Educause Security Discussion mailing list archives

Re: BlueCoat with McAfee or Kaspersky Malware Engines


From: David Harley <dharley () SMALLBLUE-GREENWORLD CO UK>
Date: Sat, 17 Jan 2009 10:22:07 -0000

(Declaration of interest: I currently work for ESET, who make NOD32.
Nonetheless, this is a vendor-neutral rant...)

I think you're right. This is a problem across the board.

* Sheer glut has seriously reduced the value of the
one-signature-to-each-malicious-program model: it doesn't make sense to
produce a signature for every short-life binary that flares up for a few
minutes (often literally) and is never seen again, even if we had the lab
resources to do it that way. The most effective detection nowadays is either
generic (detection of whole families and sub-families), proactive
(heuristics, sandboxing, emulation etc), or hybrid. That doesn't mean there
isn't a use for known-malware detection, but it's infinitely less useful now
than it was when malware was more specialized, much rarer, and spread much
less slowly.
* Unfortunately, while the sheer numbers of detections we add daily would be
mind-boggling if we could list them for each individual malicious binary,
they represent a much smaller percentage of the totality of current malware.
In the 90s, a good heuristic scanner could claim to detect something like
70-80% of new malware: clearly, that's no longer the case. :(
* Serverside polymorphism, where the malicious binary is replaced on the
server in a new form at regular intervals, isn't susceptible to the same
algorithmic detection approaches as the polymorphic engines of the '90s.
Binaries do change very quickly.
* The more effective a scanner's detection is, the more R&D time (really!)
badware gangs will put into tweaking their binaries till they evade the
current with the latest updates. I've noticed this trend particularly in the
past year with adware trojans like Virtumonde and fake
anti-virus/anti-spyware apps.

Which is why, while marketing departments sometimes stretch the truth,
hard-core anti-malware researchers will almost always advocate
defense-in-depth rather than kid you that "our product is all the protection
you need."

--
David Harley BA CISSP FBCS CITP
Small Blue-Green World
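As an added illustration of the signature-versus-generic point made in the first two bullets above (example code written for this archive page, not David's, ESET's or any product's code; every byte string in it is constructed), the toy below re-packs a "family" per download and shows per-binary hash signatures missing every unseen variant while a wildcard family pattern catches them:

```python
"""Toy: per-binary hash signatures vs. generic family detection against a
server-side polymorphic 'family'. All samples here are constructed bytes."""
import hashlib
import re

# Constructed invariant core of the family (not real malware): a function
# prologue, a variable configuration field, then the function epilogue.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10"
EPILOGUE = b"\x00\xc9\xc3"

def make_variant(seed: int) -> bytes:
    """Stand-in for the server handing out a re-packed binary each time:
    variable junk and a per-campaign config string wrap the invariant core.
    A real kit would randomise; deriving from a seed keeps the demo reproducible."""
    junk = hashlib.sha256(f"junk-{seed}".encode()).digest()[: 6 + seed % 7]
    config = f"c{seed:03d}.example.invalid".encode()  # constructed placeholder
    return junk + PROLOGUE + config + EPILOGUE + junk[::-1]

def sha256_hex(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()

# Generic (family) signature: invariant prologue, a 4-32 byte wildcard jump
# over the config field, invariant epilogue. This is what a YARA-style
# "[4-32]" jump expresses; here it is a regex over raw bytes.
FAMILY_PATTERN = re.compile(
    re.escape(PROLOGUE) + rb".{4,32}?" + re.escape(EPILOGUE), re.DOTALL)

def hash_detect(sample: bytes, known_hashes: set) -> bool:
    """One-signature-per-binary model: hits only on already-seen samples."""
    return sha256_hex(sample) in known_hashes

def family_detect(sample: bytes) -> bool:
    """Generic model: hits on anything carrying the family's invariant code."""
    return FAMILY_PATTERN.search(sample) is not None

def compare(known_seeds, new_seeds):
    """Return (hash hits, family hits) over variants the lab has never seen."""
    known = {sha256_hex(make_variant(s)) for s in known_seeds}
    fresh = [make_variant(s) for s in new_seeds]
    return (sum(hash_detect(v, known) for v in fresh),
            sum(family_detect(v) for v in fresh))

BENIGN = b"MZ" + b"\x90" * 64 + b"Hello, world\x00"  # constructed benign sample

if __name__ == "__main__":
    print(compare(range(5), range(5, 15)))  # (0, 10): hashes miss, family hits
    print(family_detect(BENIGN))            # False
```

The numbers are the point David makes: five lab-analysed samples give five hashes and zero coverage of the next ten downloads, whereas the single family pattern covers all ten without a lab touching any of them.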



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: 17 January 2009 07:53
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] BlueCoat with McAfee or Kaspersky Malware Engines


On 17/01/2009, at 4:07 AM, Stanclift, Michael wrote:

We use McAfee Enterprise on our desktops and have been consistently
disappointed with its levels of detection. However, Kaspersky has an
engine superior to nearly everyone else on the market and both in my
use and in testing it's rated to have one of the best detection rates
in the industry.


I think you will find that all AV products are having trouble
keeping up now. We use Nod32 and have noticed an increasing
failure rate over the past few months. Malware is now
changing so frequently that AV vendors are struggling to keep
up, and once the malware gets installed it then protects itself
so that the AV never finds it (rootkits) or hooks itself
into Windows so that AV cannot remove the files because they
are held open by the OS.

I would suggest that changing your AV vendor will not solve
this problem.

Russell
