KEYNOTE TALK AVerify: AN OPEN-SOURCE ANTI-VIRUS - Eicar

More documents

Recommendations

Info

Planned tests #2: resilience � Try to cause faults in the AV itself – Fuzzing: file formats, IOCTLs � Instrumenting AV scanners may be tricky – Example: avast! looks simple, just call ashQuick.exe on each file – But exception catching requires removing SSDT hooks – Checking and modifying ACLs � Files, pipes, handles, … – Attempts to disable/kill the anti-virus � hosts file, connection blocking � On-the-fly code patching � On-disk signature database corruption � Network updates corruption 2010-05-10 EICAR 2010
Planned tests #3: real-world � This is slightly harder: malware – Find a new threat after it is released – Repeatedly scan with each anti-virus to determine the reaction time of AV companies � Or use any older but common threat � Install the threat, create a snapshot – Determine how it installs and stays persistent – Attempt to disinfect with each AV – Use a LiveCD to check for successful disinfection on disk 2010-05-10 EICAR 2010
Page 1 and 2: AVerify Towards verifiable anti-vir
Page 3 and 4: A philosophical note � The bad gu
Page 5 and 6: (not my fault) 2010-05-10 EICAR 201
Page 7 and 8: Let’s search “antivirus reviews
Page 9 and 10: “Race Race To Zero” (2008) Chal
Page 11 and 12: The firewall “leak tests” � G
Page 13 and 14: � Low-level access EICAR 2009 200
Page 15 and 16: � Code injection: 2008 versions C
Page 17 and 18: The iAWACS 2009 Challenge � Goal:
Page 19 and 20: The iAWACS 2010 Challenge � Diffe
Page 21 and 22: The Guillermito case � 2001, Tega
Page 23 and 24: More difficulties of testing � Ca
Page 25 and 26: Does CC Certification make sense?
Page 27 and 28: AVerify � Inspired by the EICAR a
Page 29: Planned tests #1: HIPS features �
Page 33 and 34: An interesting attack � “KHOBE
Page 35 and 36: Scripting a virtual machine � Che
Page 37 and 38: On providing samples � Distributi
Page 39 and 40: The future of AVerify? � Lots of
Page 41: Q&A Thank you for your attention! 2

KEYNOTE TALK AVerify: AN OPEN-SOURCE ANTI-VIRUS - Eicar

Create successful ePaper yourself

Delete template?

Save as template?