funsec mailing list archives
Re: No AV? Shock, horror!
From: Dan Kaminsky <dan () doxpara com>
Date: Wed, 30 Sep 2009 01:35:00 +0200
I was under the impression AV tended to err on the side of false negatives -- see the repeated clawback on heuristics. I'm not sure false positives would make a significant statistical difference given that preference. Could be convinced otherwise though.

On Wed, Sep 30, 2009 at 1:31 AM, Charles Miller <cmiller () securityevaluators com> wrote:

> You assume no false positives...
>
> On Sep 29, 2009, at 5:12 PM, Dan Kaminsky wrote:
>
>> Methodology wouldn't be too bad -- there are things a manual auditor can notice and alarm on quickly, that AV really can't just block or even send back for further review. So it's a matter of:
>>
>> 1) Gain legitimate access to a large number of systems, perhaps through a PC repair service
>> 2) Separate the machines into buckets -- "No AV", "Norton", "McAfee", "Trend Micro", etc.
>> 3) For each bucket, scan with all AV scanners. This will determine the number of machines that are infected with known malware that at least one other scanner was able to find.
>> 4) For each node that passed all automatic sweeps, manually sweep. This should yield a minimum size of the "long tail" (minimum, because we might not find all).
>>
>> Note that we may want to qualify "infected". Tracking cookies most assuredly do not count. Botnets most assuredly do. Merely self-replicating code, that's sort of up in the air.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
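Charles's objection in the quoted exchange, as an added illustration that is not code from the thread: step 3 counts a machine as infected when any scanner alarms, so per-scanner false-positive rates compound across the scanner set, while misses only shrink. The sensitivities, false-positive rates and bucket prevalences below are constructed assumptions, not measurements.

```python
# Added example: how "any scanner alarms" aggregation in step 3 of the
# methodology behaves under false negatives versus false positives.
# All rates are constructed assumptions (independent scanner errors).


def union_rates(sensitivities, fprs):
    """Return (detection rate, false-positive rate) of flagging a machine
    when ANY of the scanners alarms, assuming independent scanner errors."""
    miss_all = 1.0   # probability every scanner misses a real infection
    clean_all = 1.0  # probability no scanner false-alarms on a clean host
    for sens, fpr in zip(sensitivities, fprs):
        miss_all *= 1.0 - sens
        clean_all *= 1.0 - fpr
    return 1.0 - miss_all, 1.0 - clean_all


def apparent_prevalence(true_prev, sensitivities, fprs):
    """Fraction of a bucket that step 3 would report as 'infected'."""
    sens_u, fpr_u = union_rates(sensitivities, fprs)
    return true_prev * sens_u + (1.0 - true_prev) * fpr_u


def bucket_report(buckets, sensitivities, fprs):
    """Map bucket name -> (assumed true prevalence, reported prevalence)."""
    return {
        name: (prev, apparent_prevalence(prev, sensitivities, fprs))
        for name, prev in buckets.items()
    }


if __name__ == "__main__":
    # Constructed bucket prevalences for the study design in the thread.
    buckets = {"No AV": 0.10, "Norton": 0.05, "McAfee": 0.04}
    n_scanners = 10
    sens = [0.6] * n_scanners          # each scanner misses 40% of infections
    for per_scanner_fpr in (0.0, 0.001, 0.02):
        fprs = [per_scanner_fpr] * n_scanners
        _, fpr_u = union_rates(sens, fprs)
        print(f"per-scanner FPR {per_scanner_fpr:.3f} -> union FPR {fpr_u:.3f}")
        for name, (true_p, seen_p) in bucket_report(buckets, sens, fprs).items():
            print(f"  {name:<8} true {true_p:.3f}  reported {seen_p:.3f}")
```

With ten scanners at a 0.1% false-positive rate each, the union false-positive rate stays near 1%, well below the bucket differences; at 2% each it reaches roughly 18% and swamps a 4-5% true prevalence, which is the case where the bucket comparison stops being meaningful.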