[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080807111955.C2A892FE8AA@pmx1.sophos.com>
Date: Thu, 7 Aug 2008 12:19:01 +0100
From: tvrtko.ursulin@...hos.com
To: daw-news@...berkeley.edu (David Wagner)
Cc: linux-kernel@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on
access scanning
David Wagner wrote on 06/08/2008 23:24:01:
First of all you dropped all CC so I only found this by chance.
> Tvrtko wrote:
> >J. Bruce Fields wrote on 05/08/2008 23:55:24:
> >> On Mon, Aug 04, 2008 at 05:00:16PM -0400, Eric Paris wrote:
> >> > There is a consensus in the security industry that protecting
against
> >> > malicious files (viruses, root kits, spyware, ad-ware, ...) by the
way
> >> > of so-called on-access scanning is usable and reasonable approach.
> >>
> >> Can you point to any helpful explanations of that concensus?
> >
> >I can't, but everyone is doing it so that is at least an implied
> >consensus.
>
> I don't think there is any such consensus, so I'm not expecting a
> technical explanation. As best as I can tell, the primary explanation
> for why so many A/V vendors are doing it seems to be that it's a damn
> effective business model, and that may have as much of an effect on its
> widespread use as any technical merits or demerits.
>
> Think about it: you get users to buy your A/V, then you tell them
> they need to pay a monthly subscription fee to get the latest virus
> signatures updates. It's like crack. Once you convince IT managers
that
> "every machine needs to run A/V software", it's basically a guaranteed
> revenue stream for the A/V industry. It's lucrative stuff, so it's no
> surprise that the A/V industry is nursing this for as long as it can go.
> And on many Microsoft platforms, the level of pain has been high enough
> that IT managers are willing to accept anything that reduces the level
of
> pain even partially, so it's no surprise that A/V is so widely used
today.
> It doesn't necessarily mean that it's the right way to go for the
future,
> or that it's the right model for Linux, though.
You are entitled to your opinion and I am not in a position to get
involved into these kinds of discussions.
> >> Off-hand it's surprising. (A defense that depends on cataloging
every
> >> possible individual attack sounds difficult!)
>
> Of course. Simple signature-based file-scanning has got deep technical
> limitations. It can detect copycats and script kiddies but you'd be
> foolish to rely upon it to detect any kind of sophisticated attack.
So why you deleted my quote where I say signature based detection is not
all we do?
> Let's put some numbers on it, for real commercial A/V software.
> I was at the Usenix Security conference last week, where one group of
> researchers presented a paper that included a chart showing how quickly
> McAfee A/V was able to detect new malware samples. The researchers
> collected a large set of malware samples, and ran McAfee on it once
> a day or so to see how long it took for McAfee's signature database
> to be updated so it could detect those malware samples. As I recall,
> the basic stats looked like this: about 30% of zero-day malware samples
> were detected on the first day they were released (and 70% weren't).
> The median number of days until a new malware sample was detected was
> about 40 days. If you wanted hundreds of days, asymptotically McAfee
was
> able to detect about 70% of the samples (and 30% were never detected).
> I expect the situation to get worse in the future, not better.
Do you have a link to that paper? It is all about the testing methodology
and it would be interesting to read how the actually test in more detail.
To bad they haven't used more than one product. They chose McAfee who,
with all respect - and I am not representig my company but saying this
privately, are not known for their swiftest response times. See here:
http://blogs.pcmag.com/securitywatch/Results-2008q1.htm , they also seem
to be good but not great in proactive detection.
> And keep in mind it's easy for an attacker to write a polymorphic or
> "metamorphic" virus that is basically undetectable with straightforward
> signature-based file scanning, so in an arms race the attackers have
> most of the advantages.
Again this goes back to my quote you deleted. Why is straightforward
signature-based detection relevant? Who is doing only that today? For
example please read this:
http://www.infosectoday.com/Articles/Behavioral_Genotype.htm from where I
quote:
"""
A good example of this is the Storm worm outbreaks that started in October
2006 and continued into February 2007. See figure below. There were many
variants, including Dorf and Dref worms, but one single behavioral
genotype identity detected nearly 5000 different unique variants. Using
traditional signature-based techniques, it would have required reactive
detection, which would have taken a lot of man power and been much less
effective at stopping the first waves of the threat.
"""
Tvrtko
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists