MCHE Version 2 Update
- Comments: 4
- Written on: May 1st, 2007
First, I will apologize in advance that it has been so long since my last MCHE update. Things are going very well on the MCHE development, albeit a bit past due. The program was set for a February release, but on the eve of that release some advanced testing revealed that, under certain conditions, the MCHE was deleting valid files and data from our test computers.
What Was The Problem
We could not let the MCHE out the door in that condition. With some work we found that the program was doing what it was supposed to do; the trouble is that so many spyware infections use files named the same as Windows files that it can be hard to tell them apart. Obviously we want to delete an explorer.exe that is a spyware file, but not the explorer.exe that belongs to Windows.
What Caused the Problem
Initially we hoped to maintain a “whitelist” of hashes for files we knew were legitimate, thereby ensuring that they would never be deleted by the MCHE. We are still using this approach as a component of our false-detection prevention; however, on its own it was simply not enough.
In a mere 24 hours, one of our cron computers (set up to download every conceivable update automatically and add them to the hash database) received more than 50 new program hashes.
Because there are so many whitelisted programs out there that happen to bear the same file names as spyware infections, the algorithm we were using (name on spyware list + name not on whitelist + name not on local exclusions list = remove infection) was not cutting it.
What Did You Do to Fix The Problem
We had to retool the scanning algorithm to be pickier about the pattern matching for spyware detections. We modified the formula to: file name on blacklist + file hash on blacklist + hash NOT on whitelist + hash not on local exclusions list = remove spyware.
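To make the difference between the two formulas concrete, here is an added example (not MCHE's own code) that runs both decision rules over a constructed set of four explorer.exe files. It assumes the whitelist and local exclusions are hash sets, as the “whitelist of hashes” description above suggests, and it includes a freshly patched legitimate file whose hash has not reached the whitelist yet, which is the lag the post describes.

```python
import hashlib
from typing import Callable, Dict, List, Set

# Constructed sample "files" standing in for bytes read from disk.
FILES: Dict[str, bytes] = {
    r"C:\Windows\explorer.exe":      b"explorer.exe, known-good build (constructed)",
    r"C:\Windows\Temp\explorer.exe": b"explorer.exe, just-patched build (constructed)",
    r"C:\Temp\explorer.exe":         b"explorer.exe, spyware impostor (constructed)",
    r"C:\Tools\explorer.exe":        b"explorer.exe, user-trusted custom build (constructed)",
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Lists as described in the post; every entry is constructed for this demo.
NAME_BLACKLIST: Set[str] = {"explorer.exe"}
HASH_BLACKLIST: Set[str] = {sha1_hex(FILES[r"C:\Temp\explorer.exe"])}
HASH_WHITELIST: Set[str] = {sha1_hex(FILES[r"C:\Windows\explorer.exe"])}
LOCAL_EXCLUSIONS: Set[str] = {sha1_hex(FILES[r"C:\Tools\explorer.exe"])}
# The just-patched build is on no list at all yet: that is the
# "50 new hashes in 24 hours" lag that made the whitelist insufficient.

Rule = Callable[[str, str], bool]

def old_rule(name: str, digest: str) -> bool:
    """Original logic: blacklisted name, hash not whitelisted or excluded."""
    return (name in NAME_BLACKLIST
            and digest not in HASH_WHITELIST
            and digest not in LOCAL_EXCLUSIONS)

def new_rule(name: str, digest: str) -> bool:
    """Retooled logic: the file's hash itself must also be on the blacklist."""
    return (name in NAME_BLACKLIST
            and digest in HASH_BLACKLIST
            and digest not in HASH_WHITELIST
            and digest not in LOCAL_EXCLUSIONS)

def scan(rule: Rule) -> List[str]:
    """Return the paths a rule would delete, sorted for stable comparison."""
    hits = []
    for path, data in FILES.items():
        name = path.rsplit("\\", 1)[-1].lower()
        if rule(name, sha1_hex(data)):
            hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    print("old rule deletes:", scan(old_rule))  # also the just-patched legit file
    print("new rule deletes:", scan(new_rule))  # only the spyware impostor
```

The cost of the new rule is visible in the block too: a spyware variant whose hash is not yet on the blacklist is left alone, which is why the blacklist must be kept current.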
Obviously, building a list of hashes for known malware infections is a LOT more time-consuming than building a list of safe hashes, and we are now testing that new matching algorithm. If it passes testing OK, we are ready to go. If not, then that is exactly why I have stopped posting firm release dates.
Stay tuned for additional updates this week as the program progresses through testing.