Wednesday, April 18, 2007

The Original Anti-Virus Test Paper is Here!

The anti-malware saga started in Let's Play a Fun Game Here ... A Scary Game, continued in Answer to My Antivirus Mystery Question and a "Fun" Story, and was discussed further in More on Anti-virus and Anti-malware; what was then criticized in the myth of meaningful informal anti-malware tests finally comes to an end. I was allowed to publish the actual paper: get the paper [PDF] here.

Just to top this discussion off, here is a quote from the VirusTotal guys themselves (this): "Generally speaking, even though it may seem obvious, we must state that all anti-malware products have detection problems due to the tremendous proliferation and diversification of malware nowadays." Amen to that!

1 comment:

Anonymous said...

Anton,

It seems as though the paper is abbreviated. It lacks many of the details around the conclusions made, and we certainly don't see what makes up the 'binaries' that were tested - what they do. Also, we don't know how these 'binaries' do against supplemental technologies (such as intrusion prevention). In reading Dancho Danchev's blog, it appears he submitted many samples of bot and shell generator tools created by the hacking community; some of these are still in "BETA".

Generally speaking, I believe we all agree that signature based AV is past its useful time, however, expecting the same vendors to use their AV tools to capture the latest generation of hacking tools might be misplaced.

It appears, to me, that most vendors see the end of the signature based technology, thus the incorporation of intrusion prevention technologies across the board. My thought, then, is that the paper doesn't tell us much other than "Hey, there are new ways of making malicious code that doesn't advertise itself, and is meant to compromise, rather than destroy a system". That in itself says a lot about the motives involved, and how avoidance of AV technologies is a key feature. Just as AV has passed its useful life, so too it seems malcode will not rely on mutating strings to avoid detection.

Dr Anton Chuvakin