Re: No AV? Shock, horror!

[Charles Miller <cmiller () securityevaluators com>]

Ah Dan.  There is an error in your logic.  If AV couldn't detect the  
"bot" on a machine, then it is not a bot.  How else would you prove it  
was a bot!  ;)

Charlie

On Sep 28, 2009, at 2:08 PM, Dan Kaminsky wrote:

> This only measures AV detected infections. If I take 10,000 machines
> that did have AV, and 10,000 machines that did not, and compare, say,
> botnet infection rates manually -- is there a difference?
>
> I'm looking for: 'A node running AV is n% less likely to be running
> malicious software than a node not running AV.'.
>
> On Sep 28, 2009, at 2:34 PM, <Toralv_Dirro () McAfee com> wrote:
>
> > All logs from a central AV-management console listing what has been
> > detected by the OnAccess scanner on the workstations would qualify
> > as that source of data (after sorting out the things that actually
> > infect a machine from the things AV is expected to detect nowadays
> > in addition). Without AV most entries in that log would have
> > resulted in an infected machine...
> >
> >
> > cheers,
> > Toralv
> >
> >
> > > -----Original Message-----
> > > From: funsec-bounces () linuxbox org
> > > [mailto:funsec-bounces () linuxbox org] On Behalf Of Dan Kaminsky
> > > Sent: Monday, September 28, 2009 7:56 PM
> > > To: Blanchard_Michael () emc com
> > > Cc: funsec () linuxbox org; rMslade () shaw ca
> > > Subject: Re: [funsec] No AV? Shock, horror!
> > >
> > > Non-rhetorical question:
> > >
> > > Is there a source of data showing 10,000 machines with AV are
> > > less likely to be infected than 10,000 machines without?
> > >
> > >
> > > On Mon, Sep 28, 2009 at 7:38 PM,  <Blanchard_Michael () emc com> wrote:
> > > > There are plenty of AV products for *nix platforms.  It's
> > > not that there is a *huge* amount of viruses for those
> > > platforms, it's that those platforms are often accessed by
> > > Windows platforms and the merchant should want to provide a
> > > clean file to a customer...
> > > > Mike B
> > > >
> > > >
> > > > Michael P. Blanchard
> > > > Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE Office of
> > > > Information Security & Risk Management EMC ² Corporation
> > > 4400 Computer
> > > > Dr.
> > > > Westboro, MA 01580
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: funsec-bounces () linuxbox org
> > > [mailto:funsec-bounces () linuxbox org]
> > > > On Behalf Of Drsolly
> > > > Sent: Friday, September 25, 2009 5:13 PM
> > > > To: Rob, grandpa of Ryan, Trevor, Devon & Hannah
> > > > Cc: funsec () linuxbox org
> > > > Subject: Re: [funsec] No AV? Shock, horror!
> > > >
> > > > Maybe some merchants don't use Windows?
> > > >
> > > > On Fri, 25 Sep 2009, Rob, grandpa of Ryan, Trevor, Devon &
> > > Hannah wrote:
> > > > > PCI survey finds some merchants don't use antivirus software
> > > > >
> > > > > http://www.networkworld.com/news/2009/092309-pci-survey-finds- 
> > > > > some-
> > > > > merchants.html?hpg1=bn
> > > > >
> > > > > (But absolutely no surprise whatsoever ...)
> > > > >
> > > > > ======================  (quote inserted randomly by
> > > Pegasus Mailer)
> > > > > rslade () vcn bc ca     slade () victoria tc ca
> > > > > rslade () computercrime org
> > > > >            Living well is the best revenge.
> > > > >                     George Herbert, 16th century English
> > > clergyman
> > > > > http://victoria.tc.ca/techrev/rms.htm
> > > > > http://blog.isc2.org/isc2_blog/slade/index.html
> > > > > http://twitter.com/rslade
> > > > > http://blogs.securiteam.com/index.php/archives/author/p1/
> > > > > http://twitter.com/NoticeBored
> > > > > _______________________________________________
> > > > > Fun and Misc security discussion for OT posts.
> > > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > > Note: funsec is a public and open mailing list.
> > > >
> > > > _______________________________________________
> > > > Fun and Misc security discussion for OT posts.
> > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > Note: funsec is a public and open mailing list.
> > > >
> > > >
> > > > _______________________________________________
> > > > Fun and Misc security discussion for OT posts.
> > > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > > Note: funsec is a public and open mailing list.
> > >
> > > _______________________________________________
> > > Fun and Misc security discussion for OT posts.
> > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > Note: funsec is a public and open mailing list.
> >
> > Firmensitz:     Muenchen
> > Amtsgericht:     AG Muenchen
> > Handelsregister:   HRB 144340
> > Geschaeftsfuehrer: Emmet Russell, Keith Krzeminski, Douglas Rice
> > Bankverbindung:   ABN-Amro Bank N.V. Konto 671 211 9006
> > UST-ID:   DE168122444
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.