Focus on Virus
Re: Extracting signature snippets from AV databases
May 09 2006 05:11PM
Robert Sandilands (rsandilands authentium com)
There have been some reports of malware breaking out of virtualization
environments and infecting the host.

Virus detection algorithms are not a question of presenting a few bytes
and something is detected. There may be some primitive products on the
market like that, but most depend on a significant amount of context.
What you want to achieve will probably be very scan engine specific and
may not be possible.

The main problem with using virtualization and/or host intrusion
detection/prevention is the false positive issue. I have seen some good
attempts at managing that, but none of the ones I have seen are quite
production ready yet.
Bill Stout wrote:
> Yes, we use EICAR for email testing occasionally. What I'd like to do
> is scroll a list of detected signatures as they occur.
>
> The reason why I want to place snippets on text files is to fully
> exercise detection engines. For one, it would be interesting to see how
> products do/do not flag a warning on specific signatures. For example,
> Ad-Aware Pro and McAfee are verbose, Symantec and others are not.
>
> There is a large push towards using virtualization technologies for
> anti-virus protection. Intel, AMD, Microsoft, Symantec, and others are
> pushing virtualization technologies. Sandboxes and virtual machines are
> very harsh ways to isolate the OS from the Internet. However,
> virtualization at the application layer allows some integration with the
> base OS without exposing the OS to modification by Internet content, and
> enables confidentiality by controlling areas and objects which the
> browser can read. Protection through virtualization does not require
> detection, and doesn't care about signatures or patches, since all
> processes and temporary files in a virtual environment are cleared out
> with a mouse click. Problem is, when a product doesn't detect, it
> doesn't identify specifically what it protected you from. Detection
> products immunize a computer from a list of specific threats, protection
> products shield a computer from general threats. Like latex...gloves.
>
> I can purposely run malware or attempt to install spyware in a
> virtualized application environment (IE or Outlook) without infecting
> the underlying PC. Although I could open dozens of browser pages known
> to contain malware, I can't do that safely in a networked or customer
> environment. It's better to open dozens of web pages with harmless
> snippets which temporarily place cached files (and possibly processes)
> than true malware pages.
> Bill Stout
> -----Original Message-----
> From: Jason Muskat [mailto:Jason (at) TechDude (dot) Ca [email concealed]]
> Sent: Monday, May 08, 2006 7:47 PM
> To: Bill Stout; focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Re: Extracting signature snippets from AV databases
> I'm not sure why you would want to do all of that. If you want to do
> standard testing take a look at the EICAR virus test file
Robert Sandilands: Software Engineer
Authentium: Home of Command Software
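The point Robert makes about context is easy to see in code. The following is an added illustration, not code from either poster or from any scanner vendor: it compares a naive "these bytes appear somewhere" check against an EICAR-style rule where the pattern must sit at offset 0, be followed only by whitespace, and the file must stay under a size cap. The marker string and the sample files are constructed for this example; the marker is not a real signature and not the EICAR test string itself.

```python
"""Naive substring detection versus context-dependent detection (toy model).

Constructed example. MARKER is a made-up token standing in for a
signature's byte pattern; the samples below are invented inputs.
"""

# Constructed marker; a real test-file specification would use its own
# fixed string here. This one is deliberately not a real signature.
MARKER = b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE"

# Context rules modelled on the EICAR test-file specification: marker at
# offset 0, only whitespace after it, and a hard cap on the file size.
MAX_SIZE = 128
ALLOWED_TRAILER = b" \t\r\n"


def naive_match(data: bytes) -> bool:
    """'Present a few bytes and something is detected': substring only."""
    return MARKER in data


def contextual_match(data: bytes) -> bool:
    """Marker must start the file, the rest may only be whitespace,
    and the whole file must be at most MAX_SIZE bytes."""
    if len(data) > MAX_SIZE:
        return False
    if not data.startswith(MARKER):
        return False
    trailer = data[len(MARKER):]
    # Iterating over bytes yields ints; `int in bytes` checks membership.
    return all(b in ALLOWED_TRAILER for b in trailer)


# Constructed sample files (name -> content).
SAMPLES = {
    # A well-formed test file: marker first, newline, nothing else.
    "clean_test_file": MARKER + b"\r\n",
    # A text note that merely quotes the marker mid-file, the kind of
    # "snippet in a text file" the thread discusses.
    "note_with_snippet": b"Bill's note: the marker " + MARKER + b" sits here\n",
    # Marker at offset 0 but followed by 200 bytes of filler: over the
    # size cap and with a non-whitespace trailer.
    "padded_copy": MARKER + b"\n" + b"A" * 200,
    # Ordinary text with no marker at all.
    "benign_text": b"nothing to see here\n",
}


def compare(samples: dict) -> dict:
    """Return name -> (naive_result, contextual_result) for each sample."""
    return {name: (naive_match(data), contextual_match(data))
            for name, data in samples.items()}


def false_positives(samples: dict) -> list:
    """Names the naive check flags but the contextual rule does not."""
    return [name for name, (naive, ctx) in compare(samples).items()
            if naive and not ctx]


if __name__ == "__main__":
    for name, (naive, ctx) in compare(SAMPLES).items():
        print(f"{name:20s} naive={naive!s:5s} contextual={ctx!s:5s}")
    print("naive-only hits:", false_positives(SAMPLES))
```

The two "naive-only" hits are exactly the cases the thread is about: a text file that quotes the pattern, and a copy padded past the size limit. A scanner whose rule requires context will stay silent on both, so scrolling "detected signatures" by dropping snippets into text files tells you about the scanner's matching rules at least as much as about its signature list.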
Copyright 2010, SecurityFocus