Re: No AV? Shock, horror!

[Dan Kaminsky <dan () doxpara com>]

I was under the impression AV tended to err on the side of false
negatives -- see the repeated clawback on heuristics.  I'm not sure
false positives would make a significant statistical difference given
that preference.  Could be convinced otherwise though.

On Wed, Sep 30, 2009 at 1:31 AM, Charles Miller
<cmiller () securityevaluators com> wrote:
> You assume no false positives...
>
> On Sep 29, 2009, at 5:12 PM, Dan Kaminsky wrote:
> > Methodology wouldn't be too bad -- there are things a manual auditor
> > can notice and alarm on quickly, that AV really can't just block or
> > even send back for further review.  So it's a matter of:
> >
> > 1) Gain legitimate access to a large number of systems, perhaps
> > through a PC repair service
> > 2) Separate the machines into buckets -- "No AV" "Norton" "McAfee"
> > "Trend Micro" etc
> > 3) For each bucket, scan with all AV scanners.  This will determine
> > the number of machines that are infected with known malware that at
> > least one other scanner was able to find.
> > 4) For each node that passed all automatic sweeps, manually sweep.
> > This should yield the a minimum size of the "long tail" (minimum,
> > because we might not find all).
> >
> > Note that we may want to qualify "infected".  Tracking cookies most
> > assuredly do not count.  Botnets most assuredly do.  Merely
> > self-replicating code, that's sort of up in the air.
> >
> > _______________________________________________
> > Fun and Misc security discussion for OT posts.
> > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.