SlideShare una empresa de Scribd logo

Failure Of Antivirus

A
amarnath

The document summarizes the limitations of signature-based anti-virus software. It notes that anti-virus software relies on virus signatures but new viruses are constantly emerging. Retrospective testing shows that anti-virus software is often only able to detect a small percentage of new, zero-day threats even when the software is up-to-date. The document questions the methodology of some anti-virus software testing and advocates for improved testing standards and techniques.

TecnologíaEducación
1 de 16
Descargar para leer sin conexión
The Failure of Anti-Virus Software (?) Prepared By: Robert W. Beggs, CISSP CISA 25 OCtober 2006 Slide 1 © DigitalDefence, Inc. 2006
Introduction • Robert Beggs, CISSP, CISA - 15+ years experience in Information Security - Military, biomedical research, consulting, financial services background • DigitalDefence - 9-1-1 for Data Security Incidents - Focus on providing incident management services (prevent, detect, respond) - Target Canadian enterprises Slide 2
State of the Nation … •100,000 – 180,000 viruses believed to exist “in the wild” •“Infinite amount” in virus zoos •At least 250 new malware programs (worms, Trojans, spyware, hacker tools) released per day •To stop them, we use AV software … Slide 3
http://www.gfi.com/documents/rv/msecpcmag04.pdf Slide 4
State of the Nation … •AV software is primarily signature-based – examines software for the “signature” of a known virus •It’s worked for 20 years, right? Slide 5
Limitations of Signature-Based Scanners • No common definition of “malware” • Collections of malware biased according to collection method; no common repository • Signatures reactive; out of date • Attackers write code to beat top AV software • “Queen Bots” (Paul Vixie and David Dagon, BH06) - Repacks bot with new key, multiple packers - Dead / random code (“polymorphism”) - Automated randomization of signatures •Is this really a problem? Slide 6
7 Day Analysis (Virustotal.com) Uses 20+ AV engines to analyze suspect malware Slide 7
Issues #2 – Response Times (http://www.gfi.com/whitepapers/why-one-virus-engine-is-not-enough.pdf) hours ! e e = 49 McAff Slide 8
The Consumers Report Test (2006) • Created 5,500 new virus variants derived from six categories of known viruses, “the kind you’d most likely encounter in real life” • We infected our lab computer with each of 185 of them to see whether the products could better detect viruses that were actively executing, based on their behavior • Scanned more than 100,000 clean files (false positives) • The AV industry freaked! Slide 9
Consumer Reports Redux … • Ethics and morality of “creating a virus” • Created 5500 viruses, used 185 per test bed – the same 185? (consistent methodology problem) • Consumer Reports tested antispyware applications – but they did not test against any spyware for their antispyware testing - Instead, their entire test of antispyware applications was based on running applications against Spycar, a set of applications that mimic spyware behavior (http://sunbeltblog.blogspot.com/2006/08/consumer-reports-testing-scandal-its_25.html) Slide 10
So, How Do You Test AV Software? • On-demand testing • NOTE: Due to copyright restrictions, data from AV Comparatives is NOT presented directly in this report • For the most current data, go to: http://www.av-comparatives.org/ Slide 11
But How Do We Detect New Viruses? • Retrospective testing • Take AV software that’s up-to-date; make an image on a defined OS platform • Lock the image away for 3 months (“yesterday”) • Take it out (“today”) and reinstall image • Test it against malware that is current “today” • The % detection = how good “yesterday’s” AV software was at detecting zero day threats • No need to write new viruses! Slide 12
Let’s Try Retrospective Testing … • NOTE: Due to copyright restrictions, data from AV Comparatives is NOT presented directly in this report • For the most current data, go to: http://www.av-comparatives.org/ • You will find that the virus detecting ability drops from 90%+ to as low as 7% when you perform this testing AV software based on signature recognition is not very good at detecting zero-day malware! Slide 13
References • www.virusbtn.com • www.av-comparatives.org - Review their methodology, and results - When I post this presentation, will only link to their data • www.wildlist.og - The viruses that are really spreading in the wild • http://www.av-test.org/ - Cross-reference of virus names used by vendors • http://www.mcafee.com/common/media/vil/pdf/imuttik_VB_c onf_2001.pdf - Good overview of testing methodologies, failure of using incomplete testing sets Slide 14
The Canadian Information Security Newsletter • FREE information to Information Security and Privacy specialists • Canadian-focused • Provides information on: - Upcoming events, conferences - Feature articles, items of interest - Canadian security and privacy news items • Subscribe at: - www.digitaldefence.casubscribe Slide 15
Contact Slide 16

Recomendados

Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Programbugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programsbugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTEDbugcrowd
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueAlexander Leonov
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Programbugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programsbugcrowd
 

Recomendados

Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Programbugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programsbugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTEDbugcrowd
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueAlexander Leonov
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Programbugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programsbugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Testbugcrowd
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Scott Brown
 
Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus Intelligence
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Healthbugcrowd
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1TECHNOLOGY CONTROL CO.
 
