar.org otherwise)...


A few years ago, they released a file, cleverly named eicar.com, designed
to help users to check their own antivirus (AV) software. Its official
name is "EICAR Standard Antivirus Test File" (ESATF). Here are some pieces
of information about it:


- It's short, only 68 (44h) bytes in length. You won't spend too much
time or money downloading it. Furthermore, you can duplicate and distribute
it quickly.
- It's made up of exclusively printable ASCII characters. Thus you can
easily create it with any plain text editor if you have no mean to download
it. Here's its contents:


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Figure 1. ESATF ASCII form.


As you can see, there are solely capital letters, digits or punctuation
marks; no space or character from outer space. The third symbol is the
upper case letter "O", not zero.


- It's not a virus at all (using a true one to test your AV would be
really irresponsible), just a legit and safe DOS COM file! When running,
it only prints the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" string on your
screen (more details about its implementation below). The choice of COM
file is just a practical consideration: a way to be sure to "run" correctly
from DOS OSes to the last Windows OSes...


Every AV should react when facing ESATF. It's a now well known industry-
standard test file and all credible running AV must "detect" it. Actually,
it should behave "as if" ESATF was a virus: appropriate warning message
(some display something like "File infected with EICAR-Test-File" but
they ought to be less stressful; ESATF isn't a virus and AVs shouldn't
frighten novices) locking access to the file, putting in quarantine,
etc. Note it's a safe and easy way to ensure yourself your AV is really
and correctly working (maybe the opportunity to observe your first digital
"viral" incident)... and that's what ESATF has been designed for!


EICAR provides also two zipped versions of ESATF in order to test dispositions
of AVs to deal with zip archive files. One is the "code" seen above (Figure
1) just zipped. The last one is the zipped version... zipped one more
time (a double zip archive). Therefore, you can assess the AV unzip level
as well.


Looking inside ESATF guts


Here's the disassembled code of eicar.com. Traditionally, memory locations
are specified using the segment:offset notation, but as segment values
don't matter within the context of this article, they are omitted:



Step Offset Opcodes Instruction


01 0100 58 pop ax
02 0101 354F21 xor ax,214Fh
03 0104 50 push ax
04 0105 254041 and ax,4140h
05 0108 50 push ax
06 0109 5B pop bx
07 010A 345C xor al,5Ch
08 010C 50 push ax
09 010D 5A pop dx
10 010E 58 pop ax
11 010F 353428 xor ax,2834h
12 0112 50 push ax
13 0113 5E pop si
14 0114 2937 sub [bx],si
15 0116 43 inc bx
16 0117 43 inc bx
17 0118 2937 sub [bx],si
18 011A 7D24 jge 0140
19 011C 45494341
522D5354
414E4441
52442D41
4E544956
49525553
2D544553
542D4649
4C452124 DB "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
20 0140 48 dec ax
21 0141 2B482A sub cx,[bx+si+2A]


Figure 2. ESATF disassembling.


It seems to be a weird code just for printing a string on the screen
uh?! But don't forget one requirement from the authors: it must be possible
to create the file using a plain text editor, so they had to use only
alphabetic symbols, digits and common punctuation marks. To remove any
doubt, lower case letters and space were excluded. Thus, only subsets
of ASCII characters are available, ranging from 21h (exclamation mark:
!) to 60h (single opening quotation mark: ') and from 7Bh (opening brace:
{) to 7Dh (closing brace: }).


Here are ESATF characters hexadecimal codes:



   00 01 02 03 04 05 06 07


00 58 35 4F 21 50 25 40 41
01 50 5B 34 5C 50 5A 58 35
02 34 28 50 5E 29 37 43 43
03 29 37 7D 24 45 49 43 41
04 52 2D 53 54 41 4E 44 41
05 52 44 2D 41 4E 54 49 56
06 49 52 55 53 2D 54 45 53
07 54 2D 46 49 4C 45 21 24
08 48 2B 48 2A


Figure 3. ESATF hexadecimal codes.


In a more classic way, we may write ESATF like this (Microsoft MASM code):


.386
.MODEL TINY

CODE SEGMENT USE16

ORG 100h

@START: jmp @GO

msg DB "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"

@GO: mov DX,OFFSET msg
mov ax,0900h
int 21h
int 20h

CODE ENDS

END @START
Figure 4. ESATF-Like source code.


When running, result is the same as with ESATF, but the assembled final
file has a smaller size (48 bytes). Here is the disassembling of ESATF-
Like:



Step Offset Opcodes Instruction


01 0100 EB24 jmp 0126h
02 0102 45494341
522D5354
414E4441
52442D41
4E544956
49525553
2D544553
542D4649
4C452124 DB "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
03 0126 BA0201 mov dx,0102h
04 0129 B80009 mov ax,0900h
05 012C CD21 int 21h
06 012E CD20 int 20h


Figure 5. ESATF-Like disassembling.


Unfortunately, you can notice plenty of hexadecimal codes out of the
"allowed" range [21h-60h,7Bh-7Dh], particularly interrupts calls opcodes!
That's why ESATF designers chose to use a very common trick from the
"viral scene" to encode it: self-modifying code...


Let's debug (or spelunking ESATF)!


For an easier reading of the following, keep Figure 2 close to your eyes.
Once "launched", eicar.com is loaded in memory at address 100h, just
after the 256 (100h) bytes in size PSP (Program Segment Prefix). The
first instruction is:



01 0100 58 pop ax


In English, we move two bytes of the stack from the SS:[SP] address into
the AX register. Initially, SP is set to FFFEh and the 16 bits value
stored there is 0. Thus, we just move 0 into AX.
AX = 0 and SP = 0.



02 0101 354F21 xor ax,214Fh


0 XOR 214Fh = 214Fh. Opcodes show the 214Fh value "inverted" (4F21);
it's just because Intel microprocessors use Little Endian convention
to store bytes in memory: the least significant byte (also called low
byte) is stored first, at the lowest address, while the most significant
byte (high byte) is stored at the highest address.
AX = 214Fh and SP = 0.

2007-1-30 12:20
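The quoted bugtraq article stops after step 2 of its trace. As an added example (not from the forum post or the article), here is a tiny interpreter covering only the opcodes eicar.com uses, so the rest of the self-modifying sequence from Figure 2 can be run: the two sub [bx],si patches turn the trailing "H+H*" into int 21h / int 20h, and AX=097Bh, DX=011Ch select DOS print-string on the embedded message. The initial stack word of 0 is the one DOS pushes for a COM program.

```python
# Added example: a minimal 8086 interpreter for just the opcodes eicar.com uses,
# so the self-modifying code can be watched rather than hand-traced.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def run_eicar(image=EICAR):
    """Execute the COM image as DOS would load it at CS:0100h.
    Returns (printed string, final registers, the four bytes at 0140h-0143h)."""
    mem = bytearray(0x10000)
    mem[0x100:0x100 + len(image)] = image
    reg = {"ax": 0, "bx": 0, "dx": 0, "si": 0}
    stack = [0]           # DOS pushes a zero word before jumping to 0100h
    ip, sf, of, output = 0x100, 0, 0, None
    rd16 = lambda a: mem[a] | (mem[a + 1] << 8)      # little-endian word
    while True:
        op, imm8, imm16 = mem[ip], mem[ip + 1], rd16(ip + 1)
        if op in (0x58, 0x5B, 0x5A, 0x5E):           # pop ax/bx/dx/si
            reg[{0x58: "ax", 0x5B: "bx", 0x5A: "dx", 0x5E: "si"}[op]] = stack.pop()
            ip += 1
        elif op == 0x50:                             # push ax
            stack.append(reg["ax"]); ip += 1
        elif op == 0x35:                             # xor ax, imm16
            reg["ax"] ^= imm16; ip += 3
        elif op == 0x25:                             # and ax, imm16
            reg["ax"] &= imm16; ip += 3
        elif op == 0x34:                             # xor al, imm8
            reg["ax"] ^= imm8; ip += 2
        elif op == 0x43:                             # inc bx
            reg["bx"] = (reg["bx"] + 1) & 0xFFFF; ip += 1
        elif op == 0x29 and imm8 == 0x37:            # sub [bx], si  (the self-modifying patch)
            a, b = rd16(reg["bx"]), reg["si"]
            res = (a - b) & 0xFFFF
            mem[reg["bx"]], mem[reg["bx"] + 1] = res & 0xFF, res >> 8
            sf, of = res >> 15, ((a ^ b) & (a ^ res)) >> 15
            ip += 2
        elif op == 0x7D:                             # jge rel8: taken when SF == OF
            rel = imm8 - 0x100 if imm8 > 0x7F else imm8
            ip += 2 + (rel if sf == of else 0)
        elif op == 0xCD and imm8 == 0x21 and reg["ax"] >> 8 == 0x09:   # DOS print '$'-string
            output = mem[reg["dx"]:mem.index(b"$", reg["dx"])].decode("ascii")
            ip += 2
        elif op == 0xCD and imm8 == 0x20:            # DOS terminate program
            return output, reg, bytes(mem[0x140:0x144])
        else:
            raise ValueError(f"opcode {op:02X} at {ip:04X} not needed by eicar.com")

if __name__ == "__main__":
    text, regs, patched = run_eicar()
    print(text, {k: f"{v:04X}" for k, v in regs.items()}, patched.hex())
```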
redhat (Newbie)
#7

The above is not the end. If anyone is interested I will post the rest; if nobody wants it, never mind, so as not to waste space.

2007-1-30 12:21
redhat (Newbie)
#8

Some friends still don't understand that code, so here is a note:
note that it's not a virus; it's just a pattern which virus scanners should all pick up
It is not a virus, just a test sample for checking a virus scanning engine.

2007-1-30 12:32
redhat (Newbie)
#9

You can also use it to test by sending it in an email. A few more examples:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
General explanation:
Testing it
You should now have a system which can scan mail for viruses and spam. Using the setup from before, try sending an email to yourself. When it arrives, look at the header and make sure that it includes the strings to show it's been through MailScanner.

Now send an email containing the string:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

It should be delivered but flagged as {Spam?} - this test string is known as GTUBE and should be picked up by all spam checkers.

Now try sending a message including the string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This shouldn't be delivered. EICAR is a standard virus test (note that it's not a virus; it's just a pattern which virus scanners should all pick up)

You can check if all this has worked by looking at the file /var/log/maillog – it's a plain text file and if you look through it you'll find lines like:

Jun  4 00:14:02 tconwl9 postfix/smtpd[69875]: connect from unknown[65.199.194.153]
Jun  4 00:14:16 tconwl9 postfix/smtpd[69875]: 3BA5F2093: client=unknown[65.199.194.153]
Jun  4 00:14:24 tconwl9 postfix/cleanup[69876]: 3BA5F2093: message-id=<20040603231412.3BA5F2093@tconwl9.cnwl.ac.uk>
Jun  4 00:15:17 tconwl9 postfix/smtpd[69875]: disconnect from unknown[65.199.194.153]
Jun  4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: from=<fxsjj@iname.com>, size=31680, nrcpt=1 (queue active)
Jun  4 00:15:17 tconwl9 postfix/qmgr[12866]: 3BA5F2093: to=<international.admin@cnwl.ac.uk>, relay=none, delay=65, status=deferred (delivery temporarily suspended: deferred transport)
Jun  4 00:15:19 tconwl9 MailScanner[64484]: New Batch: Scanning 1 messages, 31958 bytes
Jun  4 00:15:19 tconwl9 MailScanner[64484]: Spam Checks: Starting
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Message 3BA5F2093 from 65.199.194.153 (fxsjj@iname.com) to cnwl.ac.uk is spam, SpamAssassin (score=17.181, required 6, BAYES_99 5.40, MIME_MISSING_BOUNDARY 1.84, MISSING_MIMEOLE 1.59, MSGID_FROM_MTA_SHORT 3.03, NO_REAL_NAME 0.16, PRIORITY_NO_NAME 1.21, RAZOR2_CF_RANGE_51_100 1.10, RAZOR2_CHECK 1.05, X_MSMAIL_PRIORITY_HIGH 0.50, X_PRIORITY_HIGH 1.30)
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Spam Checks: Found 1 spam messages
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Spam Actions: message 3BA5F2093 actions are deliver
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Virus and Content Scanning: Starting
Jun  4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.zip        Found the W32/Netsky.z@MM!zip virus !!!
Jun  4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.txt    .exe        Found the W32/Netsky.z@MM virus !!!
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Virus Scanning: McAfee found 2 infections
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Infected message 3BA5F2093 came from 65.199.194.153
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Virus Scanning: Found 2 viruses
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Filename Checks: Windows/DOS Executable (3BA5F2093 Notice.txt                                                                                                                                     .exe)
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Other Checks: Found 1 problems
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.txt    .exe" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.zip" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
This shows you that a computer at IP address 65.199.194.153 has tried to deliver a message for international.admin@Cnwl.ac.uk apparently from fxsjj@iname.com. Postfix has queued it and flagged it for deferred delivery. MailScanner checks at regular intervals and this time has found just 1 message waiting. It runs a spam check and decides it's spam (score 17.1 is nearly 3 times our safety level!)

MailScanner is configured to tag the message as spam but still to deliver it so it now virus scans it. This particular message has an attachment which it recognises as the W32/Netsky virus; it extracts the contents of the file and confirms that there is an .exe file inside which is the virus payload. MailScanner is configured not to deliver infected email so it saves this message to the quarantine folder.

2007-1-30 12:33
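For the log walk-through above, an added example (not from the post or from MailScanner itself) that parses the verdict lines into one record per queue id, so a GTUBE or EICAR test run can be checked from /var/log/maillog instead of read by eye; it also flags the space-padded "Notice.txt    .exe" name the log shows, where padding hides the real extension. The sample lines are constructed from the quoted log with shorter padding.

```python
import re

# Constructed sample modelled on the MailScanner log quoted above (queue id,
# addresses and virus names copied from the post; whitespace padding shortened).
MAILLOG = """\
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Message 3BA5F2093 from 65.199.194.153 (fxsjj@iname.com) to cnwl.ac.uk is spam, SpamAssassin (score=17.181, required 6, BAYES_99 5.40, RAZOR2_CHECK 1.05)
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Spam Actions: message 3BA5F2093 actions are deliver
Jun  4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.zip        Found the W32/Netsky.z@MM!zip virus !!!
Jun  4 00:15:25 tconwl9 MailScanner[64484]: /3BA5F2093/Notice.txt    .exe        Found the W32/Netsky.z@MM virus !!!
Jun  4 00:15:25 tconwl9 MailScanner[64484]: Saved infected "Notice.txt    .exe" to /var/spool/MailScanner/quarantine/20040604/3BA5F2093
"""

# One pattern per verdict line type; the queue id (3BA5F2093 above) ties them together.
SPAM = re.compile(r"Message (\w+) from (\S+) \((\S+)\) to \S+ is spam, SpamAssassin \(score=([\d.]+), required (\d+)")
ACTION = re.compile(r"Spam Actions: message (\w+) actions are (.+)$")
VIRUS = re.compile(r": /(\w+)/(.+?)\s+Found the (\S+) virus")
SAVED = re.compile(r'Saved infected "(.+)" to (\S+/(\w+))$')

def summarize(log):
    """Return {queue id: {spam, action, viruses, quarantined}} built from MailScanner lines."""
    msgs = {}
    def rec(mid):
        return msgs.setdefault(mid, {"spam": None, "action": None, "viruses": [], "quarantined": []})
    for line in log.splitlines():
        if m := SPAM.search(line):       # spam verdict with score vs. required threshold
            rec(m[1])["spam"] = {"ip": m[2], "from": m[3], "score": float(m[4]), "required": int(m[5])}
        elif m := ACTION.search(line):   # what MailScanner decided to do with the spam
            rec(m[1])["action"] = m[2].strip()
        elif m := VIRUS.search(line):    # (attachment name, virus name) per detection
            rec(m[1])["viruses"].append((m[2], m[3]))
        elif m := SAVED.search(line):    # attachments copied to the quarantine directory
            rec(m[3])["quarantined"].append(m[1])
    return msgs

def suspicious_name(filename):
    """True when the real extension is hidden behind padding, as in 'Notice.txt    .exe'."""
    return re.search(r"\s+\.\w+$", filename) is not None

if __name__ == "__main__":
    for mid, info in summarize(MAILLOG).items():
        print(mid, info["spam"], info["action"], info["viruses"])
        print("  padded names:", [f for f, _ in info["viruses"] if suspicious_name(f)])
```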
redhat (Newbie)
#10

Test report on Micropoint and other antivirus products against samples from the three major forums (updated on the 29th)
http://bbs.366tian.net/viewthrea ... page%3D1&page=1

A very good test thread.

2007-1-30 12:45