NAUTOPIA: Privacy, Security and Civil Liberties    Local Forum of TARRACO, Tarragona

 


 


 
 

by maty / translated by daexma  rev. 0.1

INTERVIEW WITH RICHARD MARKO by NAUTOPIA

Head of Strategic Programming at ESET, maker of the Slovak antivirus NOD32

 

Index

  1. Photography

  2. Notes about the interview

  3. People who sent questions

  4. Some questions received with the interview already finished

  5. Self-Criticism

 

Participants

  • interviewees: Richard Marko (RM), Vicente Coll (VC)
  • interviewer: maty
  • questionnaire: We asked some nautópatas and the users of the OT list of the GDUTB, which supports THE BAT! email client, to send us questions. We have tried to put together a mix of them.

 

Interview

We wanted to put to Richard Marko, ESET's Head of Strategic Programming and the person directly responsible for NOD32's heuristics, the first question we had asked Anton Zajac, ESET's Executive Vice-President, in the interview held at SIMO 2002 in Madrid.

1. The heuristics of antivirus programs show more reliability problems. When will NOD32 have daily updates, even more than once a day? It would then have both good heuristics and an earlier-updated virus database.

RM: The idea that heuristics are less reliable every time is not right; it is rather the opposite. We keep working on improving the heuristics. Every time they are more reliable, and I think the results bear this out.

VC: Tom Takamoto, the Japanese distributor of NOD32, from CANON Systems, compiled a statistic a few months ago about in-the-wild viruses that NOD32 had detected through heuristics over the immediately preceding year. The result indicated that approximately 80% of the new viruses on the in-the-wild list had been detected by NOD32 by means of the standard heuristics and the advanced heuristics. The comparison is public and is on our website http://www.nod32-es.com/.

 

Re-question: Then, what is the decline in the efficiency of the heuristics of KASPERSKY's KAV 4.* antivirus due to? Because of that they bet on several daily updates.

RM: I don't know; you would have to ask KASPERSKY that. But I believe that Kaspersky has another philosophy. They don't improve the heuristics, so they have to bet on more updates.

VC: This same week the Bagle.B and Netsky.B viruses have appeared. Both have been detected by NOD32 by means of the advanced heuristics. Why bother releasing daily updates if 80% of viruses are detected with heuristics? ESET works as much on improving the heuristics as on the updates. The sum of both is the true effectiveness of the antivirus.

 

2. v1 lagged behind against Trojans compared with the detection ratios of KASPERSKY and McAFEE. What have you done in this field?

- SECURITY LINKS: Antivirus vs Anti-Trojans -

RM: The heuristics can also detect Trojans, but what we do is add more and more signatures. With time, Trojan detection ratios will increase. But for a user, the important thing is to detect the samples that are on his computer, because there are many Trojan and badware files that only exist in private collections.

Detecting more Trojans doesn't mean that an antivirus protects you better than another, because the important thing is to detect the samples that can infect computers.

We are working on improving IMON to include detection on the HTTP port's traffic, so as to prevent Trojan intrusions by that route, and we want to add FTP and other protocols, all in IMON and with the advanced heuristics, to improve Trojan detection. All that, on top of the continuous addition of signatures to the databases.
 

[Image: IMON module of the NOD32 v2 antivirus]

Courtesy of the Spanish distributor: internal beta of the new IMON module with HTTP support.

 

3. Are Trojans difficult to detect through heuristics? In that case, why are several daily updates of the virus database not offered, as happens at present with KASPERSKY?

RM: Officially there are three virus updates a week, but usually there are more. And it is not that Trojans are more difficult than worms; it is just that we spend more time improving worm detection because we believe they are more important, since they have wider propagation and spread very quickly. In the case of worms it is really important to have detection when they appear in the wild.

 

4. NOD32 v1 did not scan compressed files properly, except in the ZIP format. When will v2 scan other formats, such as 7z, ace, cab, rar (common in many downloads) and others such as tar.gz or the famous UPX?

RM: v2 already has support for rar 3, gz, lha. We want to add cab shortly. But compressed files are not so important. The packers like UPX or ASPack, Petite, FSG... that NOD32 already supports in v2 are more important. But the advanced heuristics also contain what we call a "universal unpacker" or "generic unpacker", which is capable of "unpacking" many other formats "on the fly" without supporting them directly.

It is a general algorithm that makes it unnecessary to update the antivirus continually with each update or new revision of the packer in question. It also happens that virus authors change the packer's code so that antiviruses are not able to "unpack" the file in question; that problem doesn't exist with the "generic unpacker".

VC: Richard Marko is the creator and main developer of the advanced heuristics. One way or another, everything ends up mentioning the heuristics, which is what he knows best :P

[Image: UPX, the Ultimate Packer for eXecutables]

 

5. NOD32 v2 incorporates the IMON module to scan incoming mail on our system, without using the plugins used by mail agents like THE BAT! When will it scan other ports like ftp, http, https...?

RM: The support for HTTP is almost ready; it is just in beta phase and will be released soon (in fact it is my colleagues who are in charge of that and I don't know the exact dates).

Re-question: And what about HTTPS? Is it planned? Do you think it is necessary?

RM: Honestly, I don't know whether my colleagues plan to include support for that format, but we want to add the advanced heuristics to AMON as well, so that it checks all the new files that come into the computer.

[Image: Advanced heuristics]

VC: The advanced heuristics are extraordinarily effective at detecting new viruses and Trojans, but they have the drawback that they can slow down file checking, reducing the computer's performance. Richard doesn't only work on improving virus detection by means of AH, but also on increasing its speed. When the speed is sufficiently acceptable, it will also be included in AMON. I can say that in the last two weeks Richard has been at my company working on the AH. In fact, my colleagues and I see only Matrix-style letters, but he says something about assembler code and that that will improve the heuristics, and we believe him :P

RM: By including the AH in AMON we will make support for each different protocol (such as HTTPS) unnecessary.

[Image: AMON module of the NOD32 v2 antivirus. Advanced heuristics?]

A possible integration of the Advanced Heuristics has been added to the image.

 

6. POP3 is the protocol for scanning mail. When will the IMAP protocol be added?

RM: Honestly, I cannot answer that question. That is handled by my colleagues. It is on the wishlist, but it is the same thing as with HTTPS. Maybe we will include it in IMON, or maybe we will include it directly in AMON. Although I believe that we will surely include it in IMON, I don't know the dates.

[Image: IMAP mail in OPERA 7.50]

Opera 7.50 browser's mail module: POP3 and IMAP protocols, also webmail.

 

7. The EICAR antivirus test file is an excellent tool to check whether the antivirus works, but it is commonly removed by perimeter antivirus programs. Does the industry plan to develop an end-user EICAR, which would be detected by workstation antivirus, and another one for mail servers?

RM: I don't think so. I have never heard of anything similar.

VC: In the top spheres, maybe... but I haven't heard of projects like that either.

RM: In fact the search engine and the signatures are the same for all the products. It is difficult to expect the industry to split engines or signatures to detect different sample files such as the EICAR.

[Image: EICAR antivirus test]
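The point RM makes above, that the same engine and signature serve both the workstation and the mail gateway, can be seen in the EICAR rule itself. The following is an added illustration, not code from NOD32, ESET or NAUTOPIA: it applies the EICAR standard's matching rule (68-byte string at the start, at most 128 bytes, only whitespace after it) to a file on disk and to the decoded attachment of a constructed e-mail, which is what a perimeter scanner has to do before it can "remove" the file.

```python
"""EICAR test-file check (added example; not NOD32 or ESET code)."""
import email
from email.message import EmailMessage

# The official 68-byte EICAR test string; '\\' is a single backslash.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_MAX_LEN = 128                 # the standard caps the whole file here
_TRAILING_OK = b" \t\r\n\x1a"       # only whitespace/Ctrl-Z may follow


def is_eicar_test_file(data: bytes) -> bool:
    """True only when *data* is a valid EICAR test file per the standard.

    The string must open the file, the file must not exceed 128 bytes, and
    anything after the string must be whitespace.  Case matters.
    """
    if len(data) > EICAR_MAX_LEN:
        return False
    if not data.startswith(EICAR_SIGNATURE):
        return False
    tail = data[len(EICAR_SIGNATURE):]
    return all(b in _TRAILING_OK for b in tail)


def scan(data: bytes) -> str:
    """Mimic a scanner verdict for one file."""
    return "EICAR-Test-File" if is_eicar_test_file(data) else "clean"


def eicar_in_message(raw: bytes) -> list:
    """Filenames of MIME parts that decode to an EICAR test file.

    A mail gateway never sees the bare 68 bytes: they arrive base64-encoded
    inside a message, so each part is decoded first and then checked with
    exactly the same rule a workstation scanner uses on a file.
    """
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None and is_eicar_test_file(payload):
            hits.append(part.get_filename() or "<inline>")
    return hits


def build_sample_message() -> bytes:
    """Constructed sample mail carrying the test file as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "EICAR test"
    msg.set_content("Attached is the EICAR test file.")
    msg.add_attachment(EICAR_SIGNATURE + b"\n", maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan(EICAR_SIGNATURE + b"\r\n"))          # EICAR-Test-File
    raw = build_sample_message()
    print(scan(raw))                                # clean: not a bare file
    print(eicar_in_message(raw))                    # ['eicar.com']
```

The whole message is "clean" as a file because it neither starts with the string nor fits in 128 bytes; only the decoded attachment matches, which is why a gateway must unpack MIME before applying the signature.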

 

8. Do you plan to implement firewalls, similar to other companies' multifunction suites?

RM: Some day in the future, probably yes, but we work on improving the antivirus and don't scatter resources across different products. Every day we have new programmers in the company and it is probable that we will create a new team for firewalls, but not now.

VC: In this case, and with Richard's permission, I should mention that Ontinet.com is offering NOD32 + OUTPOST PRO "bundles" at reduced prices for the purchase of both products, as well as discounts for NOD32 users who buy OUTPOST PRO and vice versa.

 

9. In our nautópata/nautópica community there are some people who are experts in intrusion prevention and in detecting vulnerabilities present in systems.

Idoru/David FM (David Fernández Madrid) is programming a firewall. He keeps in mind the common deficiencies of Windows software firewalls, among them that they don't operate as stateful firewalls, unlike LINUX's IPTABLES or the disappointing VISNETIC on Windows. He wants to ask you some questions:

David FM: Signatures, detection of unknown hostile code chunks, runtime analysis: as one of the main developers of NOD32, which of these techniques do you think can be ported to next-generation firewalls to prevent our services from being exploited with hostile executable code? Is NOD32 planning something about it beyond what has already been done?

[Image: SSM System Safety Monitor]

SSM System Safety Monitor, to prevent "DLL injection" on Windows.

 

RM: How can unknown hostile code chunks be detected efficiently? If you can detect that code, a way to fight against your algorithm can surely be found.

The idea that you can fight against something that you know, against worms that send themselves through the Internet, against backdoors that wait for outgoing calls to delete files or execute code, is one thing; but with vulnerabilities in general it is difficult, it is another thing, because every time it is not the same; nobody knows what problems Apache or IIS have.

It seems to me it is a bit different. Of course something can be prepared. You can look for similarities among attacks and look for algorithms to fight against that kind of attack, but I don't believe something generic enough to solve this problem can be created.

 

VC: Richard, but you work on detecting viruses that we don't know about before they appear, even ones using infection techniques that have not been used before, by means of the advanced heuristics, and you do this very well. Why is this different with firewalls?

RM: The heuristics can be effective against badware that reproduces itself, but always based on techniques related to the operating system, registry changes, etc. Whereas as far as an unknown vulnerability in an OS, IIS, etc. is concerned, the firewall cannot be prepared to avoid it. You can prepare something general.

The problem is that I don't work with firewalls, so I can't answer well. Without knowing the problem deeply, it is just talk for talk's sake without saying anything clever.

[Image: KERIO 2.1.5 "maty" rules]

Kerio 2.1.5 firewall with the "maty" rules proposed by NAUTOPIA

 

10. What kind of relationship do you have with Virus Bulletin?

RM: An official relationship. We always see Virus Bulletin's staff during the VB conferences and we talk to them, but no more than other antivirus companies do. We believe they do their work very well, we have great respect for their job, and sometimes we publish articles in their magazine or give presentations at conferences, exactly like the other companies.

 

11. Why do you believe that other companies decided not to take part in the VB tests again? As is the case of the Spanish PANDA, which left after their bad results, reporting the lack of seriousness of the tests, adulterated by SOPHOS.

RM: I believe that PANDA is probably the only important company that doesn't present itself to VB, and you can see that SOPHOS doesn't have the best results. I believe that the tests are more serious than any other tests that I know.

MATY: The Peruvian antivirus PER (Jorge Machado) doesn't present itself either.

RM: I have never heard about PER antivirus.

MATY: http://www.nautopia.org/enlaces_seguridad.htm

 

12. In Spanish computer magazines, NOD32 is usually among the worst whereas PANDA is among the first. What do you think this is due to?

VC: The magazine Computer Hoy, January issue (nº 139), shows a comparison: Panda 1st and 3rd, NOD32 6th of 9.

RM: I know neither the magazines nor the test. If I don't know how they do it, how can I comment on the results?

MATY: We ask because it is something we have been reporting from NAUTOPIA since the beginning.

Nobody has bothered to ask us at Ontinet.com which are the best command-line options or the scanner's options to detect viruses; nobody has ever asked what we recommend users turn on or turn off, and absolutely all the detection tests are made using the scanner, not modules like IMON.

The scanner has the advanced heuristics option, which is never used in the magazines' comparisons, and remember that a lot of viruses are not added because they are already detected by means of AH, which skews the detection statistics.

I am never going to understand how Virus Bulletin shows that NOD32 has never failed to detect virus samples, not even one in the last 4 years, whereas for zoo collection detection the Spanish comparisons put us 6th of 9.

[Image: SCANNER module of the NOD32 v2 antivirus]

NOD32 Scanner and NOD32 for DOS: parameters to operate from the command line

 

When I began to distribute AVP in Spain in October 1996 nobody took any notice of me. No one, absolutely nobody.

Nobody knew the program. Nobody included it in the comparisons. It took me 2 years for somebody to accept a sample of the program to analyse; two years.

The same is happening with NOD32 now. If you read the Computer Hoy comparison that I mentioned, it says that neither Kaspersky nor NOD32 include an encyclopaedia.

Kaspersky has viruslist.com and NOD32 enciclopediavirus.com (yes, JavaScript included).

Is that serious? Not for me.

[Image: IMON detects a bug]

 

13. Piracy: We have read about the most ingenious tricks to be able to use this antivirus illegally. Wouldn't it be better to make a free version of NOD with fewer features, as Grisoft or Alwil do?

RM: You can put that question to Anton at the next SIMO d:^)

 

14. Work habits (whether he works normal hours or at night), his workplace (at home, in an office). Does he have bosses who pressure him? Flextime?

RM: I have flextime but I try to work normal hours because it is difficult to work without resting properly. I try to work at my company's office (my own room). I have my own office with a bed, a guitar, wall bars, so I can relax or think about what I am going to do next, but sometimes I can work at home or here in Ontinet. I don't really have problems with my bosses. If the work I do is good there is no reason to pressure me.

 

15. Projects outside work... or do you not touch the computer when you leave work?

RM: I like my job, but programming is my job, not my hobby. I don't use the computer at home if it is not necessary because I have some hobbies, like going to the gym, playing the guitar or travelling whenever I have the chance and time.

 

16. What do you think about the proposal made by NAUTOPIA to create a safe and anonymous net?

VC: He doesn't know.

MATY: http://www.nautopia.org/lssice_dia12/enrique_martin.htm. When he reads it, he could send me an e-mail so I can include his opinion in the interview.

VC: I was explaining the proposal to him; I will print it so he can read it.

RM: I will answer in a very general way. I like the idea of anonymity because it is good if everyone can express his opinion without having problems with governments and so on, but personally I don't believe it will be possible to create a really safe net. Maybe that net could be safer than the Internet is now, but I don't believe we will be able to say that it is a 100% safe net.

VC: I remind you that he hasn't read the proposal.

MATY: But safer than the current one? Yes, and IT'S FEASIBLE.

 

17. What is your personal opinion about the security of Microsoft's products?

RM: I believe that Microsoft's products are more or less as secure as anyone else's, but Microsoft is so strong and so many people use its programs that crackers and virus makers try to attack them because it is more effective due to the number of users.

VC: On our website and in the virus encyclopaedia there is an exchange of ideas about this between Anton Zajac and Bill Gates at a meeting in Bratislava a few weeks ago.

RM: I believe that there are products that are very good and others that should be much better, such as Outlook for instance.

 

18. And to finish, what is your opinion about Microsoft's mail program?

RM: I think that Outlook Express is much better than Outlook. They are very different and I can't comment on them as a single product but as two different ones.

MATY: Do you recommend using an alternative mail program?

RM: For example, Outlook Express now has the option of reading e-mail as text only. I believe that is something it should have had since the beginning.

Unfortunately I don't know The Bat!, for instance, or others, so it is difficult to comment. It is possible they are better security-wise than Outlook, but I don't really know.

[Image: A now-harmless bug in THE BAT!]

 

MATY: We have arrived at the end of the interview at last. The two and a half hours chatting through FILETOPIA have been very instructive for our community and have clarified a lot of things.

We look forward to meeting in person, maybe at a new edition of SIMO, or who knows, at some seminar or congress on computer security organized by NAUTOPIA with the support of the DIPUTACIÓ de TARRAGONA and OASI/TINET.

VC: We are going to keep inviting him to SIMO. If he can come, it will be an honour to have Richard on one side and NAUTOPIA on the other side of the same table.

 

- THE END -

 


ANNEX

 

1. Photography

Interviewees: Vicente Coll and Richard Marko (enjoying an Alicante-style paella). Interviewer: maty (invited along with wolffete to the paella feast, but he made do with his usual diet: galletitas/cookies, for lack of calçots)

- Vicente Coll -                            - Richard Marko -                    - maty -        

 

2. Notes about the interview

  • The interview took place on Friday 20th February 2004. The initial questionnaire had 17 questions.

  • We were talking for almost 3 hours in a FILETOPIA private chat (the interview lasted more than 2 hours).

[Image]

Two logs: maty's connection drops, "suffering" from ISP Wanadoo.

18:58| Private chat started on Friday, 20 February 2004, at 06:58 PM (from Nautopia)

19:23| MATY> We asked several nautópatas and the participants of the OT list of the GDUTB, which supports THE BAT! mail client, to send us questions. We have tried to put together a compendium of them.

[ body of the interview and "off the record" conversation ]

21:43| VicenteColl> RM: Thank you very much and until next time.
21:43| VicenteColl> ciao
21:44| MATY> bye
21:44| <<<<< Has left: VicenteColl
21:44| <<<<< Has left: MATY

  • We asked some nautópatas and the users of the OT list of the GDUTB, which supports THE BAT! email client, to send us questions. We have tried to make a good mix of them.

  • The interview was in Spanish, a language that Richard Marko is studying; this is the reason for his two-week stay in Ontinyent/Ontinent (Alicante/Alacant province, Comunidad Valenciana, Spain).

  • Participants: Richard Marko (RM), Vicente Coll (VC) and maty.

 

3. People who sent questions

-=ToÑo.!=-, Alex Bergonzini, dabo, daexma, daredevil/jorgeph2001, Enrique Martin (support), Fabian J. González Berger, idoru/David FM, marcelo.ar, wolffete and maty

 

4. Some questions received with the interview already finished

  • Why are the strings used to detect viral specimens so weak that in several cases changing only one bit of the viral specimen means they can't detect it?

  • Do you believe that the big losses that companies suffer from computer viruses could be solved by educating end users?

  • If all companies educated their users, and there were a governmental plan, even in schools, aimed at knowledge of the PC, do you think the AVers would continue to exist?

  • How do you explain this new technique of source dropping (leaving the source code) used by one of Mydoom's mutations? Do you believe there could be an avalanche of mutations?

  • And what about the follow-up by other VXers using this technique to overflow the system? If this technique were used by a lot of people, do you think the VXers would obtain their innocence in the case they were captured?

  • Have there been negotiations or approaches by the different AVers to unify the names of viral specimens? Maybe they are planned for the future?

  • What is your opinion of the vxtraders?

  • If NOD32 is the best antivirus on the market, which would be the second?

  • Why aren't antivirus companies giving spyware the importance it has? Would it be impossible to make a good antivirus-trojan-spyware program? If there is enough time, ask about the W32.rajoy.pif vaccine.

 

5. Self-Criticism

After the interview, we can take note of some shortcomings:

  • Little data about the extent of IMON's filtering.

  • Little information about the code analysis implemented in firewalls. More re-questions were lacking.

  • Some images of new features about to be implemented.

  • A generic question about heuristics was not raised, with which Richard Marko (RM) could have expanded on the subject he specializes in.

  

[Image: Paella: Is that yellow stuff edible? d:^)]

To eat or not to eat paella,

that's the question. d:^)

 

 


 
 

 

 
 

NAUTOPIA.org © Copyleft 2004