Re: BlueCoat with McAfee or Kaspersky Malware Engines

[David Harley <dharley () SMALLBLUE-GREENWORLD CO UK>]

Thank -you-, Ken! :)

--
David Harley BA CISSP FBCS CITP
Small Blue-Green World



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
> Sent: 17 January 2009 14:59
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] BlueCoat with McAfee or Kaspersky
> Malware Engines
>
> This is an *excellent* example of why it's good to have
> vendor-related list members.  It provides insight to the
> issue from the vendor side of the coin, doesn't denigrate
> other vendor products, and doesn't try to promote his own
> company's product.  Thank you, David!
>
> - ken
>
> David Harley wrote:
> > (Declaration of interest: I currently work for ESET, who make NOD32.
> > Nonetheless, this is a vendor-neutral rant...)
> >
> > I think you're right. This is a problem across the board.
> >
> > * Sheer glut has seriously reduced the value of the
> > one-signature-to-each-malicious -program model: it doesn't
> make sense
> > to produce a signature for every short-life binary that
> flares up for
> > a few minutes (often literally) and is never seen again, even if we
> > had the lab resources to do it that way. The most effective
> detection
> > nowadays is either generic (detection of whole families and
> > sub-families), proactive (heuristics, sandboxing, emulation
> etc), or
> > hybrid. That doesn't mean there isn't a use for known-malware
> > detection, but it's infinitely less useful now than it was when
> > malware was more specialized, much rarer, and spread much
> less slowly.
> > * Unfortunately, while the sheer numbers of detections we add daily
> > would be mind-boggling if we could list them for each individual
> > malicious binary, they represent a much smaller percentage
> of the totality of current malware.
> > In the 90s, a good heuristic scanner  could claim to detect
> something
> > like 70-80% of new malware: clearly, that's no longer the case. :(
> > * Serverside polymorphism, where the malicious binary is
> replaced on
> > the server in a new form at regular intervals, isn't susceptible to
> > the same algorithmic detection approaches as the
> polymorphic engines of the '90s.
> > Binaries do change very quickly.
> > * The more effective a scanner's detection is, the more R&D time
> > (really!) badware gangs will put into tweaking their binaries till
> > they evade the current with the latest updates. I've noticed this
> > trend particularly in the past year with adware trojans like
> > Virtumonde and fake anti-virus/anti-spyware apps.
> >
> > Which is why, while marketing departments sometimes stretch
> the truth,
> > hard-core anti-malware researchers will almost always advocate
> > defense-in-depth rather than kid you that "our product is all the
> > protection you need."
> >
> > --
> > David Harley BA CISSP FBCS CITP
> > Small Blue-Green World
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
> > > Sent: 17 January 2009 07:53
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] BlueCoat with McAfee or Kaspersky Malware
> > > Engines
> > >
> > >
> > > On 17/01/2009, at 4:07 AM, Stanclift, Michael wrote:
> > >
> > >
> > > > We use McAfee Enterprise on our desktops and have been
> consistently
> > > > disappointed with its levels of detection. However,
> > > Kaspersky has an
> > >
> > > > engine superior to nearly everyone else on the market and
> > > both in my
> > >
> > > > use and in testing it's rated to have one of the best
> > > detection rates
> > >
> > > > in the industry.
> > > I think you will find that all AV products are having
> trouble keeping
> > > up now. We use Nod32 and have noticed an increasing
> failure rate over
> > > the past few months.  Malware is now changing so
> frequently that AV
> > > vendors are struggling to keep up and once the malware get
> installed
> > > it then protects itself so that the AV never finds it
> (root kits) or
> > > hooks itself into Windows so that AV can not remove the
> files because
> > > they are held open by the OS.
> > >
> > > I would suggest that changing your AV vendor will not solve this
> > > problem.
> > >
> > > Russell
>
> --
> - Ken
> =================================================================
> Ken Connelly             Associate Director, Security and Systems
> ITS Network Services                  University of Northern Iowa
> email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373