Re: Antivirus- A Corrective Control?

[RobOEM <rd.seclists () gmail com>]

<rant>
Yeah, 'cause that works in real life..

> The biggest is Heuristic Scanning; it's looking for uncommon instructions,

Plz, define uncommon. Like 'uncommon system calls'? Really?

> encryption loops that shouldn't be there, things like that.

Now then, you detect obfuscation. That's a different thing. But then
again, lots of legit programs are obfuscated, packed, whatever, to
make reversing harder (so your shitty commercial secret isn't stolen).

> They then follow rules or set weights (like MX records) to the Application.

You mean spam detection. When spam writers will NEED to become as
skilled as virus writers to have a significative ROI, we'll see how
spam detection works. (protip: It will work with a list of trusted,
restrictive MX servers, which is much like code signing/ I'll only let
you install from trusted sources, isn't it?)

> If a rule is triggered, or the weight gets to high, the AV gets flagged.  This can easily prevent new malware, or a 
> mutation of a current piece of code.

Yeah, you definitively drank the kool aid. This just popped up in my
timeline, might be relevant:
http://www.infosecurity-us.com/view/19995/

TL;DR: Heuristics, while in theory might work, doesn't account for the
wacky ecosystem of totally legit programs that do weird/nasty stuff on
your machine. (Avast even 'heuristically' detects that my iGoogle's
breakpoints.json  file is malware, go figure). If you really think AV
is proactive, pls let me whip up a doc file you'll have to open on
your machine to explain you why it's not.

</rant>

Keep up the hoping,
rob'

On Thu, Aug 11, 2011 at 6:01 PM, Curtis 4syth <curtis () 4syth net> wrote:
> I don't think that's exactly the case.  AV systems can prevent SOME things before it "knows about it" via Signature 
> Update or whatever.
>
> The biggest is Heuristic Scanning; it's looking for uncommon instructions, encryption loops that shouldn't be there, 
> things like that.  They then follow rules or set weights (like MX records) to the Application. If a rule is 
> triggered, or the weight gets to high, the AV gets flagged.  This can easily prevent new malware, or a mutation of a 
> current piece of code.
>
> Curtis
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of gold flake
> Sent: Thursday, August 11, 2011 2:47 AM
> To: Sandeep Cheema
> Cc: security-basics () securityfocus com
> Subject: Re: Antivirus- A Corrective Control?
>
> > My 0.02$
> >
> > Preventive. Corrective would be if the machine has been compromised and the next task is to clean it.  But that's 
> > not how AV behaves ideally. An infected machine can never be cleaned fully but can be prevented completely from 
> > getting infected. If you got an AV in place, it should not get infected at all ( as per vandor's claims atleast
>
>
> I do not think so.  An AV can only play catch-up with the known
> threats and not prevent something it does not know about.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------