funsec mailing list archives

Re: today in the news


From: Drsolly <drsollyp () drsolly com>
Date: Tue, 25 Jul 2006 22:08:08 +0100 (BST)

On Tue, 25 Jul 2006, Florian Weimer wrote:

* Dude VanWinkle:

"At the point we see it as a CERT, which is very early on -- the most
popular brands of antivirus on the market … have an 80 percent miss
rate. That is not a detection rate that is a miss rate.(")

80% seems fairly low, but it depends on how you count.

If you're writing a commercial malware, then you don't want the most 
popular AV products to detect it with their heuristics. So, you 
deliberately make it so that they don't, and you keep modifying it until 
that's the case. That's why 80% sounds right to me.
 
"So if you are running these pieces of software, eight out of 10
pieces of malicious code are going to get in," said Ingram.

If you've got up-to-date OS patches and your AV software blocks the
most widely used downloaders, the numbers are better.  Of course, it's
still far away from risk-free porn surfing (or ad-clicking--has anyone
noticed ErrorSafe ads on Dilbert?), but I suppose you are unaffected by
significantly more than just 20% of the malware floating around.
 
If you read the original research, they found an 80% non-detection rate 
for new malwares (the heuristics scored 20%), when testing just three AV 
products. Other AV products did a *lot* better.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

