Case 3:17-cv-05659-WHA Document 126-21 Filed 06/28/18 Page 1 of 5
`
`Exhibit 17
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 126-21 Filed 06/28/18 Page 2 of 5
`
`VIRUS BULLETIN CONFERENCE, SEPTEMBER I 995 • i
`
`Proceedings of
`The Fifth International
`Virus Bulletin Conference
`
`I llllll llll/ 111111111111111 lllll lllll 1111111111111
`47550378
`
`Return Date:
`
`for RMS
`'1Be only
`
`13.M.lf 0:i :_ ·.~ Q ,l} ~ .L
`S
`Request Ref. No.
`LL04484 REAPP SLOAN
`If no other library indicated please return r?af?i.
`The British Library Document Supply Centre, Boston Spa,
`Wetherby, West Yorkshire, LS23 780
`
`VIRUS BUUETIN CONFERENCE 0 1995 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3Y~ England.
`T~ +44 (0)123S SSS139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`

`

`Case 3:17-cv-05659-WHA Document 126-21 Filed 06/28/18 Page 3 of 5
`VIRUS BUL1£TIN CONFERE.NCE, SEPTEMBER /995 • 225
`
`SCANNERS OF THE YEAR 2000: HEURISTICS
`
`Dmitry 0. Gryaznov
`
`S&S International Pie, Alton House, Gatehouse Way, Aylesbury, Bucks, HPl 9 3XU, UK
`Tel +441296318700 · Fax +44 1296318777 · Email grdo@sands.co.uk
`
`INlRODUCTION
`
`At the beginning of 1994, the number of known MS-DOS viruses was estimated at around 3,000. One year
`later, in January 1995, the number of viruses was estimated at about 6,000. By the time this paper was
`written (July 1995), the number of known viruses exceeded 7,000. Several anti-virus experts expect this
`number to reach 10,000 by the end of the year 1995. This large number of viruses, which keeps growing
`fast, is known as the glut and it does cause problems to anti-virus software- especially to scanners.
`
`Today, scanners are the most frequently used type ofanti-virus software. The fast-growing number of
`viruses means that scanners should be updated frequently enough to cover new viruses. Also, as the number
`of viruses grows, so does the size of the scanner or its database, and in some implementations the scanning
`speed suffers.
`
`It was always very tempting to find a final solution to the problem; to create a generic scanner which can
`detect new viruses automatically without the need to update its code and/or database. Unfortunately, as
`proven by Fred Cohen, the problem of distinguishing a virus from a non-virus program is algorithmically
`unsolvable as a general rule.
`
`-
`
`Nevertheless, some generic detection is still possible, based on analysing a program for features typical or
`not typical of viruses. The set offeatures, possibly together with a set of rules, is known as heuristics.
`Today, more and more anti-virus software developers are looking towards heuristical analysis as at least a
`partial solution to the glut problem.
`
`Working at the Virus Lab, S&S International Pie, the author is also carrying out a research project on
`heuristic analysis. The article explains what heuristics are. Positive and negative heuristics are introduced
`and some practical heuristics are represented. Different approaches to a heuristical program analysis are
`discussed and the problem of false alarms is explained and discussed. Several well-known scanners
`employing heuristics are compared ( without naming the scanners) both virus detection and false alarms rate.
`
`1 WHY SCANNERS?
`
`If you are following computer virus-related publications, such as the proceedings of anti-virus conferences,
`magazine reviews, anti-virus software manufacturers' press releases, you read and hear mainly 'scanners,
`scanners, scanners'. The average user might even get the impression that there is no anti-virus software
`other than scanners. This is not true. There are other methods of fighting computer viruses-but they are not
`
`VIRUS BULLETINCONFERENCE©l995 VIMlSBulletinLtd,21 The Quadrant, Abingdon,Oxfordshire, OX143YS, England.
`Tel +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`-
`
`

`

`Case 3:17-cv-05659-WHA Document 126-21 Filed 06/28/18 Page 4 of 5
`226 • GRYAZNOV: SCANNERS OF THE YEAR 2000: HEURISTICS
`
`as popular or as well known as scanners; and anti-virus packages based on non-scanner technology do not
`sell well. Sometimes people who are trying to promote non-scanner based anti-virus software even come to
`the conclusion that there must be some kind of an international plot of popular anti-virus scanner producers.
`Why is this? Let us briefly discuss existing types of anti-virus software. Those interested in more detailed
`discussion and comparison of different types of anti-virus software can find it in [Bontchev I], for example.
`
`1.1
`SCANNERS
`So, what is a scanner? Simply put, a scanner is a program which searches files and disk sectors for byte
`sequences specific to this or that known virus. Those byte sequences are often called vints signatures. There
`are many different ways to implement a scanning technique; from the so-called 'dumb' or 'grunt' scanning
`of the whole file, to sophisticated virus-specific methods of deciding which particular part of the file should
`be compared to a virus signature. Nevertheless, one thing is common to all scanners: they detect only known
`viruses. That is, viruses which were disassembled or analysed and from which virus signatures unique to a
`specific virus were selected. In most cases, a scanner cannot detect a brand new virus until the virus is
`passed to the scanner developer, who then extracts an appropriate virus signature and updates the scanner.
`This all takes time - and new viruses appear virtually every day. This means that scanners have to be
`updated frequently to provide adequate anti-virus protection. A version of a scanner which was very good
`six months ago might be no good today if you have been hit by just one of the several thousand new viruses
`which have appeared since that version was released.
`
`So, are there any other ways to detect viruses? Are there any other anti-virus programs which do not depend
`so heavily on certain virus signatures and thus might be able to detect even new viruses? The answer is yes,
`there are: integrity checkers and behaviour blockers (monitors). These types of anti-virus software are
`almost as old as scanners, and have been known to specialists for ages. Why then are they not used as
`widely as scanners?
`
`1.2 BEHAVIOUR BLOCKERS
`A behaviour blocker ( or a monitor) is a memory-resident (TSR) program which monitors system activity
`and looks for virus-like behaviour. In order to replicate, a virus needs to create a copy of itself. Most often,
`viruses modify existing executable files to achieve this. So, in most cases, behaviour blockers try to
`intercept system requests which lead to modifying executable files. When such a suspicious request is
`intercepted, a behaviour blocker, typically, alerts a user and, based on the user's decision, can prohibit such
`a request from being executed. This way, a behaviour blocker does not depend on detailed analysis of a
`particular virus. Unlike a scanner, a behaviour blocker does not need to know what a new virus looks like to
`catch it.
`
`Unfortunately, it is not that easy to block all the virus activity. Some viruses use very effective and
`sophisticated techniques, such as tunnelling, to bypass behaviour blockers. Even worse, some legitimate
`programs use virus-like methods which could trigger a behaviour blocker. For example, an install or setup
`utility is often modifying executable files. So, when a behaviour blocker is triggered by such a utility, it's up
`to the user to decide whether it is a virus or not - and this is often a tough choice: you would not assume that
`all users are anti-virus experts, would you?
`
`But even an ideal behaviour blocker (there is no such thing in our real world, mind you!), which never
`triggers on a legitimate program and never misses a real virus, still has a major flaw. To enable a behaviour
`blocker to detect a virus, the virus must be run on a computer. Not to mention the fact that virtually any user
`would reject the very idea of running a virus on his/her computer, by the time a behaviour blocker catches
`the virus attempting to modify executable files, the virus could have triggered and destroyed some of your
`valuable data files, for example.
`
`VJRUSBULLETINCONFERENCE©1995VirusBulletinLtd,21 TheQuadrant,Abingdon,Oxfordshire,OX143YS, Fngland.
`Tel. +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`

`

`Case 3:17-cv-05659-WHA Document 126-21 Filed 06/28/18 Page 5 of 5
`232 • GRYAZNOV: SCANNERS OF THE YEAR 2000: HEURISTICS
`
`positive heuristics. This way we shall score top most points in the reviews. But what about the users? They
`normally run scanners not on a virus collection but on a clean disks. Thus, they won't notice our almost
`perfect detection rate, but are very likely to notice our not-that-perfect false alarms rate. Tough choice.
`That's why some developers have at least two modes of operation for their heuristical scanners. The default
`is the so-called 'normal' or 'low sensitivity' mode, when both positive and negative heuristics are used and
`a program needs to trigger enough positive heuristics to be reported as a virus. In this mode, a scanner is
`less prone to false alarms, but its detection rate might be far below what is claimed in its documentation or
`advertisement. The often-used (in advertising) figures of 'more than 90 per cent' virus detection rate by
`heuristic analyser refer to the second mode of operation, which is often called 'high sensitivity' or
`'paranoid' mode. It is really a paranoid mode: in this mode, negative heuristics are usually discarded, and
`the scanner reports as a possible virus any program which happens to trigger just one or two positive
`heuristics. In this mode, a scanner can indeed detect 90 per cent of viruses, but it also produces hundreds
`and hundreds of false alarms, making the 'paranoid' mode useless and even harmful for real-life everyday
`use, but still very helpful when it comes to a comparative virus detection test. Some scanners have a special
`command-line option to switch the paranoid mode on; some others switch to it automatically whenever they
`detect a virus in the normal low sensitivity mode. Although the latter approach seems to be a smart one, it
`takes just a single false alarm out of many thousands of programs on a network file server to produce an
`avalanche of false virus reports.
`
`2.5 HOW IT ALL WORKS IN PRACTICE: DIFFERENT SCANNERS COMPARED
`Being myself an anti-virus researcher and working for a leading anti-virus manufacturer, I have developed a
`heuristic analyser of my own. And of course, I could not resist comparing it to other existing heuristic
`scanners. We believe the results will be interesting to other people. They underscore what was said about
`both virus detection and false alarms rates. As the products tested are our competitors, we decided not to
`publish their names in the test results. So, only FindVirus of Dr Solomon 's Anti Virus Toolldtis called by its
`real name. All the other scanners are referred to with letters: Scanner_A, Scanner_B, Scanner_ C and
`Scanner_D. The latest versions of the scanners available at the time of the test were used. For Find Virus, it
`was version 7.50- the first version to employ a heuristic analyser.
`
`Each scanner tested was run in heuristics-only mode, with normal virus signature scanning disabled. This
`was achieved by either using a special command-line option, where available, or using a special empty virus
`signature database in other cases.
`
`The test consisted of two parts: virus detection rate and false alarms rate. For the virus detection rate S&S
`International Pie ONE OF EACH virus collection was used, containing more than 7,000 samples of about
`6,500 different known DOS viruses. For the false alarms test the shareware and freeware software collection
`of SIMTEL20 CD-ROM (fully unpacked), all utilities from different versions of MS-DOS, IBM DOS,
`PC-DOS and other known files were used ( current basic S&S false alarms test set).
`
`When measuring false alarms and virus detection rate, all files reported were counted; reported either as
`' Infected' or ' Suspicious'. Separate figures for the two categories are given where applicable.
`
`In both parts of the test, the products were run in two heuristic sensitivity modes, where applicable: normal
`or low sensitivity mode, and paranoid or high sensitivity mode. The automatic heuristic sensitivity
`adjustment was prohibited, where applicable.
`
`The results of the tests are as follows:
`
`VIRUS BUUETIN CONFERENCE ©1995 VJ.ruS Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX143YS, England.
`Tel +44 (0)1235 555139. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
`without the prior written permission of the publishers.
`
`