Reply to post: The Participant Observer Problem

I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims

Ken Moorhouse

The Participant Observer Problem

>What I don't understand is how it is possible to misidentify a proper Windows system file. Surely MS can provide something like SHA256 hash values of every legitimate build they have released in the last decade or so?<

Yes, but the ultimate pwn is a rootkit that can simulate the calculation of clean hashes. If this arrived on the machine before the AV engine could detect it, then it would be difficult if not impossible to detect subsequently using an in situ scan. The AV engine would be relying on a corrupt source of information when checking file signatures.
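To make the point above concrete, here is an added illustration (not the commenter's code, and not modelled on any real rootkit): a scanner that hashes a system file through the live operating system's file API, compared against the same check run on bytes read out of band. The file names, contents and the `Disk` / `CleanOS` / `RootkitOS` classes are constructed for this example; the "rootkit" simply hooks the read path and hands back pristine bytes, which is indistinguishable, from the scanner's side, from hooking the hash routine itself.

```python
"""Added example: an in-situ hash check versus an out-of-band one when a
rootkit sits below the scanner.  All names and sample data are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a legitimate system file and a backdoored copy.
CLEAN_BYTES = b"MZ\x90\x00 legitimate system file, build 1.0"
TAMPERED_BYTES = b"MZ\x90\x00 legitimate system file, build 1.0\x00implant"

# Vendor-style catalog of known-good hashes (what the quoted question asks for).
KNOWN_GOOD = {"system.dll": sha256(CLEAN_BYTES)}


class Disk:
    """What is physically stored.  read_raw() stands in for reading the
    block device from outside the running OS (boot media, forensic image)."""

    def __init__(self, files: dict[str, bytes]):
        self.files = dict(files)

    def read_raw(self, name: str) -> bytes:
        return self.files[name]


class CleanOS:
    """Normal file API: hands the scanner exactly what is on disk."""

    def __init__(self, disk: Disk):
        self.disk = disk

    def read(self, name: str) -> bytes:
        return self.disk.read_raw(name)


class RootkitOS(CleanOS):
    """File API hooked by a rootkit that installed before the scanner.
    Any read of a protected file returns the pristine bytes it stashed,
    so every hash computed through this path matches the catalog."""

    def __init__(self, disk: Disk, stashed: dict[str, bytes]):
        super().__init__(disk)
        self.stashed = stashed

    def read(self, name: str) -> bytes:
        if name in self.stashed:
            return self.stashed[name]
        return super().read(name)


def in_situ_check(os_api: CleanOS, name: str) -> bool:
    """AV-style check run inside the live system: trusts the OS read path."""
    return sha256(os_api.read(name)) == KNOWN_GOOD[name]


def offline_check(disk: Disk, name: str) -> bool:
    """Same hash comparison, but over bytes read without the live OS."""
    return sha256(disk.read_raw(name)) == KNOWN_GOOD[name]


def run_scenario() -> dict[str, bool]:
    """Tampered file on disk; report what each style of check concludes."""
    disk = Disk({"system.dll": TAMPERED_BYTES})
    hooked = RootkitOS(disk, {"system.dll": CLEAN_BYTES})
    return {
        "clean_os_in_situ": in_situ_check(CleanOS(disk), "system.dll"),
        "rootkit_in_situ": in_situ_check(hooked, "system.dll"),
        "offline": offline_check(disk, "system.dll"),
    }


if __name__ == "__main__":
    for label, ok in run_scenario().items():
        print(f"{label:18s} {'passes' if ok else 'FAILS'} the hash check")
```

Only the hooked in-situ run reports the tampered file as clean; the honest in-situ read and the offline read both flag it. The catalog of hashes is fine; what it cannot fix is a scanner whose only view of the file goes through code the attacker already controls, which is why an out-of-band read (boot media, a mounted image, or a hardware-measured boot chain) is the check a practitioner reaches for.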
