
Kaspersky Lab or here and there ...

Today, two news items about Kaspersky Lab appeared on the Internet: one positive, as always, and the other negative, as always.

First story:
Kaspersky Lab has patented five information security technologies in Russia. The patents were registered by the Federal Service for Intellectual Property, Patents and Trademarks (Rospatent).

Upd: a response from Kaspersky Lab employees has appeared.

Patent number 2,363,045 describes a new method of disinfecting a computer from malicious programs that actively resist removal. The method, authored by Mikhail Pavlyushchik, makes it possible to identify a malicious program that runs several copies in different processes on the same machine, to block the copies from reactivating one another, and to remove them completely from permanent storage and RAM.

Patent number 2,363,047 describes a technology for detecting text and spam in raster images. The technology, developed by Evgeny Smirnov, does not require machine recognition of graphic images and ensures fast and highly accurate detection of unwanted messages in images. The method is resistant to spamming techniques such as rotating the text or writing it in a wave, splitting it into frames and lines, and adding various noise elements.

Patent number 85,249 describes a hardware antivirus designed to disinfect computer systems infected with malware. The main function of the antivirus is to prevent the spread of malicious programs by filtering data arriving at external storage devices. The author of the patented antivirus is Oleg Zaitsev.

Rospatent also issued Kaspersky Lab patent number 85,247 for a method of identifying spam using lexical vectors. The method, authored by Andrei Kalinin, makes it possible to find spam in e-mail messages effectively by analyzing their vocabulary and computing lexical vectors.

Kaspersky Lab also received patent number 85,248 for a technology for managing software product license keys. The technology optimizes the management of license keys with a variable expiration date when the number of computers on which the licensed program is installed changes. The technology's authors are a group of Kaspersky Lab experts: Alexey Kalgin, Andrei Kulagi, Damir Shiyafetdinov, Andrei Kazachkov, Stefan Le Hire, Philip Bodmer and Demjém M. Billy.

“It is important to understand that a patent is a monopoly on the technology described in it, which is a direct prohibition on third parties using it without the permission of the rights holder. In Russia there is no patent case law yet, nor a patent court itself, but soon, when all this appears, it will be very important for a manufacturing company to have protection for its technologies, which is why Kaspersky Lab patents its innovative solutions in Russia,” comments Nadezhda Kashchenko, head of the company's intellectual property management department, on obtaining the patents.

According to a company representative, patent offices in various countries are currently considering more than three dozen Kaspersky Lab patent applications describing unique innovative technologies in the field of information security.

The second story is about competitors' findings in the new Kaspersky Internet Security 2010 line:
The Sandbox technology (“sandbox”, or Green Zone, “safe environment”), which first appeared in the integrated Kaspersky Internet Security 2010 solution (antivirus, antispam, protection against attacks), attracted the close attention of Kaspersky Lab's competitors. Recall that Sandbox allows suspicious programs and websites to be run in an isolated virtual space.

“We could not refrain from testing our colleagues' technology,” say Doctor Web representatives. “Since the idea of sandboxes is not new and quite a few anti-virus companies have had similar developments for a long time, and also because our anti-virus laboratory constantly conducts research in this area, such information is naturally of great interest to us.”

“For the first test, the FAR file manager was placed in the sandbox and launched,” Doctor Web describes its experiment. “Then four exploits for vulnerabilities in the Windows operating system were taken from the Web. The malicious files were not detected by KIS (neither the heuristics nor HIPS fired) and were allowed to run. As a result, all the exploits accomplished their mission (transition to OS kernel mode), while the sandbox did not accomplish its own, as evidenced by the Windows blue screen of death (BSoD). The operating system suffered unconditional damage.”

In another test, the ability to isolate file system changes within the Green Zone was checked. “Ordinary file operations did not affect the operation of the main system,” Doctor Web continues. “But by changing the standard file name syntax to its equivalent via a network redirector (as the Win32.Ntldrbot virus did, for example), you can get full access to the system outside the sandbox and the ability to modify critical objects. Thus a simple two-line batch file (bat) easily deletes the file c:\ntldr, which renders the entire system inoperable after a reboot.”

Thus, according to Doctor Web representatives, the Green Zone in fact does not guarantee at all that malicious programs cannot harm the operating system and user files, as was announced when KIS 2010 was launched.
And here you sit and wonder which is better: everything new that the developer is preparing for us, or developers updating the old?

And here is the answer from one of the employees of Kas

Today CNews published a piece called “Hacked the Sandbox.” As follows from the text, Kaspersky Lab stated that it would not comment on the competitor's actions.

On my own behalf, I'll say that in decent society the generally accepted rules of ethics are: first send notification of a discovered vulnerability to the vendor, get a reply from them, possibly have it fixed, and only then release the information to the public.
That some comrades from DrWeb have not cared about ethics for a long time, we remember (cranking out exploits for our web antivirus with Mr. Smooth's hands; since then, by the way, 3 (?) or 4 (?) years have passed, and DrWeb still does not have a solution with similar functionality, which is telling: breaking, not building), so none of this surprises me much.
Therefore, as was said: no comments. Just one story. One of…
Its results are here. And how it happened is under the cut.

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 2:26 PM
Subject: drweb and CreateProcess

Hello!
Found a funny and at the same time serious bug at the coolest Averfs))

Their bug is misuse of the CreateProcess function.

They have something like this:
.data
CommandLine db "C:\Program Files\DrWeb\drwebupw.exe", 0
CommandLine2 db "C:\Program Files\DrWeb\drwebupw.exe /go", 0
.code
_start:
invoke CreateProcess, offset CommandLine, offset CommandLine2, ...
Which is not right :)

As a result, if there is a file C:\Program.exe, it will be launched :)
As soon as it starts updating, our file is launched in addition to the update :). And until the Program.exe process finishes, the updates will not be installed :)
This is true for version 4.44.

In version 5 they partially fixed this bug (it's just that the parameters are not passed), but when installing updates drwreg.exe -check is run and again C:\Program.exe is launched.

The bug is fire :)
From: Alexander Gostev
Sent: Tuesday, June 16, 2009 2:29 PM

Well, will you write them a vulnerability notification?

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 3:19 PM

I don't even want to write anything to them at all :) With such an attitude towards the tests on AM and Sharov's statements like that on syius, I can send their current F)

I'll send them a note about the problem and that we'll publish it if they don't fix it within a week.

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 4:01 PM

OK.
And where to send it, do you know?

From: Alexander Gostev
Sent: Tuesday, June 16, 2009 4:05 PM

Which address? It should be listed on their website :)

From: Vasily Berdnikov
Sent: Tuesday, June 16, 2009 5:04 PM

They really don't have an email address where one could send a letter about a bug :)

Now I've tracked it down, here's the bug:

0107F4C0 0042B96B /CALL to CreateProcessA from drwebupw.0042B965
0107F4C4 00000000 |ModuleFileName = NULL
0107F4C8 00D0A650 |CommandLine = "C:\Program Files\DrWeb\drwreg.exe -check"
0107F4CC 00000000 |pProcessSecurity = NULL
0107F4D0 00000000 |pThreadSecurity = NULL
0107F4D4 00000000 |InheritHandles = FALSE
0107F4D8 00000000 |CreationFlags = 0
0107F4DC 00000000 |pEnvironment = NULL
0107F4E0 003F4CE8 |CurrentDir = "C:\Program Files\DrWeb\"
0107F4E4 0107F510 |pStartupInfo = 0107F510
0107F4E8 0107F500 \pProcessInfo = 0107F500

That is, I had made a bit of a mistake earlier: visually it looked as if the bug was in creating the drwebupw.exe process, but it turned out to be in the updater itself creating the drwreg.exe process. That doesn't change the substance, though.

From: Alexander Gostev
Sent: Tuesday, June 16, 2009 5:33 PM

So write to the well-known ones:
support@
vms@

+ possibly (common in the industry for such cases):
security@
vulnerability@

On July 2, after more than two weeks, DrWeb released a patch fixing this vulnerability. (end of the Kaspersky Lab employee's response)
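To make the CreateProcess issue in the thread above concrete for anyone auditing their own updaters, services or scheduled tasks, here is an added illustration (not DrWeb or Kaspersky code) of the documented module-name search order Windows applies when lpApplicationName is NULL and the command line's path is unquoted. The DrWeb paths come from the e-mails; the set of "existing" files is constructed for the demo.

```python
from typing import List, Optional, Set

# Added illustration of the CreateProcess module-name search order; not
# DrWeb or Kaspersky code.  Paths are taken from the thread above, the
# file set used in the demo is constructed.

def _with_exe(name: str) -> str:
    # CreateProcess appends .exe when the module name has no extension.
    last = name.rsplit("\\", 1)[-1]
    return name if "." in last else name + ".exe"

def _prefixes(command_line: str) -> List[str]:
    """Raw module-name prefixes in the order Windows tries them when
    lpApplicationName is NULL: a quoted first token gives exactly one,
    an unquoted token is extended one space-delimited word at a time."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    words = s.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]

def createprocess_candidates(command_line: str) -> List[str]:
    """Executables probed, in order.  For the updater's unquoted line
    'C:\\Program Files\\DrWeb\\drwreg.exe -check' C:\\Program.exe comes first."""
    return [_with_exe(p) for p in _prefixes(command_line)]

def exposed_paths(command_line: str) -> List[str]:
    """Candidates probed *before* the executable the caller meant (the
    longest prefix that explicitly names an .exe).  Non-empty means a
    foreign file at one of these paths runs instead; quoting fixes it."""
    raw = _prefixes(command_line)
    named = [i for i, p in enumerate(raw) if p.casefold().endswith(".exe")]
    intended = named[-1] if named else len(raw) - 1
    return [_with_exe(p) for p in raw[:intended]]

def resolve(command_line: str, existing_files: Set[str]) -> Optional[str]:
    """First candidate present on the (case-insensitive) file system."""
    present = {p.casefold() for p in existing_files}
    for cand in createprocess_candidates(command_line):
        if cand.casefold() in present:
            return cand
    return None

def quoted(path: str, args: str = "") -> str:
    """Build the command line the way the updater should have: quoted."""
    return f'"{path}" {args}'.strip()

if __name__ == "__main__":
    fs = {r"C:\Program.exe", r"C:\Program Files\DrWeb\drwreg.exe"}  # constructed
    bad = r"C:\Program Files\DrWeb\drwreg.exe -check"
    print(exposed_paths(bad))  # ['C:\\Program.exe']
    print(resolve(bad, fs))    # C:\Program.exe, i.e. the wrong binary
    print(resolve(quoted(r"C:\Program Files\DrWeb\drwreg.exe", "-check"), fs))
```

Run `exposed_paths` over the command lines you pull from service ImagePath values or task definitions; any non-empty result is the same class of bug Berdnikov found.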

And my personal opinion: this is not an answer but simply pointing at other people's errors.
There is not a word about how and what will be done to fix it, or what a user of KIS version 10 should do right now (as, for example, in the Google article in which they admitted their mistakes and explained why it all happened).

Source: https://habr.com/ru/post/68463/
