The document discusses challenges to traditional antivirus principles from developments in technology, proposes a framework with high granularity processing for an embeddable antivirus engine, and analyzes how the engine, database, and configuration can be improved to address these challenges. It identifies problems with established criteria for detecting viruses and responsibilities for cleanup, and advocates for more adaptive approaches.
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint... (Mike Spaulding)
Signatures are dead! We need to focus on machine learning, artificial intelligence, math models, lions, tigers and bears, Oh My!! - STOP!! - How many times have we heard all these buzzwords at conferences, or our managers saying that solution X will solve all our problems. I don't know about you, but I was tired of listening to the hype and the over-use of these terms that really made no sense.
One thing is true, signatures are dead. Today's malware is created with obfuscation and deception and our opponents do not play fair. Do you blame them? They want to get in. Who needs to rob a bank anymore at gun point when the security door is left open and traps are easy to bypass. Thank you PowerShell! So what's the answer? Is it Next Generation AV or EDR, or is it Security 101? Over the past 5 months, we have invested significant time building a business case for an Endpoint protection system - understanding the problem, creating testing scenarios to evaluate 5 solutions in the market. Over 30,000 pieces of malware were put to the test from our internal private collection, as well as known and unknown samples freely available. With all of the marketing hype, brochureware and buzzwords, it's hard to know what's the real deal. As we talk to colleagues from other companies, one thing is clear, many still struggle with good testing methodologies, what malware to test and how to test their endpoint security.
We will discuss key considerations used in our decision-making process. Testing malware for our company was important, but it was not our only testing criterion. We looked at the ease of installation of the agent, use of their UI, SaaS, on-prem, hybrid, reporting, performance of the agent using different system resources, how much the agent relied on their cloud intelligence compared to on-box performance, PowerShell scenarios, and a variety of other factors. Companies additionally need to take into consideration the cost of any potential new infrastructure, cost per seat, professional services, one-off costs, 1, 2, 3 year terms and other factors. Ultimately, we want to extend our resources to help others in the industry and discuss key differences between the solutions that were evaluated.
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline (Lastline, Inc.)
This document summarizes a presentation given by Dr. Engin Kirda on reacting to advanced cyberattacks in real-time using Lastline's detection platform. The presentation discusses how malware has become more sophisticated, evasive, and targeted. Lastline takes a unique approach to detection by using full system emulation in their sandbox environment, which allows them to detect malware that evades traditional antivirus solutions and virtualized sandboxes. The Lastline platform components work together to analyze suspicious files, correlate events into high-level incidents, share threat intelligence, and help automatically mitigate breaches across an organization's network in real-time.
2013 Toorcon San Diego - Building Custom Android Malware for Penetration Testing (Stephan Chenette)
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android as well as common Android malware techniques and methodologies. From the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party Android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive Labs. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including: Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is in writing research tools for both the offensive and defensive front as well as investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2 (NetSPI)
App Security? There’s a metric for that! (Part 1 of 2)
Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.
Be sure to check out Part 2 of this presentation for a more "Hands On" approach.
http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2
Cansecwest - The Death of AV defence in depth (Thierry Zoller)
The document discusses vulnerabilities in antivirus software. It notes that antivirus software has a large attack surface due to parsing thousands of file formats and being programmed in unmanaged languages. While antivirus vendors claim their software implements defense in depth, the document argues this is not truly the case as the software itself is left unprotected. It provides examples of bypassing antivirus detection by exploiting flaws in how the software parses file formats. The authors advocate that vendors should flag files they cannot fully scan as "unscanned" rather than reporting them as clean.
An Antivirus API for Android Malware Recognition (Fraunhofer AISEC)
In this talk, given at the 8th International Conference on Malicious and Unwanted Software (MALWARE 2013), researchers from Fraunhofer AISEC present their paper "An Antivirus API for Android Malware Recognition".
The proposed API, if added to the main Android distribution or to third-party distributions such as Cyanogenmod, would significantly increase the effectiveness that antivirus software can achieve on Android. Currently, antivirus software on Android is very limited in its capabilities and very easy to circumvent for malware, as demonstrated by our previous work, "On the Effectiveness of Malware Protection on Android: An Evaluation of Android Antivirus Apps" by Rafael Fedler (http://ais.ec/techreport). These platform-based antivirus shortcomings are addressed by the paper presented in this talk.
The document discusses unknown vulnerability management (UVM) which involves detecting vulnerabilities, including zero-days, building defenses, and deploying patches. The UVM process includes attack surface analysis through fuzz testing software, reporting issues found, and mitigating risks through patch verification and IDS rule development. Key challenges are communicating issues without leaks, reproducing bugs easily, and ensuring patches do not introduce new issues.
Native Code Execution Control for Attack Mitigation on Android (Fraunhofer AISEC)
In this talk, researchers from Fraunhofer AISEC demonstrate how Android can be made immune to all current local root exploits. The techniques detailed in this talk significantly raise the hurdles for successful potent attacks on Android devices and strongly limit the capabilities of malware. Currently, any app with Internet access can download code via the network at runtime and execute it, without the user or the system noticing. This includes malicious code such as root exploits. These flaws are addressed by the paper presented in this talk, entitled "Native Code Execution Control for Attack Mitigation on Android". The presentation was given at the 3rd Annual Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'13), co-located with the ACM Conference on Computer and Communications Security 2013 (CCS'13) in Berlin, Germany.
If you are interested in our techreport "On the Effectiveness of Malware Protection on Android", please visit http://ais.ec/techreport
Bh us 11_tsai_pan_weapons_targeted_attack_wp (geeksec80)
This document discusses modern document exploit techniques used in targeted attacks. It begins with background on advanced persistent threats (APTs) and the common use of document exploits in targeted attacks. Recent attacks are described that use hybrid document exploits embedding Flash exploits in Office files. The document outlines future techniques attackers may use, including advanced fuzzing focused on ActionScript Virtual Machine (AVM) instructions, improved just-in-time (JIT) spraying to bypass exploit mitigation technologies, exploiting Flash sandbox policies to leak information, and defeating behavior-based protections by leveraging Windows Management Instrumentation (WMI) and COM objects.
The document summarizes the results of an anti-virus file detection test conducted in March 2013 by AV-Comparatives on 20 antivirus products. It found that G DATA 2013 detected 99.9% of malware files with few false alarms, earning it the top award level. Microsoft Security Essentials detected 92% of malware with very few false alarms. Overall detection rates ranged from 99.9% to 91.2%, and false alarms ranged from 0 to 38 across the tested products. The test aimed to evaluate how well products can distinguish malware from good files through detection rates and false alarm results.
Machine Learning for Malware Classification and Clustering (Ashwini Almad)
1) Machine learning can be used as a replacement for antivirus software by using statistical techniques to learn patterns from large malware datasets.
2) Boosted decision trees are well-suited for malware classification because they perform like a game of 20 questions to maximize discrimination between malware and benign classes.
3) Features used in machine learning models require a balance between complexity, which provides more information but less explainability, and explainability, which provides insights to analysts but may not help classification.
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies (Priyanka Aash)
This document provides an overview of a study on IoT malware. It discusses the challenges of analyzing IoT malware due to platform heterogeneity. It outlines the methodology used, which included collecting malware samples, metadata, and reports. Metadata and surveys of vulnerabilities and malware families are presented. The document describes a sandbox for dynamic analysis of IoT malware and provides example reports. It includes two case studies on the Hydra exploit and issues with metadata. Key takeaways focus on the importance of metadata analysis and improving vulnerability management and defense for IoT security.
Full stack vulnerability management at scale (Eoin Keary)
- Full-stack vulnerability management is needed to address security risks across applications, servers, databases, services, and operating systems. Automation is key to assessing security at scale across the full technology stack.
- While automation can detect many technical vulnerabilities, it cannot assess logical vulnerabilities involving business logic, authorization, or compliance issues that require human judgment and context.
- Continuous vulnerability management is needed to keep pace with today's agile development cycles and constantly changing environments, focusing on changes since the last assessment to prioritize remediation.
AppSec How-To: Achieving Security in DevOps (Checkmarx)
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
Virus Detection Based on the Packet Flow (Antiy Labs)
This document discusses virus detection based on network packet flow. It begins by comparing coarse file name detection used in Snort to higher granularity detection using virus signature strings. It then addresses problems with detecting viruses at the network level versus the file level, such as handling encoded network transmissions and meeting requirements for signature codes. Finally, it proposes using virus detection modules in firewalls and gateways to screen for malware without fully restoring files.
PE Trojan Detection Based on the Assessment of Static File Features (Antiy Labs)
The document discusses using neural networks and static file analysis to detect PE Trojans. It outlines how traditional signature-based detection works and proposes using a neural network model to analyze file features without signatures. The challenges of applying neural networks to the multi-dimensional structure of PE files are described, along with solutions around hierarchical testing and attribute normalization. An experiment showed 90% accuracy on unknown files but a 7% false positive rate on normal files.
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection (Neel Pathak)
The document provides an overview of how anti-virus software works and techniques used to bypass antivirus detection. It discusses how antiviruses use signature-based, heuristic-based, behavioral, and sandboxing techniques to detect malware. It also explains common techniques used to evade detection like packers, splitters, code obfuscation, and injection. The document concludes that while antivirus has improved, virus creators continually develop new methods to bypass protections and that additional security measures are still needed.
Is AV dead or just missing in action - avar2016 (rajeshnikam)
This document discusses whether antivirus (AV) software is dead or just missing in action. It begins by comparing traditional, signature-based AV to next-generation security products that use techniques like threat intelligence and machine learning. The document then debunks common security myths and discusses VirusTotal's role in evaluating next-gen AVs. Results from independent tests of various next-gen security products are presented. The document concludes that while no single product can solve all security issues, the approach to security needs to constantly evolve through layered defenses and beyond just next-gen hype.
Enormous growth and generation of data is happening every day from various sources. The generated data is presented in various formats, i.e., structured, unstructured and semi-structured data, PDFs, docs, CSVs, and raw file formats. Not all of these files are genuine or clean, because they are generated from both identified and unidentified sources. Modern malware is designed with mutation characteristics, meaning it can change its behavior based on the properties of the physical file. The term "malware" is a contraction of "malicious software". The tremendous growth of data is very helpful to malware designers who want to embed malware such as viruses, Trojans, and ransomware in any file. The formation of modern malware poses a variety of challenges to the antivirus industry. In this paper, we introduce a system with a lightweight model to accurately detect malware for industrial use with high accuracy. In it, we identify nine different malware families, such as Ramnit, Lollipop, Kelihos_ver3 and Vundo, on a huge amount of data (0.5 TB) provided by Microsoft.
This document discusses whether antivirus (AV) software is dead or just missing in action. It begins by comparing traditional, signature-based AV to next-generation security products that use techniques like machine learning and threat intelligence. The document then debunks common myths about AV and security technologies. It analyzes results from tests of next-generation security products on services like VirusTotal. The document concludes that while no single product can stop all threats, security defenses continue to evolve beyond traditional AV through layered approaches.
This document provides an overview of computer viruses and anti-virus software. It defines what viruses are and how they spread, describes common types of viruses. It then explains what anti-virus software is, how it works to detect and remove viruses, and lists some popular anti-virus programs. It concludes with a brief history of anti-virus software development from the late 1980s onward.
The quality of the software code shipped in a given product translates not only into its functional quality but also into its non-functional aspects, such as security. Many of the issues in code can be addressed well before they reach source control management (SCM).
This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.
From the OWASP Northern Virginia meeting August 6, 2009.
The document summarizes the limitations of signature-based anti-virus software. It notes that anti-virus software relies on virus signatures but new viruses are constantly emerging. Retrospective testing shows that anti-virus software is often only able to detect a small percentage of new, zero-day threats even when the software is up-to-date. The document questions the methodology of some anti-virus software testing and advocates for improved testing standards and techniques.
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do I actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. This talk will have example attacks and simple config changes that could make all the difference. Devs, infrastructure security, CISOs: come one, come all.
Malware Collection and Analysis via Hardware Virtualization (Tamas K Lengyel)
This document outlines a system for collecting and analyzing malware using hardware virtualization. It discusses using virtualization to meet requirements of scalability, stealth, isolation and fidelity. The system captures over 115,000 malware samples and monitors their system calls and kernel heap allocations. It identifies limitations in using virtualization for analysis and contributions of the work in developing prototypes and identifying requirements that must be addressed. Future work areas are discussed, such as dealing with evolving malware techniques and hardware.
Still wrestling with patching 3rd party applications? We’ll walk you through the new “Latest Software Patches” widget available on Spiceworks and show you what valuable information can be learned about the state of your security. Find out what’s coming in the near future (specifically more patch management functionality built into Spiceworks) and how easy it will be to always keep your IT infrastructure secure.
Native Code Execution Control for Attack Mitigation on AndroidFraunhofer AISEC
In this talk, researchers from Fraunhofer AISEC demonstrate how Android can be made immune against all current local root exploits. The techniques detailed in this talk significantly raise the hurdles for successful potent attacks on Android devices and strongly limit the capabilities of malware. Currently, any app with Internet access can download code via the network at runtime and execute it, without the user or the system noticing. This includes malicious code such as root exploits. These flaws are addressed by the paper presented in this talk, entitled "Native Code Execution Control for Attack Mitigation on Android". The presentation was given at the 3rd Annual Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'13), colocated with the ACM Conference on Computer and Communications Security 2013 (CCS'13) in Berlin, Germany.
If you are interested in our techreport "On the Effectiveness of Malware Protection on Android" please visit http://ais.ec/techreport
Bh us 11_tsai_pan_weapons_targeted_attack_wpgeeksec80
This document discusses modern document exploit techniques used in targeted attacks. It begins with background on advanced persistent threats (APTs) and the common use of document exploits in targeted attacks. Recent attacks are described that use hybrid document exploits embedding Flash exploits in Office files. The document outlines future techniques attackers may use, including advanced fuzzing focused on ActionScript Virtual Machine (AVM) instructions, improved just-in-time (JIT) spraying to bypass exploit mitigation technologies, exploiting Flash sandbox policies to leak information, and defeating behavior-based protections by leveraging Windows Management Instrumentation (WMI) and COM objects.
The document summarizes the results of an anti-virus file detection test conducted in March 2013 by AV-Comparatives on 20 antivirus products. It found that G DATA 2013 detected 99.9% of malware files with few false alarms, earning it the top award level. Microsoft Security Essentials detected 92% of malware with very few false alarms. Overall detection rates ranged from 99.9% to 91.2%, and false alarms ranged from 0 to 38 across the tested products. The test aimed to evaluate how well products can distinguish malware from good files through detection rates and false alarm results.
Machine Learning for Malware Classification and ClusteringAshwini Almad
1) Machine learning can be used as a replacement for antivirus software by using statistical techniques to learn patterns from large malware datasets.
2) Boosted decision trees are well-suited for malware classification because they perform like a game of 20 questions to maximize discrimination between malware and benign classes.
3) Features used in machine learning models require a balance between complexity, which provides more information but less explainability, and explainability, which provides insights to analysts but may not help classification.
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies (Priyanka Aash)
This document provides an overview of a study on IoT malware. It discusses the challenges of analyzing IoT malware due to platform heterogeneity. It outlines the methodology used, which included collecting malware samples, metadata, and reports. Metadata and surveys of vulnerabilities and malware families are presented. The document describes a sandbox for dynamic analysis of IoT malware and provides example reports. It includes two case studies on the Hydra exploit and issues with metadata. Key takeaways focus on the importance of metadata analysis and improving vulnerability management and defense for IoT security.
Full stack vulnerability management at scale (Eoin Keary)
- Full-stack vulnerability management is needed to address security risks across applications, servers, databases, services, and operating systems. Automation is key to assessing security at scale across the full technology stack.
- While automation can detect many technical vulnerabilities, it cannot assess logical vulnerabilities involving business logic, authorization, or compliance issues that require human judgment and context.
- Continuous vulnerability management is needed to keep pace with today's agile development cycles and constantly changing environments, focusing on changes since the last assessment to prioritize remediation.
AppSec How-To: Achieving Security in DevOps (Checkmarx)
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
Virus Detection Based on the Packet Flow (Antiy Labs)
This document discusses virus detection based on network packet flow. It begins by comparing coarse file name detection used in Snort to higher granularity detection using virus signature strings. It then addresses problems with detecting viruses at the network level versus the file level, such as handling encoded network transmissions and meeting requirements for signature codes. Finally, it proposes using virus detection modules in firewalls and gateways to screen for malware without fully restoring files.
PE Trojan Detection Based on the Assessment of Static File Features (Antiy Labs)
The document discusses using neural networks and static file analysis to detect PE Trojans. It outlines how traditional signature-based detection works and proposes using a neural network model to analyze file features without signatures. The challenges of applying neural networks to the multi-dimensional structure of PE files are described, along with solutions around hierarchical testing and attribute normalization. An experiment showed 90% accuracy on unknown files but a 7% false positive rate on normal files.
Anti-virus Mechanisms and Various Ways to Bypass Antivirus Detection (Neel Pathak)
The document provides an overview of how anti-virus software works and techniques used to bypass antivirus detection. It discusses how antiviruses use signature-based, heuristic-based, behavioral, and sandboxing techniques to detect malware. It also explains common techniques used to evade detection like packers, splitters, code obfuscation, and injection. The document concludes that while antivirus has improved, virus creators continually develop new methods to bypass protections and that additional security measures are still needed.
Is AV dead or just missing in action - avar2016 (rajeshnikam)
This document discusses whether antivirus (AV) software is dead or just missing in action. It begins by comparing traditional, signature-based AV to next-generation security products that use techniques like threat intelligence and machine learning. The document then debunks common security myths and discusses VirusTotal's role in evaluating next-gen AVs. Results from independent tests of various next-gen security products are presented. The document concludes that while no single product can solve all security issues, the approach to security needs to constantly evolve through layered defenses and beyond just next-gen hype.
Enormous growth and generation of data is happening every day from various sources. The generated data comes in various formats: structured, unstructured and semi-structured, as PDFs, DOCs, CSVs and raw files. Not all of these files are genuine, since they are generated by both identified and unidentified sources. Modern malware is designed with mutation characteristics, meaning it can change its behavior based on the properties of the physical file. Malware is a contraction of "malicious software". The tremendous growth of data is very helpful to malware designers, who can place malware such as viruses, Trojans and ransomware in any file. The formation of modern malware poses a variety of challenges to the antivirus industry. In this paper, we propose a system with a lightweight model that detects malware with high accuracy for industrial use. We identify nine different malware families (Ramnit, Lollipop, Kelihos_ver3, Vundo, etc.) in a huge amount of data (0.5 TB) provided by Microsoft.
This document discusses whether antivirus (AV) software is dead or just missing in action. It begins by comparing traditional, signature-based AV to next-generation security products that use techniques like machine learning and threat intelligence. The document then debunks common myths about AV and security technologies. It analyzes results from tests of next-generation security products on services like VirusTotal. The document concludes that while no single product can stop all threats, security defenses continue to evolve beyond traditional AV through layered approaches.
This document provides an overview of computer viruses and anti-virus software. It defines what viruses are and how they spread, describes common types of viruses. It then explains what anti-virus software is, how it works to detect and remove viruses, and lists some popular anti-virus programs. It concludes with a brief history of anti-virus software development from the late 1980s onward.
The quality of the code shipped in a product translates not only into its functional quality but also into its non-functional aspects, such as security. Many code issues can be addressed well before the code reaches SCM.
This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.
From the OWASP Northern Virginia meeting August 6, 2009.
The document summarizes the limitations of signature-based anti-virus software. It notes that anti-virus software relies on virus signatures but new viruses are constantly emerging. Retrospective testing shows that anti-virus software is often only able to detect a small percentage of new, zero-day threats even when the software is up-to-date. The document questions the methodology of some anti-virus software testing and advocates for improved testing standards and techniques.
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do I actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
This example laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. This talk will have example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, ciso, come one come all.
Malware Collection and Analysis via Hardware Virtualization (Tamas K Lengyel)
This document outlines a system for collecting and analyzing malware using hardware virtualization. It discusses using virtualization to meet requirements of scalability, stealth, isolation and fidelity. The system captures over 115,000 malware samples and monitors their system calls and kernel heap allocations. It identifies limitations in using virtualization for analysis and contributions of the work in developing prototypes and identifying requirements that must be addressed. Future work areas are discussed, such as dealing with evolving malware techniques and hardware.
Still wrestling with patching 3rd party applications? We’ll walk you through the new “Latest Software Patches” widget available on Spiceworks and show you what valuable information can be learned about the state of your security. Find out what’s coming in the near future (specifically more patch management functionality built into Spiceworks) and how easy it will be to always keep your IT infrastructure secure.
Rolling Out An Enterprise Source Code Review Program (Denim Group)
This document discusses rolling out an enterprise source code review program. It begins by providing background on the author and his company, Denim Group. It then discusses common mistakes organizations make in implementing source code reviews. The rest of the document addresses technology concerns, such as what languages and architectures are supported by review tools, as well as people and process concerns like who will run the tools, when scans will be run, how results will be interpreted and prioritized, and how findings will be addressed. It emphasizes that source code review programs require both technical and human elements to be effective at improving software security.
chap-1 : Vulnerabilities in Information Systems (KashfUlHuda1)
Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability?
Cyberspace: From terra incognita to terra nullius.
Cyberspace performance expectations. Measuring vulnerabilities: CVSS, XCCDF, OVAL.
Avoiding vulnerabilities through secure coding
Understand How Machine Learning Defends Against Zero-Day Threats (Rahul Mohandas)
Detection Challenges
Machine Learning Approaches
Modeling Machine Learning classifiers
Attacks on Machine Learning Defenses
Real Protect
Deep Learning in Sandbox
This document discusses machine learning approaches for defending against zero-day threats. It begins with an overview of the challenges of signature-based detection as malware variants increase. It then covers extracting static and behavioral features from files to build feature vectors for machine learning models. Unsupervised and classification-based clustering are examined for grouping similar objects. The document outlines attacks against machine learning defenses, such as obfuscating files to evade detection or poisoning training data. Defenses include preventing access to training data and making models resilient to poisoning. The document introduces Real Protect, a product from Intel Security that uses machine learning including deep learning in sandboxes to detect malware.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4 (Lisa Niles)
This document discusses Continuous Vulnerability Assessment and Remediation, which is Control 4 from the CIS Top 20 Critical Security Controls. It emphasizes the importance of continuously scanning systems for vulnerabilities, prioritizing remediation of the most critical issues, and ensuring vulnerabilities are addressed in a timely manner through patching or other methods. The document provides an overview of the key aspects of Control 4 and offers suggestions for tools that can be used to implement continuous scanning and vulnerability management.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Similar to Embeddable Antivirus engine with high granularity (20)
Malware in Mobile Platform from Panoramic Industrial View (Antiy Labs)
This document discusses malware threats on mobile platforms and provides 3 key points:
1. It describes new malware threats that disguise as news or other apps to install on mobile phones and steal private information like messages and contacts without the user's knowledge.
2. It analyzes the history of malware confrontation from the late 1980s to the present, noting the emergence of systematical confrontation using botnets in the 2000s and the current state of an underground industrial system.
3. It outlines solutions for analyzing and detecting mobile malware through techniques like disassembling code, behavior monitoring, and automatic comprehensive analysis to understand malware behavior and provide security.
Development, Confusion and Exploration of Honeypot Technology (Antiy Labs)
This document discusses the development, status, challenges, and future outlook of honeypot technology. It describes how honeypots have evolved from early experimental systems in the 1990s to integrated production tools today. The document outlines the main categories of honeypots and discusses ongoing technical challenges around simulating targets, analyzing large amounts of data, and security threats. It presents several research initiatives and the Wind-catcher plan to further cultivation and analysis of malware samples using distributed honeypot networks.
Data Storage and Security Strategies of Network Identity (Antiy Labs)
This document discusses data storage and security strategies for network identity. It introduces the author and defines key terms. It outlines attacks on encrypted ciphertext, current solutions, criteria for suitable security products, and extra topics. Background topics covered include the impact of Moore's law on computation speed and available resources for attacks like cloud computing and botnets. Potential attacks analyzed include rainbow tables, password matching, and some incorrect methods. The document proposes the Antiy Password Mixer as an open-source solution and discusses design of slow hashes, biometric recognition, and other strategies.
Security Challenges of Antivirus Engines, Products and Systems (Antiy Labs)
This document discusses security challenges faced by antivirus engines, products, and systems. It notes that antivirus systems are vulnerable to malware just like other software. The document outlines threats including rootkits that can hijack antivirus software processes, format vulnerabilities that can crash engines, and privilege escalation issues. It discusses improving input validation, privilege control, testing, and secure code development to address these challenges. The goal is for antivirus software to remain vigilant against emerging threats through continued research and responsiveness.
The Evolution Theory of Malware and Our Thought (Antiy Labs)
This document discusses the evolution of malware and antivirus software from an evolutionary perspective. It describes how malware has evolved over time using techniques inspired by biological concepts like parasitism, reproduction, mimicry, dormancy and mutation to avoid detection. It also discusses how antivirus software has countered these techniques through its own evolution, applying concepts like predation, environmental changes and enhanced immunity. Examples of historic malware like Yankee Doodle and responses like Welchian are provided. The document considers debates around Darwinian vs Lamarckian evolution in the context of malware and questions if malware could evolve in a Lamarckian way through acquired characteristics.
This document discusses a virus detection system (VDS). It summarizes the main virus trends in 2004, with over 50% being Trojans and backdoors. It outlines the qualities needed for an intrusion detection system (IDS), including meticulous protocol analysis and a lightweight rule set. The document describes the mechanisms of a VDS, including using a unified data structure and dataset to classify events. It addresses challenges of scaling the rule set and optimizing detection algorithms as the number of rules increases.
4. AV Principles
• AV is not simply a technological battlefront. The overall AV system takes in many logical and legal factors. There are also project planning factors which have some basic principles in common.
• These common principles can be objectively summarized from AV practice and then applied to guide the design of an AV engine and tools.
• In 1995 we summarized the basic common principles in 44 items, informally named AV dialectics.
Antiy Labs www.antiy.net
5. Some Important Items
• A computer virus is, in the final analysis, a kind of program.
• The features of a computer virus are the only identifiers by which to classify the virus.
• The crucial criterion in judging a program to be a virus should be its features or some characteristics of its content.
• The only reason that feature code should be purged is that it is objectively or subjectively harmful.
• Whether a certain program should be classified as a virus or not should be based on clear criteria.
• The clean-up of a virus is the reverse of its infection.
• User's rights to the AV software:
  Right to decide: users can customize the functionality of the AV software instead of using the default configuration.
  Right to know: users should know what the AV software has done in the system.
  Right to backup: users should be provided with means to back up infected files.
• Software should detect viruses inside packages and clean viruses without deleting the package, if authorized.
• Precaution principle: virus monitoring should prevent infected files from running and taking control of the system.
6. AV Dialectics
• With the development of both the application environment and virus techniques, many of our above-stated points began to contradict each other.
• The fundamental reason for these contradictions is the complication of information systems.
7. Challenge 1: Puzzling Criterion
• Item: The crucial criterion of a computer virus should be the feature code or some characteristics of the content.
• Exception: the CMD backdoor left by Code Red (a copy of the legitimate cmd.exe placed where it can be reached through the web server, so its content is byte-for-byte that of a normal system file).
• Question: Traditional AV technologies deal with "yes or no" problems, where the only criterion is the content of the program. But under some circumstances the boundary between harmful and harmless becomes vague.
8. Challenge 2: Paradox of Range
• Item: Whether a certain program should be detected or not should be based on clear criteria.
• Exception: the psexec tool used by Worm.Dvldr (a legitimate remote-administration utility carried along by the worm).
• Question: The emergence of unwanted files is another puzzle for the detection criterion. How far should AV software reach? What is the criterion? So far, many AV products include adware detection; is this reasonable or legal?
9. Challenge 3: Package Enigma
• Item: Detect viruses inside packages and clean viruses without deleting the package, if authorized.
• Exception: DIY worms (such as password worms), and worms using or saving themselves in zip format (such as some variants of Netsky).
• Question: The basic assumption of traditional AV software is that a package file is a normal file that may contain a virus. DIY worms are self-extracting packages. Some worms make many zipped backup copies on the disk which cannot be removed by AV software.
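The two exceptions on this slide, worked through in code. This is an added example, not code from the Antiy slides or the Antiy engine: the feature code, the MZ stub, the archives and the verdict names are all constructed or assumed here. It uses Python's standard zipfile module, which locates the central directory from the end of the file and therefore opens a self-extracting stub with an appended archive just as it opens a plain one.

```python
"""Added example, not code from the Antiy slides: the two exceptions behind
the "package enigma", handled explicitly.

The traditional item says: detect viruses inside packages and clean them
without deleting the package. That breaks for (1) a self-extracting (DIY)
worm, where the package itself is the malware, and (2) a worm that drops
zipped copies of itself, where "cleaning" the archive would leave an empty
shell behind. Feature code, MZ stub and archives are constructed stand-ins.
"""
import io
import zipfile

# Constructed feature code (assumption); a real engine takes this from its database.
SIGNATURE = b"FEATURE-CODE-OF-CONSTRUCTED-WORM"


def is_infected(data: bytes) -> bool:
    """The slide's criterion: judge by content only."""
    return SIGNATURE in data


def build_zip(members: dict) -> bytes:
    """Build a test archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def member_names(blob: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def package_kind(blob: bytes) -> str:
    """'sfx': executable stub with an appended archive; 'zip': plain archive;
    'other': not a package. zipfile finds the central directory from the end
    of the file, so it opens SFX files too; the MZ header tells them apart."""
    looks_like_zip = zipfile.is_zipfile(io.BytesIO(blob))
    if blob[:2] == b"MZ":
        return "sfx" if looks_like_zip else "other"
    return "zip" if looks_like_zip else "other"


def infected_members(blob: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [i.filename for i in zf.infolist() if is_infected(zf.read(i))]


def clean_archive(blob: bytes) -> bytes:
    """Rewrite the archive without its infected members; the remaining
    members keep their names, timestamps and attributes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if not is_infected(data):
                dst.writestr(info, data)
    return out.getvalue()


def decide(blob: bytes) -> tuple:
    """Return (verdict, replacement_bytes_or_None):
    'clean'           nothing found
    'clean_members'   benign package; infected members removed, package kept
    'remove_package'  the package is only a carrier: an SFX worm, or an
                      archive with no benign member left to preserve
    'remove_file'     a plain infected file
    """
    kind = package_kind(blob)
    if kind == "other":
        return ("remove_file" if is_infected(blob) else "clean", None)
    bad = infected_members(blob)
    if kind == "sfx":
        # Exception 1: DIY worm. The stub exists to run the payload, so
        # deleting a member does not make it benign; the whole object is the virus.
        return ("remove_package" if bad or is_infected(blob) else "clean", None)
    if not bad:
        return ("clean", None)
    cleaned = clean_archive(blob)
    if not member_names(cleaned):
        # Exception 2: the worm's own zipped backup copy. Nothing benign is
        # left, so there is no package worth preserving.
        return ("remove_package", None)
    return ("clean_members", cleaned)
```

The split between `clean_members` and `remove_package` is the point: the "keep the package" item is honoured only when there is something benign to keep, and a self-extracting stub is never cleaned member by member.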
10. Challenge 4: Junk Files
• Item: The only reason that feature code should be purged is that it is objectively or subjectively harmful.
• Exception: the crisis caused by unofficial evaluations.
• Problem: If one company detects some trivial files, other companies will follow suit in order to win higher marks in competitive evaluations. Is this worthwhile behavior? How can it be balanced with efficient, high-throughput virus detection?
11. Challenge 5: Responsibility Problem
• Item: The clean-up of a virus is the reverse of its infection.
• Case: leftover backdoors leading to a worm's return.
• Question: Is AV software responsible for recovering all the system modifications made by the virus? How should anything that is missed be dealt with? Is this work endless?
12. Challenge 6: The Time of Action
• Item: Virus monitoring should prevent infected files from running and taking control of the system.
• Case: arguments over file evaluation.
• Question: Since it is difficult to detect unknown PE viruses, Trojans or backdoors, should a heuristic report based on behavior be acted on immediately?
13. Challenge 7: Active Protection
• Item: User's rights to the AV software.
• Case: scanning worms changed the image of victims (an infected system is also an attacker of others).
• Question: At first, viruses aimed simply to infect users' systems. Now, more often than not, they try to make infected systems further infect other systems. In such a case, can a virus be removed without the user's permission? What means are acceptable? Is this a technological question or a legal question?
14. Putting forward and solving the problems
• None of these problems is too difficult to solve technologically.
• Some of them concern style and morals; however, "Puzzling Criterion", "Package Enigma" and the "Responsibility Problem" arise from the traditional system and framework of the AV engine.
• We need more adaptive and reasonable engine frameworks instead of expediency in programming.
16. The three elements of an AV Engine
[Diagram: AV Engine, with its Database and Config]
17. The three elements of an AV Engine
The three elements of an AV engine are the engine, the database, and the configuration. The engine relies on the database to detect, and on the definitions in the configuration to work.
Before, we put much emphasis on the engine. Now we need to pay more attention to the configuration to see what gains it has to offer us.
We also need to re-evaluate the database, the maintenance of which is traditionally mechanical, to see whether the potential for creativity still exists.
18. The Traditional Database
Fields of a database record, and the record types (Type 1 to Type 4) in which each field appears:
• Number: all four types
• Mod num: all four types
• Virus name: all four types
• First word of feature code: two types (the feature-code record types)
• Offset1+Sign 1: two types (the feature-code record types)
• Offset2+Sign 2: two types (the feature-code record types)
• File type flag: one type
• Process arg: three types
• Processing module name: two types (the independent-module record types)
19. The Traditional Database
• In working with a database, 95% of viruses are detected via records of type 3 and type 4 (feature code detection). Detecting the remaining 5% of special viruses is done with records of type 1 and type 2 (independent module detection).
• Over 80% of viruses are processed via argument, and the remaining 20% via processing module.
20. Basic characteristics of the traditional Database
• Object Control: what to detect
• Behavior Control: how to process
• Effectiveness Control: intensity of detection
21. Traditional Configuration Means
• Flow control (Program)
• Debug Switch (Developer)
• INI control (User)
22. Object Control
• Memory=Yes; check the memory
• Sectors=Yes; check the boot sector
• Files=Yes; check file system
• Packed=Yes; check packages
• Archives=Yes; check archives
• MailBases=Yes; check emails
• MailPlain=Yes; check encoded files
• FileMask=2; check the extended names
• UserMask= ?; user defined extension
• Exclude=No; Don’t check customized extensions
• ExcludeMask= ; Don’t check definition of extensions
23. Behavior Control
• InfectedAction=0; remove viruses
• InfectedCopy=No; back up viruses
• InfectedFolder=Infected; back up folders
• SuspiciousCopy=No; back up suspicious files
• SuspiciousFolder=Suspicious; back up folders
• Report=Yes; generate logs
• ReportFileName=Report.txt; name of log file
24. Effectiveness Control
• Warnings=Yes; Show warnings
• CodeAnalyzer=Yes; Open the code analyzer
• RedundantScan=Yes; Redundant scanning
25. That’s enough?
• In the traditional AV environment, this kind of granularity is enough for control; however, problems occur when it comes to more complicated environments.
26. Application Case 1
• Consider what different features the engine will have when working as AV software for a single computer vs. working as one module in a mail server.
• I-Worm.Nimda.e is an infective worm. When processed locally, it should be regarded as a PE infected file, but for a mail server, it should simply be discarded.
• Win95.CIH is an infective virus. When detected, whether locally or on a mail server, it should be processed as an infected file and the original file should be recovered.
• The essential difference is that Win95.CIH doesn’t mail itself but is rather an executable program mailed by the user, while Nimda does the opposite.
• This situation requires different processing for different kinds of viruses in various environments; it is beyond the capacity of traditional engine control.
27. Application Case 2
• Network virus detection equipment contains several responding modules
• What policy should these responding modules work with?
• Some mail worms create addressees randomly. What will happen if sending creates a feedback loop?
• Some mail worms use bots to create addressees. What will happen if the worm starts sending duplicates?
Responding modules:
• Email detection
• Duplicate email detection
• Feedback email detection
• Reset connection
29. Application Case 3
• Integration with networking equipment is an effective response.
• See: OPSEC, TOPSEC
• Different processing for scanning worms and mail worms.
• It is simple to act on the IP nodes infected by scanning worms, but if we do the same to email worms they may send the same email over and over again, causing DoS.
• We should check whether there is a proxy server on the network.
30. That’s not enough!
• New demand goes beyond the capacity of the traditional engine
• How can we solve this problem?
32. Putting Forward the Question
• The trend in network security products implies that virus filtering mechanisms will extend to equipment at different levels
• The above discussion shows the need for the AV engine to adapt to more complicated environments
• AV engines embedded in equipment, or working in other environments, are designed for high granularity
33. Application of Embedded Engine
Application Form                  Details
AV module in firewall             Construct a linear-speed virus filtering module for a packet-filtering firewall with a network engine. Construct a file-stream virus filter for application proxies, transparent proxies or a stream-filtering firewall with a file engine.
AV module in router               Add virus filtering ability to routing equipment with high-speed packet-level scanning.
AV module in switch               Add virus filtering ability to switching equipment with high-speed packet scanning.
Virus detecting plug-ins in IDS   Extend the network engine to provide the IDS with network virus detection ability.
AV module in GAP device           Extend GAP equipment with virus filtering ability.
Virus protection in mail system   Embed virus detection ability into mail servers.
Independent AV software           Users need only program against an API to develop their own AV software.
34. Basic Requirement 1: Memory Engine
[Diagram: the peripheral I/O module passes an object to the AV engine as a memory object; the engine returns the processing result and a report]
35. Memory Engine Interface Demo
/* scanning parameter structure */
typedef struct _AVLF_SDK_SCAN_PARA
{
    char *pBuffer;             /* pointer to buffer */
    unsigned long ulSize;      /* size of the buffer */
    const char *pDescription;  /* description information */
    int bUnpack;               /* whether to unpack */
    int bKill;                 /* whether to kill the virus */
    int bKilled;               /* whether the virus was killed successfully */
} AVLF_SDK_SCAN_PARA, *PAVLF_SDK_SCAN_PARA;

/* set the receiver */
AVLEACHSDK_API int AVLF_SDK_SetReciver(IReportReciver *pReciver);

/* scanning: returns 0 if no virus is detected, 1 if a virus is found;
   detailed information is received by the receiver class */
AVLEACHSDK_API int AVLF_SDK_Scan(PAVLF_SDK_SCAN_PARA pParameter);
36. Basic Requirement 2: Recursive Engine
• Modern AV engines have evolved from branched engines led by module-based format recognition to recursive engines
• In a recursive engine, a scanned object can carry multiple flags, each of which is handled by the corresponding module
• McAfee’s bug in detecting SFX
• archbomb.zip
38. How to detect archbomb.zip
Sign 1: Offset 4h, Length 7h
Sign 2: Offset 300h, Length F0h
A Zip which is also a binary stream can be detected by the binary engine, instead of what would be done in the traditional branched engine: being passed to the archive extracting module by the format recognition module.
39. Example: Recursive Engine
[Diagram: SDK -> IEngine -> IComponentManager (with IConfig and IComponentFactory) -> Component1, Component2 … ComponentN; AnalyseData -> Analyser1, Analyser2 … AnalyserN]
1. Analyzers are parallel in structure; none are prerequisites.
2. Results from the analyzers can provide different priority ratings, with viruses listed as the highest and files needing further processing as the lowest.
3. In principle, analyzers work serially, with higher priority results being forwarded.
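As an added illustration of slides 35, 38 and 39 (not code from the deck or from Antiy's SDK), the following C program models a memory engine whose two analyzers both see the same in-memory object and whose results are merged by priority, so a ZIP carrying a raw binary signature is caught by the binary matcher instead of being handed only to the archive module. The ScanObject type, the analyzer names and the signature bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the memory object the peripheral I/O module hands to the
   engine (hypothetical; mirrors pBuffer/ulSize of AVLF_SDK_SCAN_PARA). */
typedef struct { const unsigned char *pBuffer; size_t ulSize; } ScanObject;

/* Result priority, highest first: virus > needs further processing > clean. */
typedef enum { RES_CLEAN = 0, RES_NEEDS_PROCESSING = 1, RES_VIRUS = 2 } Result;

/* Database-style record: an "Offset1+Sign 1" pair matched on raw bytes. */
typedef struct { const char *name; size_t offset; const unsigned char *sign; size_t len; } SigRecord;

/* Constructed record: a 7-byte signature at offset 4h, as on the archbomb
   slide (the signature bytes themselves are made up for this example). */
static const unsigned char kSign1[] = "ARCHBOM";
static const SigRecord kDb[] = { { "Example.Archbomb (constructed)", 0x4, kSign1, 7 } };

/* Analyzer 1: binary signature matcher; ignores the file format entirely. */
static Result analyse_binary(const ScanObject *o, const char **name) {
    for (size_t i = 0; i < sizeof kDb / sizeof kDb[0]; i++) {
        const SigRecord *r = &kDb[i];
        if (o->ulSize >= r->offset + r->len &&
            memcmp(o->pBuffer + r->offset, r->sign, r->len) == 0) {
            *name = r->name;
            return RES_VIRUS;
        }
    }
    return RES_CLEAN;
}

/* Analyzer 2: format recognition. A ZIP local-file header only marks the
   object for the archive extractor; a branched engine would stop here. */
static Result analyse_format(const ScanObject *o) {
    static const unsigned char zip_magic[] = { 'P', 'K', 3, 4 };
    if (o->ulSize >= sizeof zip_magic && memcmp(o->pBuffer, zip_magic, sizeof zip_magic) == 0)
        return RES_NEEDS_PROCESSING;
    return RES_CLEAN;
}

/* Recursive-engine dispatch: every analyzer sees the same in-memory object,
   none is a prerequisite for another, and the highest-priority result wins. */
Result scan_object(const ScanObject *o, const char **name) {
    *name = NULL;
    Result best = analyse_format(o);
    Result bin = analyse_binary(o, name);
    return bin > best ? bin : best;
}
```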
40. Basic Requirement 3: Portable Engine
• The working environment could be the x86 architecture, or other architectures like PPC
• Modules written in x86 assembly language are a barrier to porting to other architectures.
41. Basic Requirement 4: Highly Controllable Engine
• What are the essential requirements for high granularity?
• Virus processing in different environments cannot rely only on detecting the infection feature; it also needs the “specialty” of the virus.
• The granularity of control needs to reach the individual virus, so the database needs to provide more information.
• Virus processing will be done with information from the database about the virus specialty.
42. Control Level
Traditional control levels:
• Flow control (Program)
• Debug Switch (Developer)
• INI control (User)
Control levels of the high granularity engine:
• Flow control (Program)
• Virus attribute
• Debug Switch (Developer)
• Stencil (Condition)
• INI control (User)
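An added example, not from the deck or the SDK, that ties together the INI control of slides 22 to 24, Application Case 1 (slide 26) and the two new control levels on this slide: the INI switch decides whether to act at all, while the virus attribute from the database and the stencil (the environment the engine is embedded in) decide how. The Environment, VirusRecord and Action names, the ini_get helper and the infective/self_mailing fields are assumptions of this example.

```c
#include <string.h>

/* Stencil (condition) level: where the engine is embedded. Hypothetical names. */
typedef enum { ENV_LOCAL, ENV_MAIL_SERVER } Environment;
/* Virus attribute level: the record carries the virus "specialty"; here only
   whether it infects host files and whether it mails itself (constructed). */
typedef struct { const char *name; int infective; int self_mailing; } VirusRecord;
typedef enum { ACT_REPORT_ONLY, ACT_CLEAN_RESTORE, ACT_DISCARD } Action;

/* Records for the two cases on slide 26, with the attributes as the slide states them. */
static const VirusRecord kNimda = { "I-Worm.Nimda.e", 1, 1 };
static const VirusRecord kCih   = { "Win95.CIH",      1, 0 };

/* INI control level: reads KEY from text in the slides' "Key=Value; comment"
   form into OUT, comment stripped. Returns 1 if present, else 0. */
int ini_get(const char *ini, const char *key, char *out, size_t n) {
    size_t klen = strlen(key);
    for (const char *p = ini; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t llen = eol ? (size_t)(eol - p) : strlen(p);
        if (llen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1, *end = v;
            while (end < p + llen && *end != ';' && *end != ' ') end++;
            size_t vlen = (size_t)(end - v) < n ? (size_t)(end - v) : n - 1;
            memcpy(out, v, vlen); out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* The INI switch says whether to act at all; the virus attribute together
   with the stencil says how. */
Action decide_action(const char *ini, const VirusRecord *v, Environment env) {
    char val[16];
    /* InfectedAction=0 is "remove viruses" on slide 23; anything else is report only here. */
    if (!ini_get(ini, "InfectedAction", val, sizeof val) || strcmp(val, "0") != 0)
        return ACT_REPORT_ONLY;
    if (env == ENV_MAIL_SERVER && v->self_mailing)
        return ACT_DISCARD;        /* the message itself is the worm */
    if (v->infective)
        return ACT_CLEAN_RESTORE;  /* the carrier is the user's file: restore it */
    return ACT_DISCARD;
}
```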
44. Basic Requirement 5: Precise Processing Engine
• Perfect reverse engineering is the end goal.
• The High Granularity Engine ends the era in which the AV company does not need to analyze the virus.
45. How to Process
Cleaning parameter set:
• Clean com tail
• Clean com head
• Clean exe tail
• Clean ne tail
• Clean pe tail
• Remove file
• Copy data block
• Move data block
• Insert data block
• Modify data block
• Delete data block
• Fill in data block
• Truncate data tail
• Truncate data head
• The list above is the cleaning parameter set which is widely accepted by many companies.
• We need the same detailed processing script for non-infective viruses
• Is this work endless?
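An added example (not the vendor's code) that applies three of the listed primitives as a cleaning script over an in-memory object, with bounds checks so that a script can refuse rather than damage a file it does not fit; the Op, Step and Object types and the constructed appending-infector layout are assumptions of this example.

```c
#include <string.h>

/* The slide's cleaning primitives, modelled as steps of a script applied to
   an in-memory object (hypothetical representation, not the vendor's). */
typedef enum { OP_COPY_BLOCK, OP_DELETE_BLOCK, OP_TRUNCATE_TAIL } Op;
typedef struct { Op op; size_t src, dst, len; } Step;
typedef struct { unsigned char *data; size_t size; } Object;

/* Applies one step. Returns 0 on success, -1 if the step would reach outside
   the object: a script must refuse rather than corrupt the file. */
int apply_step(Object *o, const Step *s) {
    switch (s->op) {
    case OP_COPY_BLOCK:    /* overwrite [dst, dst+len) with [src, src+len) */
        if (s->src + s->len > o->size || s->dst + s->len > o->size) return -1;
        memmove(o->data + s->dst, o->data + s->src, s->len);
        return 0;
    case OP_DELETE_BLOCK:  /* cut [src, src+len) and close the gap */
        if (s->src + s->len > o->size) return -1;
        memmove(o->data + s->src, o->data + s->src + s->len, o->size - s->src - s->len);
        o->size -= s->len;
        return 0;
    case OP_TRUNCATE_TAIL: /* drop the last len bytes */
        if (s->len > o->size) return -1;
        o->size -= s->len;
        return 0;
    }
    return -1;
}

int run_script(Object *o, const Step *steps, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (apply_step(o, &steps[i]) != 0) return -1;
    return 0;
}

/* Constructed appending infector for this example: it overwrites the first 4
   header bytes of the host and appends a 12-byte body whose first 4 bytes are
   the saved original header. Cleaning = copy the saved header back, then
   truncate the appended body. */
#define HOST_HDR 4
#define BODY_LEN 12
int clean_constructed_appender(Object *o) {
    if (o->size < BODY_LEN + HOST_HDR) return -1;
    Step script[] = {
        { OP_COPY_BLOCK, o->size - BODY_LEN, 0, HOST_HDR },
        { OP_TRUNCATE_TAIL, 0, 0, BODY_LEN },
    };
    return run_script(o, script, 2);
}
```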
47. Our Understanding and Dream
• AV principles are not invariable. Instead, they are evolving, dynamic principles. They require not only summarizing but also supplementing and replacing.
• We believe in our understanding and we persist in our dream.
• Thank you!