Though probably their customers are mainly corporate "intranet" environments where users open random content with Acrobat, Office etc., and the high bit is to just halve (1) the daily mass malware infections - which are not AV-focused yet.
(1) or whatever the average AV detection rate is these days.
A/Vs are largely attack vectors; a huge number of malware already tries to detect if an A/V is present and then uses it to get SYSTEM-level privilege fairly easily.
The number of actually good A/Vs is low and in my opinion, simply use Microsoft Defender on Windows. For 0-days its detection rate is, to my knowledge, not significantly worse than any other A/V, and unlike other products they properly integrate into the system and don't disable almost all security measures of the kernel like ASLR and friends so they can inject some garbage DLL into any process.
The best protection for the intranet customer is training and regular software updates. For the average user it's to tighten up security, lock them out and then run regular updates.
Also, top AV are better at catching viruses and have less performance impact than Defender.
https://www.av-comparatives.org/tests/performance-test-april... (Recent Defender has the most impact on system performance on all AV tested)
Obviously, it's up to you to choose between:
* Using Defender and suffering the worst system performance impact of all AVs
* Not using AV, but with a higher risk of catching viruses
* Using third-party AV with better detection and less performance impact, but risking opening new vulnerabilities on your system.
Here's a bug found by Project Zero. The researcher had trouble getting the test case to Microsoft because Defender was running on their middleware boxes and would automatically scan it and die from the exploit test case.
Defender has some advantages, notably not disabling security settings like ASLR or injecting DLLs.
It feels like grade-school collective punishment because the office dope is watching anime porn on sketchy sites on the office subnet.
According to the OP, F-Secure paid them a bug bounty.
The LGPL makes it perfectly legal for the closed-source antivirus component to not load any 7zip .so binary that is not signed by the antivirus vendor, of a known hash, or so on... and the code loading said shared-object need not be available or modifiable, just the code for the vulnerable .so they do ship.
Specifically, if forcing to sign a package with a different key (making it a different package) for private purposes is enough, or if the redistribution rights of the whole is required.
Finally, if you cannot replace the software because of code signing and no public debug mode, that seems incompatible too...
7-zip is licensed under LGPLv2.1. "do not restrict" is not a string that appears in v2.1. The entire second part you quoted was added in version 3.
However, F-Secure applies several patches to harden 7-Zip and to fix bugs that are not yet fixed in the public 7-Zip version. So it is not clear whether it is always such a good idea to do this.
massage the heap (what heap, where)
F-Secure: an antivirus
RAR: an ancient archival format
ASLR: address space layout randomization, a system which loads code at unpredictable locations to make exploits harder to write (as you don't know where to jump)
ROP chain: Return Oriented Programming. A way to circumvent non-executable memory protection and ASLR by manipulating the call stack to jump into existing executable code segments (called gadgets) and chain them together as each returns to the next.
RarVM: an ill-conceived mechanism allowing code to be embedded in RAR archives.