funsec mailing list archives

Re: No AV? Shock, horror!


From: Charles Miller <cmiller () securityevaluators com>
Date: Tue, 29 Sep 2009 18:31:52 -0500

You assume no false positives...

On Sep 29, 2009, at 5:12 PM, Dan Kaminsky wrote:

Methodology wouldn't be too bad -- there are things a manual auditor
can notice and alarm on quickly, that AV really can't just block or
even send back for further review.  So it's a matter of:

1) Gain legitimate access to a large number of systems, perhaps
through a PC repair service
2) Separate the machines into buckets -- "No AV" "Norton" "McAfee"
"Trend Micro" etc
3) For each bucket, scan with all AV scanners.  This will determine
the number of machines that are infected with known malware that at
least one other scanner was able to find.
4) For each node that passed all automatic sweeps, manually sweep.
This should yield a minimum size of the "long tail" (minimum,
because we might not find all).

Note that we may want to qualify "infected".  Tracking cookies most
assuredly do not count.  Botnets most assuredly do.  Merely
self-replicating code, that's sort of up in the air.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
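Steps 2 through 4 of the quoted methodology, with Miller's false-positive caveat folded in, as an added worked example that is not part of the thread: machines are bucketed by installed AV, each is swept by several scanners, a detection only counts as "infected" when at least two scanners agree on it (a single-scanner hit is flagged "suspect"), tracking cookies are excluded per the "qualify infected" note, and whatever passes every automatic sweep is queued for the manual sweep. The scanner names, machine records and detection-to-category mapping are constructed sample data, and the two-scanner threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not real scan output). Category decides whether a
# detection counts: cookies never do, botnets always do, self-replicators do here.
CATEGORY = {
    "Tracking.Cookie": "cookie",
    "Zbot": "botnet",
    "Conficker": "botnet",
    "Sality": "self-replicating",
}
COUNTED = frozenset({"botnet", "self-replicating"})

MACHINES = [
    # (machine id, installed AV or "none", {scanner: [detection names]})
    ("pc01", "none",   {"A": ["Zbot"], "B": ["Zbot"], "C": []}),
    ("pc02", "Norton", {"A": ["Tracking.Cookie"], "B": [], "C": []}),
    ("pc03", "Norton", {"A": [], "B": ["Conficker"], "C": ["Conficker"]}),
    ("pc04", "McAfee", {"A": ["Sality"], "B": [], "C": []}),
    ("pc05", "McAfee", {"A": [], "B": [], "C": []}),
    ("pc06", "none",   {"A": [], "B": [], "C": []}),
]

def classify(machine, min_scanners=2):
    """Return 'infected', 'suspect' or 'clean' for one machine.

    Only detections whose category is in COUNTED are considered. A machine is
    'infected' when at least `min_scanners` scanners agree on the same name
    (guarding against one scanner's false positive), 'suspect' when only one does.
    """
    _mid, _av, results = machine
    votes = defaultdict(set)            # detection name -> scanners reporting it
    for scanner, names in results.items():
        for name in names:
            if CATEGORY.get(name) in COUNTED:
                votes[name].add(scanner)
    if not votes:
        return "clean"
    agreeing = max(len(scanners) for scanners in votes.values())
    return "infected" if agreeing >= min_scanners else "suspect"

def bucket_stats(machines, **kw):
    """Per installed-AV bucket: counts of infected, suspect and manual-sweep machines."""
    stats = defaultdict(lambda: {"infected": 0, "suspect": 0, "manual_sweep": 0})
    for m in machines:
        verdict = classify(m, **kw)
        bucket = stats[m[1]]
        if verdict == "clean":
            bucket["manual_sweep"] += 1   # passed every automatic sweep: step 4
        else:
            bucket[verdict] += 1
    return dict(stats)
```

Lowering `min_scanners` to 1 reproduces the "at least one scanner found it" count from step 3; the gap between the two thresholds is the share of the result that rests on a single scanner's word.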
