False positive?

Icarus Media

F95 Comedian
Donor
Game Developer
Jun 19, 2019
*put on his "I'm a wise elder" clothes*

Precisely, we were all new once, whatever this "new" applies to. And newbs, there are a lot of them on this part of the forum. It's where most of those who know nothing come when they face a problem; sometimes they don't even know that they should ask somewhere else.
What would you have done in their place, knowing next to nothing about those magical boxes named "computer", when seeing someone with shiny badges give what seems to be a solution to your problem?

I'm not complaining, and will even less press the other r-button, it would be hypocritical. But I really think that some kind of warning, not too obvious, would have been better. Most of those who would follow what was written would also not have a single clue how to fix the new issue; and now there's no way to ask for help.

*quickly remove those uncomfortable clothes*

And please, don't force me to wear them again, they make me feel old and even more grumpy than I already am.
Sorry Grandma, I'll be a good boy now.
 

Losersriot

Well-Known Member
Jul 7, 2021
A virus is not a file, it is a few bytes of a file, and that is only as long as the file is never opened. After that, the virus exists EXCLUSIVELY in RAM, and only writes itself to disk when the laptop is switched off. When the laptop is switched on, the virus deletes all traces of itself from the hard drive. Therefore, it is useless to scan the hard disk.
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Respected User
Donor
Jun 10, 2017
A virus is not a file, it is a few bytes of a file, and that is only as long as the file is never opened. After that, the virus exists EXCLUSIVELY in RAM, and only writes itself to disk when the laptop is switched off. When the laptop is switched on, the virus deletes all traces of itself from the hard drive. Therefore, it is useless to scan the hard disk.
I guess that it explains why, in movies, when their computers are under attack they always solve it by pulling the power plug. This way the virus has no way to know that the computer is turned off, and so can't save itself to the hard drive, which makes it totally disappear... :WaitWhat::FacePalm:


More seriously, there's so much wrong in the so few lines you wrote. And by "so much" I mean everything.

While it's true that viruses mostly exist in RAM, they also, and before everything else, spread themselves by infecting as many executables as possible, and they stay inside them. This also applies to simple malware, as well as to the most complex worm.
It's why the historical method used by anti-viruses is to identify a signature, that is a part of the binary code significant to a given threat and expected to be unique to it. But of course, with the proliferation of threats and the constantly increasing number of software, this uniqueness can't be guaranteed, which explains the false positives that sometimes happen. Note that, while anti-viruses now rely on behavior analysis, the use of signatures is still a thing. Despite the false positives, it stays a reliable and fast detection method.
It's also why anti-viruses have cleaning features and disk scanners. Removing a threat from RAM does not mean that your computer is now threat free. A copy can still be in this software that you only use twice a year, patiently waiting for you to run the said software, in order to infect your computer again.
 
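The signature method described in the post above, as an added example that is not part of this thread: a small byte-pattern scanner run over constructed samples. The signature names, the byte patterns and the two sample "files" are all made up for the example. The second signature is deliberately a string found in the DOS stub of almost every Windows executable, so it fires on the clean sample too, which is exactly the false-positive problem the post describes. The stream scanner also shows the chunk-boundary handling a disk scanner needs so a pattern split across two reads is not missed.

```python
import io
from dataclasses import dataclass

# Constructed signature database for this example. The names and byte patterns
# are made up; they are not real anti-virus signatures.
SIGNATURES = {
    # Fairly specific: two NOPs, a short jump, then a marker string.
    "Demo.Marker.A": b"\x90\x90\xeb\x0bDEMOPAYLOAD",
    # Deliberately weak: this string sits in the DOS stub of almost every
    # Windows executable, so it also hits clean files (a false positive).
    "Demo.WeakSig.B": b"This program cannot be run in DOS mode",
}


@dataclass(frozen=True, order=True)
class Match:
    offset: int
    name: str


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list[Match]:
    """Return every (offset, signature) hit in data, sorted by offset."""
    hits = []
    for name, pattern in signatures.items():
        idx = data.find(pattern)
        while idx != -1:
            hits.append(Match(idx, name))
            idx = data.find(pattern, idx + 1)
    return sorted(hits)


def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096) -> list[Match]:
    """Scan a file-like object chunk by chunk. The last (longest pattern - 1)
    bytes of each window are carried into the next one, so a pattern that
    straddles a chunk boundary is still found; a set removes the duplicate
    hits the overlap would otherwise produce."""
    overlap = max(len(p) for p in signatures.values()) - 1
    seen = set()
    carry, base = b"", 0          # base: absolute file offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        for m in scan_bytes(window, signatures):
            seen.add(Match(base + m.offset, m.name))
        keep = min(overlap, len(window))
        base += len(window) - keep
        carry = window[len(window) - keep:]
    return sorted(seen)


def scan_in_chunks(data: bytes, chunk_size: int) -> list[Match]:
    """Convenience wrapper: run the chunked scanner over an in-memory buffer."""
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)


def clean_corpus_hits(signatures, clean_samples) -> dict[str, int]:
    """Count, per signature, how many known-clean samples it fires on. Anything
    non-zero is too common to be unique and will produce false positives."""
    counts = {name: 0 for name in signatures}
    for sample in clean_samples:
        for name in {m.name for m in scan_bytes(sample, signatures)}:
            counts[name] += 1
    return counts


# Constructed samples (not real binaries): a clean PE-like file and an
# "infected" one that carries the marker pattern at offset 89.
DOS_STUB = b"This program cannot be run in DOS mode"
CLEAN_PE_LIKE = b"MZ\x90\x00\x03\x00" + b"\x00" * 26 + DOS_STUB + b"\r\n$" + b"\x00" * 40
INFECTED = (b"MZ\x90\x00" + b"\x00" * 30 + DOS_STUB + b"A" * 17
            + SIGNATURES["Demo.Marker.A"] + b"\x00" * 9)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PE_LIKE), ("infected", INFECTED)):
        print(label, scan_bytes(sample))
    print("stream (7-byte chunks):", scan_in_chunks(INFECTED, 7))
    print("clean-corpus hits:", clean_corpus_hits(SIGNATURES, [CLEAN_PE_LIKE]))
```

The clean sample trips only the weak signature, the infected one trips both, and the chunked scan with a 7-byte read size finds the same offsets as the whole-buffer scan. `clean_corpus_hits` is the check a signature author runs before shipping a pattern: a signature that matches anything in a known-clean corpus is not unique enough and should be lengthened or replaced.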

Icarus Media

F95 Comedian
Donor
Game Developer
Jun 19, 2019
A copy can still be in this software that you only use twice a year, patiently waiting for you to run the said software, in order to infect your computer again.
So don't do what Winterfire was talking about and download Milfy City? Seems to have a virus that drains people's money.
 

Carpe Stultus

Engaged Member
Sep 30, 2018
I guess that it explains why, in movies, when their computers are under attack they always solve it by pulling the power plug. This way the virus has no way to know that the computer is turned off, and so can't save itself to the hard drive, which makes it totally disappear... :WaitWhat::FacePalm:


More seriously, there's so much wrong in the so few lines you wrote. And by "so much" I mean everything.

While it's true that viruses mostly exist in RAM, they also, and before everything else, spread themselves by infecting as many executables as possible, and they stay inside them. This also applies to simple malware, as well as to the most complex worm.
It's why the historical method used by anti-viruses is to identify a signature, that is a part of the binary code significant to a given threat and expected to be unique to it. But of course, with the proliferation of threats and the constantly increasing number of software, this uniqueness can't be guaranteed, which explains the false positives that sometimes happen. Note that, while anti-viruses now rely on behavior analysis, the use of signatures is still a thing. Despite the false positives, it stays a reliable and fast detection method.
It's also why anti-viruses have cleaning features and disk scanners. Removing a threat from RAM does not mean that your computer is now threat free. A copy can still be in this software that you only use twice a year, patiently waiting for you to run the said software, in order to infect your computer again.
Telling others not to force you to wear the "wise elder's clothes" again, and yet you put them on again all by yourself. It would seem you don't dislike them as much as you say. :sneaky:
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Respected User
Donor
Jun 10, 2017
Telling others not to force you to wear the "wise elder's clothes" again, and yet you put them on again all by yourself. It would seem you don't dislike them as much as you say. :sneaky:
Is it a way to subtly tell me that it isn't the clothes but my old age? :cry: :p
 

Losersriot

Well-Known Member
Jul 7, 2021
I guess that it explains why, in movies, when their computers are under attack they always solve it by pulling the power plug. This way the virus has no way to know that the computer is turned off, and so can't save itself to the hard drive, which makes it totally disappear... :WaitWhat::FacePalm:
Your HDD is not the only place to store information on the WWW. The network worm does not need your HDD, it has its own HDD somewhere on the WEB. Where your computer's address is stored as well. :HideThePain:
 

anne O'nymous

I'm not grumpy, I'm just coded that way.
Modder
Respected User
Donor
Jun 10, 2017
Your HDD is not the only place to store information on the WWW. The network worm does not need your HDD, it has its own HDD somewhere on the WEB. Where your computer's address is stored as well. :HideThePain:
And once again, so much wrong in what you said.

[Note: I haven't done network and security admin work for a bit more than a decade, so be indulgent.]
The World Wide Web is just a part of the Internet. One of the many protocols that can be used over it, and the least likely to be used by worms since, client side (your side), it does not accept incoming connections. It's used to spread viruses and malware, but it only exceptionally spreads worms.
No, worms are spread through the many other protocols. Mostly through (e-mails), like the well known , but it's far from being the only way. For example, was targeting the OS directly through its own network sharing capabilities, while was relying on five different methods, including backdoors left by other worms. And obviously there are the worms that aren't explicitly designed to target personal computers, like for example , or not designed to target them at all, like the more recent, because I'm not just an old fuck, .

After all, between the servers (direct or indirect like or ) and , there are more "stand alone" computers connected to the Internet than there are personal computers connected to it. And for them you can be sure that they will be up 24/7, while having a static IP address. Since they are also remotely administered, sometimes by people who don't have a single clue about what they are doing, you've more chance of passing unnoticed in too big a part of them.
Since they are in constant use, it's also more difficult to quickly clean them. I don't remember what worm it was (perhaps ILOVEYOU, but no guarantee), but I remember one that was so virulent that it led to a worldwide network load near 99% for nearly five hours. It was in the mid 00's, a time when the whole network was only exceptionally facing a 50% load. Yet most ISPs were doing their share; less than 30 minutes after the start of the attack (because it was an attack against the network), my ISP was already dropping all incoming infected e-mails. To give you an idea of the spreading speed of this worm, I received nearly a hundred of those e-mails on my main address... yes, in less than 30 minutes; that makes an average of one every ~15 seconds just for one e-mail address.
Plus, with high speed internet connections, individuals are more likely to be connected through a "one to many" box and not through the good old "one to one" modem. Therefore there's a layer, and incoming connections are less likely to reach a destination; unless badly configured, the box will not know to which computer it should forward the connection and therefore it will simply drop it. /!\ WARNING /!\ this does not exempt you from using an IP filter (a firewall), it just adds a layer to the security of your computer(s) if the box is correctly configured.

So, in a way it's not false to say that worms don't need our hard drives. But it's the same for any threat, including malware and viruses. Before reaching our computer, they were located somewhere else; a somewhere that sometimes happens to be a network server.
But it's totally wrong the way you present it, because no, the worms you get are not located on a server somewhere on the network, waiting for you to go back online to infest your RAM once again. And, of course, even less located on their own server.
It would be so easy to stop a worm if that were the case. Each corresponding to a network communication contains both the emitter and receiver IP addresses. And since worms are bigger than the average , the emitter IP address can't be ; else the receiver wouldn't be able to ask for the next packet and the worm wouldn't be sent entirely. This means that it just needs one competent admin to know which server hosts the worm. Starting there, in less than one hour all routers around the world would be reconfigured to just drop any packets coming from this server, stopping the infection for good. It would also put pressure on the admin of the said server, since his server would be totally isolated from the network until he can prove that he cleaned it.

So, yeah, you should stop trying to talk about worms, viruses, malwares, and probably also more globally about computer security.


Hmm... Yeah, I know, I must have a thing for those clothes...
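The point above about every packet carrying both addresses, and routers being reconfigured to drop traffic from one source, as an added example that is mine and not part of the thread: the code decodes the fixed IPv4 header (RFC 791 layout and checksum), pulls out the source and destination addresses, and applies a drop-by-source rule to a handful of constructed datagrams. The addresses come from the RFC 5737 documentation ranges, and the traffic and blocklist are made up for the example.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # RFC 791 fixed header: 20 bytes, no options


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum over 16-bit words. Over a header whose checksum
    field is already filled in, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 datagram (constructed test traffic, not a capture)."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a router looks at; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len}


def is_valid_ipv4(packet: bytes) -> bool:
    """True when the header parses and its checksum verifies."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


def filter_by_source(packets, blocked_sources):
    """The router rule from the post: drop every datagram whose source address
    falls in a blocked network, plus anything that fails to parse.
    Returns (forwarded, dropped); dropped entries carry the reason."""
    blocked = [ipaddress.ip_network(n) for n in blocked_sources]
    forwarded, dropped = [], []
    for pkt in packets:
        try:
            hdr = parse_ipv4(pkt)
        except ValueError as err:
            dropped.append({"reason": str(err)})
            continue
        src = ipaddress.ip_address(hdr["src"])
        if any(src in net for net in blocked):
            dropped.append({"reason": "blocked source", **hdr})
        else:
            forwarded.append(hdr)
    return forwarded, dropped


# Constructed traffic using RFC 5737 documentation addresses.
TRAFFIC = [
    build_ipv4("203.0.113.7", "192.0.2.10", b"payload-1"),     # from the host being blocked
    build_ipv4("198.51.100.20", "192.0.2.10", b"payload-2"),   # legitimate sender
    b"\x45\x00\x00\x10bad",                                     # truncated garbage
]
BLOCKLIST = ["203.0.113.0/24"]   # constructed: the network hosting the worm in this scenario


if __name__ == "__main__":
    forwarded, dropped = filter_by_source(TRAFFIC, BLOCKLIST)
    print("forwarded:", forwarded)
    print("dropped:", dropped)
```

The rule trusts the source field exactly as written in the header; the post's reasoning for why that field has to be genuine for a transfer that spans several packets is in the text above. Verifying the header checksum before looking at the addresses is a small but real part of the check: a corrupted header should be discarded, not routed.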