Metascan Multi-scanning Technology

The evolving threat landscape, why multi-scanning is needed, and OPSWAT's Metascan technology

Published in: Technology
  • 1 min
  • Outline:
      • <why multiscanning> Growth of malware; more engines are better than 1; outbreaks; vulnerabilities in engines
      • <technology overview of Metascan> What is Metascan; why use Metascan; current feature set
      • <different implementations of Metascan> Out-of-box solution: MDTA; demo (local box with wireless access point); endpoint client (MD4SA); demo of MD4SA
      • <managing Metascan> Introduction to the management station
  • registers over 55,000 new malicious programs every day.
  • Green is zero hour detection; yellow is 2 min to 5 days; red is more than 5 days.
  • Taken from the National Vulnerability Database. Number of CVEs found with a search of ‘antivirus’; results were from various AV products.
  • What is Metascan Online? It is just a slightly customized version of Metascan. Of course, it is not all of Metascan, so let's dig in further to learn more about Metascan. Metascan is a multiscanning solution with different layers and various APIs which overcome the challenge of using multiple antivirus products. Flexible integration options range from low-level integration to out-of-box solutions such as a slightly modified version of Metascan.
  • Metascan Multi-scanning Technology

    1. Metascan® Multi-scanning Technology. Tony Berning, Product, March 2013
    2. Agenda
       • Introduction to Multi-scanning
       • The evolving threat landscape
       • Why multi-scanning?
       • Metascan
       • Additional uses of Metascan
       • Getting started with Metascan
    3. The Evolving Threat Landscape: From hacking for fun to cracking for profit
    4. The Evolving Threat Landscape
       Timeline: Virus/Worm Era, Spyware and Adware, E-Crime, Cyber warfare… (1998, 2002, 2006, 2010, 2012)
       Motivation:
       • 15 minutes of fame
       • Borderline legal ways of making money
       • Make money fast
       • Attacks by exploiting Stuxnet, DuQu and Flame
       • Cyber warfare
       Opportunity:
       • Improved connectivity
       • Increase in users, web traffic & searches
       • More time on Facebook, Twitter and YouTube
       • Easier to find personal details -> used to infiltrate organizations
       Methods:
       • Quiet attacks
       • Primary vectors web & mobile
       • Phishing attacks focused on specific sites
       • Targeted attacks
    5. The problem: Too much malware, insufficient detection
    6. The Problem: Insufficient Detection by any one Anti-Malware Product
       The rapid growth in the amount of malware continues to accelerate: over 130,000 new malicious programs appear every day. No AV vendor can keep up with the number of new malware variants.
       “Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.” (source URL truncated on the slide: on/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity)
    7. The Solution: Multiple Anti-Malware Engines
    8. Why Use Multiple Anti-Malware Engines?
       • Increase malware zero hour detection rates
       • Decrease malware detection time after an outbreak
       • Increase resiliency to anti-malware engines’ vulnerabilities
    9. The Solution: Every engine misses something
       No anti-malware product is perfect, but together they have a greater rate of detection due to their unique features.
       [Figure: Engine 1 Detection Rate, Engine 2 Detection Rate, 100%]
    10. Improve Detection Using Multiple Anti-Malware Engines
        This graph shows the time between malware outbreak and detection by six anti-malware engines for 75 outbreaks over three months. No vendor detects every outbreak. Only by combining six engines in a multi-scanning solution are outbreaks detected quickly. By adding additional engines, zero hour detection rates increase further.
        [Graph legend: Zero hour detection; 5 min to 5 days; No detection at 5 days. * Source:]
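The argument slide 10 makes, as an added Python example (not code from the deck or from OPSWAT's product): for each outbreak the multi-scanning detection delay is the earliest detection among the engines, and delays are bucketed into the slide's three legend categories so per-engine counts can be compared with the combined result. Engine names A-D, the five sample outbreaks and their delays are constructed data; the five-minute zero-hour cutoff and the five-day window are assumed from the legend.

```python
"""Added example: earliest-detection-across-engines on constructed outbreak data."""
from collections import Counter

# Detection delay in hours after the outbreak, per engine; None means the
# engine had not detected the sample within the 5-day window.
# Constructed sample data, not the deck's measured figures.
OUTBREAKS = {
    "outbreak-01": {"A": 0.0,   "B": 2.0,  "C": None, "D": 30.0},
    "outbreak-02": {"A": None,  "B": 0.0,  "C": 0.0,  "D": 12.0},
    "outbreak-03": {"A": 48.0,  "B": None, "C": 0.05, "D": None},
    "outbreak-04": {"A": None,  "B": None, "C": None, "D": 0.0},
    "outbreak-05": {"A": 150.0, "B": None, "C": None, "D": None},
}
ENGINES = ("A", "B", "C", "D")
WINDOW_HOURS = 5 * 24          # legend: "no detection at 5 days"
ZERO_HOUR_HOURS = 5 / 60       # assumed cutoff: legend's "5 min" boundary


def classify(hours):
    """Bucket one detection delay the way the slide 10 legend does."""
    if hours is None or hours > WINDOW_HOURS:
        return "no detection at 5 days"
    if hours <= ZERO_HOUR_HOURS:
        return "zero hour"
    return "5 min to 5 days"


def combined_delay(results):
    """Multi-scanning delay: the earliest detection among all engines."""
    seen = [h for h in results.values() if h is not None]
    return min(seen) if seen else None


def summarize(outbreaks, engines):
    """Count outbreaks per bucket for each single engine and for the union."""
    summary = {e: Counter() for e in engines}
    summary["combined"] = Counter()
    for results in outbreaks.values():
        for e in engines:
            summary[e][classify(results.get(e))] += 1
        summary["combined"][classify(combined_delay(results))] += 1
    return summary


if __name__ == "__main__":
    for name, counts in summarize(OUTBREAKS, ENGINES).items():
        print(f"{name:>8}: {dict(counts)}")
```

With the constructed data no single engine reaches zero-hour detection on more than two of the five outbreaks, while the combined result does so on four; the remaining outbreak stays undetected by every engine, which is the "no vendor detects every outbreak" caveat the slide states.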
    11. Multiple Engines Increase Resiliency to Anti-Malware Engine Vulnerabilities
        Anti-malware product vulnerabilities from the National Vulnerability Database.
        [Bar chart: Number of Vulnerabilities in Antivirus products [CVEs], 0 to 70, by Year, 2005 to 2012]
    12. Metascan: Multi-scanning solution
    13. What is Metascan? Multi-scanning engine
        A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture.
        • Supports 0 to 30 anti-malware engines [and growing!]
        • Simultaneously scans files with all engines
        • Scans directories, files, archives, buffers, and boot sector
        • Automatic online definition updates or manual offline updates
    14. What is Metascan? Multi-scanning engine
        Flexible and scalable API-driven solution
        • Many programming interfaces: C++, Java, PHP, C#/ASP.NET, RESTful (Web API)/HTTP, CLI [command line interface]
        • Analyzes files locally on a single server or remotely accesses files from Windows, Macintosh, or Linux systems
    15. Metascan: Who uses Metascan?
        Analysts who research threats in binaries
        • CERTs (Computer Emergency Response/Readiness Teams)
        • Government agencies
        • Federal and State law enforcement agencies
        • Computer forensic analysts
        IT security managers who seek to control data flow
        • Files from public-facing sharing/upload sites
        • Data moving across internal security domains
        • Detect infected attachments
        Independent software vendors seeking to identify threats in their binaries
        • False positives
        • Accidental infections
    16. Metascan: Standard packages
        Metascan is available in preconfigured packages that include 0-16 embedded engines.
        • Best performance from fully embedded engines
        • Easy to use: engines update automatically or as a single offline package
    17. Metascan: Custom packages
        Create your own custom packages.
        • Add engines to any standard package. For example, create Metascan 20 by adding McAfee, Symantec, Kaspersky and Sophos to the Metascan 16 standard package
        • Pick and choose from our custom engine list to create your own custom package (currently up to 30 engines)
    18. Additional Uses of Metascan
        Metascan Online
        • Online implementation of Metascan with 40+ engines
        • Upload and scan files
        • Lookup by file hash
        • Web interface and REST API
        Metadefender
        • Metascan client that examines the content on physical media such as USB flash drives, CDs and DVDs
        • Available as standalone software or as a physical kiosk
    19. Getting Started with Metascan
        For more information on Metascan and Metadefender go to:
        For a free 30 day trial of Metascan and Metadefender go to:
        If you would like more information about purchasing Metascan or Metadefender, please contact OPSWAT Sales at:
        If you have feedback or questions about Metascan or Metadefender, contact OPSWAT Product Management at: