Educause Security Discussion mailing list archives
Re: BlueCoat with McAfee or Kaspersky Malware Engines
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Sat, 17 Jan 2009 08:58:51 -0600
This is an *excellent* example of why it's good to have vendor-related list members. It provides insight to the issue from the vendor side of the coin, doesn't denigrate other vendor products, and doesn't try to promote his own company's product. Thank you, David!

- ken

David Harley wrote:
(Declaration of interest: I currently work for ESET, who make NOD32. Nonetheless, this is a vendor-neutral rant...)

I think you're right. This is a problem across the board.

* Sheer glut has seriously reduced the value of the one-signature-to-each-malicious-program model: it doesn't make sense to produce a signature for every short-life binary that flares up for a few minutes (often literally) and is never seen again, even if we had the lab resources to do it that way. The most effective detection nowadays is either generic (detection of whole families and sub-families), proactive (heuristics, sandboxing, emulation etc.), or hybrid. That doesn't mean there isn't a use for known-malware detection, but it's infinitely less useful now than it was when malware was more specialized, much rarer, and spread much less slowly.

* Unfortunately, while the sheer numbers of detections we add daily would be mind-boggling if we could list them for each individual malicious binary, they represent a much smaller percentage of the totality of current malware. In the 90s, a good heuristic scanner could claim to detect something like 70-80% of new malware: clearly, that's no longer the case. :(

* Server-side polymorphism, where the malicious binary is replaced on the server in a new form at regular intervals, isn't susceptible to the same algorithmic detection approaches as the polymorphic engines of the '90s. Binaries do change very quickly.

* The more effective a scanner's detection is, the more R&D time (really!) badware gangs will put into tweaking their binaries till they evade the current with the latest updates. I've noticed this trend particularly in the past year with adware trojans like Virtumonde and fake anti-virus/anti-spyware apps.

Which is why, while marketing departments sometimes stretch the truth, hard-core anti-malware researchers will almost always advocate defense-in-depth rather than kid you that "our product is all the protection you need."
--
David Harley BA CISSP FBCS CITP
Small Blue-Green World

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: 17 January 2009 07:53
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] BlueCoat with McAfee or Kaspersky Malware Engines

On 17/01/2009, at 4:07 AM, Stanclift, Michael wrote:

We use McAfee Enterprise on our desktops and have been consistently disappointed with its levels of detection. However, Kaspersky has an engine superior to nearly everyone else on the market and both in my use and in testing it's rated to have one of the best detection rates in the industry.

I think you will find that all AV products are having trouble keeping up now. We use Nod32 and have noticed an increasing failure rate over the past few months. Malware is now changing so frequently that AV vendors are struggling to keep up, and once the malware gets installed it then protects itself so that the AV never finds it (root kits) or hooks itself into Windows so that AV cannot remove the files because they are held open by the OS.

I would suggest that changing your AV vendor will not solve this problem.

Russell
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
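An added illustration of the first point in David Harley's message above, the gap between one-signature-per-binary (exact hash) detection and generic family detection, when a server-side repacker changes only a per-build region of an otherwise identical binary. This is example code written for this archive page, not code from any of the posters or from ESET, McAfee, Kaspersky or BlueCoat. The byte layout, the "family" variants, the configuration strings and the signatures are all constructed for the demonstration.

```python
"""Exact-hash vs generic (family) signatures over a constructed malware family.

Demonstrates why a signature per binary stops scaling once the same code is
re-issued many times with only a small per-build region changed, while a
generic signature that wildcards that region still covers the whole family.
"""
import hashlib
import re

# Constructed stand-in for a stable code core shared by every build of one
# family (a few x86-looking prologue bytes plus a marker string, nothing real).
CORE = b"\x55\x8b\xec\x83\xec\x10CORE-LOGIC-V1\x90\x90"


def build_variant(config: bytes) -> bytes:
    """Constructed 'repacker': same core, different embedded config blob."""
    return CORE + b"CFG:" + config + b"\xc9\xc3"


# Three builds of the same family; only the config blob differs.  The
# addresses are RFC 5737 documentation ranges, i.e. constructed values.
VARIANTS = {
    "build_a": build_variant(b"c2=198.51.100.10;id=0001"),
    "build_b": build_variant(b"c2=198.51.100.11;id=0002"),
    "build_c": build_variant(b"c2=203.0.113.5;id=0003"),
}

# A constructed benign file that shares the prologue bytes but not the core.
BENIGN = b"\x55\x8b\xec\x83\xec\x10hello world\xc9\xc3"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-malware model: the lab saw exactly one sample and hashed it.
HASH_SIGNATURES = {sha256(VARIANTS["build_a"])}

# Generic model: match the stable core, wildcard the variable config region
# (4-64 bytes that are not the terminator byte), then the epilogue.
GENERIC_SIGNATURE = re.compile(
    rb"\x55\x8b\xec\x83\xec\x10CORE-LOGIC-V1\x90\x90CFG:[^\xc9]{4,64}\xc9\xc3"
)


def detect_by_hash(sample: bytes) -> bool:
    """One-signature-per-binary detection: exact hash lookup."""
    return sha256(sample) in HASH_SIGNATURES


def detect_generic(sample: bytes) -> bool:
    """Family-level detection: core pattern with a wildcarded region."""
    return GENERIC_SIGNATURE.search(sample) is not None


def coverage(detector, samples: dict) -> set:
    """Names of the samples a detector flags; used to compare the two models."""
    return {name for name, data in samples.items() if detector(data)}


if __name__ == "__main__":
    print("hash-based  :", sorted(coverage(detect_by_hash, VARIANTS)))
    print("generic     :", sorted(coverage(detect_generic, VARIANTS)))
    print("benign hit? :", detect_generic(BENIGN), detect_by_hash(BENIGN))
```

Run as a script, the hash model covers only the one build the lab already has, the generic signature covers all three builds of the constructed family, and neither flags the benign file. The trade-off a detection engineer weighs here is the one the thread is circling: a wildcarded family pattern is more resilient to repacking but needs careful false-positive testing against clean files that share common prologue bytes, which is why the benign sample is part of the check.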
Current thread:
- BlueCoat with McAfee or Kaspersky Malware Engines Mark Rogowski (Jan 15)
- <Possible follow-ups>
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Sabo, Eric (Jan 15)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Mark Rogowski (Jan 16)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Stanclift, Michael (Jan 16)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Sabo, Eric (Jan 16)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Mark Rogowski (Jan 16)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Valdis Kletnieks (Jan 16)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Russell Fulton (Jan 16)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines David Harley (Jan 17)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines Ken Connelly (Jan 17)
- Re: BlueCoat with McAfee or Kaspersky Malware Engines David Harley (Jan 19)