
[dvd-discuss] Gedanken Experiment - Unix and Norton



> Well that's the question. What is copyrightable in their NAV 
> definition file? The signature of the virus? That's a fact. 

> The definitions file is no more than a listing of virus and 
> signatures for them-a listing of facts this is no more 
> copyrightable than the telephone book.

I wouldn't be so sure of that; it would depend on the nature of
the signatures.  I doubt that the signatures are just checksums,
because some viruses are self-modifying, and some viruses deliberately
alter non-code bytes inside themselves to try and mask themselves 
against pattern matching virus scanners.  The database probably includes
entries based on many different algorithms, and the selection of the
algorithm and matching zones for each virus would be a very creative
process.

For instance:

Say a virus is 800 bytes long.  The virus scanner might initially
scan for bytes 100-180 of the virus, then confirm the hit by checking
bytes 220-242 of the virus.  That would be a conscious decision on 
the part of the database author and could have been made for a 
variety of reasons.  Say, for instance, the previous version of the 
database checked bytes 100-152 of the virus, but someone submitted
a bug report and it turned out that those same bytes coincidentally
occurred in a piece of 1980s freeware, thus triggering a false 
positive.  The virus database could have been updated in any number
of ways -- for instance it might have checked additional bytes 
that were a known part of the freeware program, but known to not be 
part of the virus, in order to suppress the false positive.  Or it
could have checked additional bytes that were known to be part of the
virus.  

I would certainly characterize the process of building a virus matching 
database as a highly creative process.  There are a LOT of creative 
decisions that could potentially go into such a database, not merely
checksums.  It would not be safe to characterize such a database as 
being merely a listing of uncreative facts without knowing a lot about 
the decisions that went into creating it.
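The two-zone matching and the two false-positive fixes sketched in the message above, as an added example that is not part of the original post or of any real scanner. The byte offsets, the "demo-virus" name, the "(c) 1987" marker and both sample byte strings are constructed for the illustration and stand for nothing real.

```python
from dataclasses import dataclass, field

Zone = tuple[int, bytes]  # (offset relative to the start of the virus body, expected bytes)

@dataclass
class Signature:
    name: str
    primary: Zone                                       # zone searched for first
    confirm: list[Zone] = field(default_factory=list)   # zones that must also match
    exclude: list[Zone] = field(default_factory=list)   # zones that must NOT match (known non-virus bytes)

def _zone_matches(data: bytes, base: int, zone: Zone) -> bool:
    off, pat = zone
    return data[base + off: base + off + len(pat)] == pat

def scan(data: bytes, sig: Signature) -> bool:
    """True if the primary zone is found and every confirm/exclude rule holds at that anchor."""
    off, pat = sig.primary
    pos = data.find(pat)
    while pos >= 0:
        base = pos - off  # inferred start of the virus body inside the file
        if (base >= 0
                and all(_zone_matches(data, base, z) for z in sig.confirm)
                and not any(_zone_matches(data, base, z) for z in sig.exclude)):
            return True
        pos = data.find(pat, pos + 1)  # keep looking for another anchor
    return False

# Constructed sample bodies (hypothetical; not real malware and not a real program).
# The "virus" uses only bytes >= 0x80 and the "freeware" only bytes < 0x80, so the
# two can only agree where bytes were deliberately copied across.
def _lcg_bytes(seed: int, n: int, high_bit: bool) -> bytes:
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append(((x >> 16) & 0x7F) | (0x80 if high_bit else 0))
    return bytes(out)

VIRUS = _lcg_bytes(1, 800, True)                 # an 800-byte "virus" body
fw = bytearray(_lcg_bytes(2, 800, False))        # a "1980s freeware" program
fw[300:352] = VIRUS[100:152]                     # coincidentally shares the old 52-byte zone
fw[210:218] = b"(c) 1987"                        # freeware bytes that the virus never has
FREEWARE = bytes(fw)

OLD = Signature("demo-virus v1", primary=(100, VIRUS[100:152]))          # bytes 100-152 only
FIX_EXCLUDE = Signature("demo-virus v2a", primary=OLD.primary,
                        exclude=[(10, b"(c) 1987")])                      # veto on freeware bytes
FIX_CONFIRM = Signature("demo-virus v2b", primary=OLD.primary,
                        confirm=[(220, VIRUS[220:242])])                  # confirm with bytes 220-242

def results() -> dict[str, tuple[bool, bool]]:
    """Per signature: (flags the virus?, flags the freeware?)."""
    return {s.name: (scan(VIRUS, s), scan(FREEWARE, s)) for s in (OLD, FIX_EXCLUDE, FIX_CONFIRM)}
```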