SunbeltLabs Quarterly Briefing Malware Unmasked
SunbeltLabs Quarterly Briefing Malware UnmaskedSunbeltLabs Quarterly Briefing Malware Unmasked
SunbeltLabs Quarterly Briefing Malware Unmaskednicholaskeuning
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Equifax Breach Postmortem
Equifax Breach PostmortemEquifax Breach Postmortem
Equifax Breach PostmortemAdrian Sanabria
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101FINOS
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongDevSecCon
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Avc report25
Avc report25Avc report25
Avc report25Era Brown
 

Más contenido relacionado

La actualidad más candente

Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Testbugcrowd
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Scott Brown
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Healthbugcrowd
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
SunbeltLabs Quarterly Briefing Malware Unmasked
SunbeltLabs Quarterly Briefing Malware UnmaskedSunbeltLabs Quarterly Briefing Malware Unmasked
SunbeltLabs Quarterly Briefing Malware Unmaskednicholaskeuning
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Equifax Breach Postmortem
Equifax Breach PostmortemEquifax Breach Postmortem
Equifax Breach PostmortemAdrian Sanabria
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101FINOS
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongDevSecCon
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 

La actualidad más candente (19)

Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2
 
Exodus intel slideshare 2019
Exodus intel slideshare 2019Exodus intel slideshare 2019
Exodus intel slideshare 2019
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Health
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1
 
SunbeltLabs Quarterly Briefing Malware Unmasked
SunbeltLabs Quarterly Briefing Malware UnmaskedSunbeltLabs Quarterly Briefing Malware Unmasked
SunbeltLabs Quarterly Briefing Malware Unmasked
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open Source
 
Equifax Breach Postmortem
Equifax Breach PostmortemEquifax Breach Postmortem
Equifax Breach Postmortem
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline Wong
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 

Similar a Failure Of Antivirus

Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Avc report25
Avc report25Avc report25
Avc report25Era Brown
 
Malware Removal Test OCT 2009
Malware Removal Test OCT 2009Malware Removal Test OCT 2009
Malware Removal Test OCT 2009Kim Jensen
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Eoin Keary
 
Assessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsAssessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsImperva
 
Hii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsHii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsAnatoliy Tkachev
 
Bringing Patch Management to Spiceworks
Bringing Patch Management to SpiceworksBringing Patch Management to Spiceworks
Bringing Patch Management to SpiceworksSpiceworks
 
Limbtec Computer Security Presentation
Limbtec Computer Security PresentationLimbtec Computer Security Presentation
Limbtec Computer Security Presentationlimbtec
 
Cybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to KnowCybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to KnowKaseya
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011WASecurity
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 

Similar a Failure Of Antivirus (20)

Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Avc report25
Avc report25Avc report25
Avc report25
 
Avc Report25
Avc Report25Avc Report25
Avc Report25
 
Malware Removal Test OCT 2009
Malware Removal Test OCT 2009Malware Removal Test OCT 2009
Malware Removal Test OCT 2009
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...
 
Assessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus SolutionsAssessing the Effectiveness of Antivirus Solutions
Assessing the Effectiveness of Antivirus Solutions
 
Hii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutionsHii assessing the_effectiveness_of_antivirus_solutions
Hii assessing the_effectiveness_of_antivirus_solutions
 
Bringing Patch Management to Spiceworks
Bringing Patch Management to SpiceworksBringing Patch Management to Spiceworks
Bringing Patch Management to Spiceworks
 
Limbtec Computer Security Presentation
Limbtec Computer Security PresentationLimbtec Computer Security Presentation
Limbtec Computer Security Presentation
 
Cybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to KnowCybercrime Threats in 2012 - What You Need to Know
Cybercrime Threats in 2012 - What You Need to Know
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011IT Vulnerability & Tools Watch 2011
IT Vulnerability & Tools Watch 2011
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 

Último

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Failure Of Antivirus

  • 1. The Failure of Anti-Virus Software (?) Prepared By: Robert W. Beggs, CISSP CISA 25 OCtober 2006 Slide 1 © DigitalDefence, Inc. 2006
  • 2. Introduction • Robert Beggs, CISSP, CISA - 15+ years experience in Information Security - Military, biomedical research, consulting, financial services background • DigitalDefence - 9-1-1 for Data Security Incidents - Focus on providing incident management services (prevent, detect, respond) - Target Canadian enterprises Slide 2
  • 3. State of the Nation … •100,000 – 180,000 viruses believed to exist “in the wild” •“Infinite amount” in virus zoos •At least 250 new malware programs (worms, Trojans, spyware, hacker tools) released per day •To stop them, we use AV software … Slide 3
  • 5. State of the Nation … •AV software is primarily signature-based – examines software for the “signature” of a known virus •It’s worked for 20 years, right? Slide 5
  • 6. Limitations of Signature-Based Scanners • No common definition of “malware” • Collections of malware biased according to collection method; no common repository • Signatures reactive; out of date • Attackers write code to beat top AV software • “Queen Bots” (Paul Vixie and David Dagon, BH06) - Repacks bot with new key, multiple packers - Dead / random code (“polymorphism”) - Automated randomization of signatures •Is this really a problem? Slide 6
  • 7. 7 Day Analysis (Virustotal.com) Uses 20+ AV engines to analyze suspect malware Slide 7
  • 8. Issues #2 – Response Times (http://www.gfi.com/whitepapers/why-one-virus-engine-is-not-enough.pdf) hours ! e e = 49 McAff Slide 8
  • 9. The Consumers Report Test (2006) • Created 5,500 new virus variants derived from six categories of known viruses, “the kind you’d most likely encounter in real life” • We infected our lab computer with each of 185 of them to see whether the products could better detect viruses that were actively executing, based on their behavior • Scanned more than 100,000 clean files (false positives) • The AV industry freaked! Slide 9
  • 10. Consumer Reports Redux … • Ethics and morality of “creating a virus” • Created 5500 viruses, used 185 per test bed – the same 185? (consistent methodology problem) • Consumer Reports tested antispyware applications – but they did not test against any spyware for their antispyware testing - Instead, their entire test of antispyware applications was based on running applications against Spycar, a set of applications that mimic spyware behavior (http://sunbeltblog.blogspot.com/2006/08/consumer-reports-testing-scandal-its_25.html) Slide 10
  • 11. So, How Do You Test AV Software? • On-demand testing • NOTE: Due to copyright restrictions, data from AV Comparatives is NOT presented directly in this report • For the most current data, go to: http://www.av-comparatives.org/ Slide 11
  • 12. But How Do We Detect New Viruses? • Retrospective testing • Take AV software that’s up-to-date; make an image on a defined OS platform • Lock the image away for 3 months (“yesterday”) • Take it out (“today”) and reinstall image • Test it against malware that is current “today” • The % detection = how good “yesterday’s” AV software was at detecting zero day threats • No need to write new viruses! Slide 12
  • 13. Let’s Try Retrospective Testing … • NOTE: Due to copyright restrictions, data from AV Comparatives is NOT presented directly in this report • For the most current data, go to: http://www.av-comparatives.org/ • You will find that the virus detecting ability drops from 90%+ to as low as 7% when you perform this testing AV software based on signature recognition is not very good at detecting zero-day malware! Slide 13
  • 14. References • www.virusbtn.com • www.av-comparatives.org - Review their methodology, and results - When I post this presentation, will only link to their data • www.wildlist.og - The viruses that are really spreading in the wild • http://www.av-test.org/ - Cross-reference of virus names used by vendors • http://www.mcafee.com/common/media/vil/pdf/imuttik_VB_c onf_2001.pdf - Good overview of testing methodologies, failure of using incomplete testing sets Slide 14
  • 15. The Canadian Information Security Newsletter • FREE information to Information Security and Privacy specialists • Canadian-focused • Provides information on: - Upcoming events, conferences - Feature articles, items of interest - Canadian security and privacy news items • Subscribe at: - www.digitaldefence.casubscribe Slide 15
  • 16. Contact Slide 16