Page 1: Beyond Anti-Virus by Dan Keller 1987- Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”

Beyond Anti-Virus by Dan Keller

1987 - Fred Cohen - Computer Scientist

“there is no algorithm that can perfectly detect all possible computer viruses”

Page 2:

What is Anti-Virus (AV) Software?

• Anti-virus software is used to prevent, detect, and remove malicious software

• Some examples of malicious software detected by modern AV:

• BHO’s (Browser Helper Objects)

• Browser hijackers

• Ransomware

• Keyloggers

• Backdoors

• Rootkits

• Trojan Horses

• Worms

• Adware

• Spyware

Page 3:

Statistics

AV-TEST - The Independent IT-Security Institute

1994 - 28,613 unique malware samples in their database

1999 - 98,428

2005 - 333,425

2007 - 5,490,960 new unique malware samples only for that year!

2015 – approx. 144,000,000 new malware variants

Page 4:

Lastline Labs Study (May ’13 - May ’14): hundreds of thousands of malware samples vs. 47 AV vendors

• Results…

• Day 0 – only 51% of AV scanners detected new malware samples

• 2 weeks – Detection rates bumped up to 61%

• 1 Year – 10% of AV scanners still did not detect some malware

• The 1st percentile of malware (the samples least likely to be detected) went undetected by the majority of AV scanners for months, and in some cases was never detected

___________________________________________________________

** It’s estimated that AV only catches around 45% of cyber attacks (Symantec VP Brian Dye). He said antivirus “is dead” (May 2014).

Page 5:

Now that you’re depressed…where do we go from here?

• Anti-Virus methods of detection

• Signature-based detection: When identifying viruses and other malware, the antivirus engine compares the contents of a file to its database of known malware signatures.

• Heuristic-based detection: This is generally used together with signature-based detection. It detects malware based on characteristics typically found in known malware code.

• Behavioural-based detection: Instead of characteristics hardcoded in the malware code itself, it is based on the behavioural fingerprint of the malware at run-time. This technique can only detect malware after it has started performing its malicious actions.

Page 6:

…Cont’d

• Sandbox detection: This is a behavioural-based detection technique, but instead of capturing the behavioural fingerprint at run time on the real system, it executes the program in a virtual environment and logs the actions the program performs. Depending on the actions logged, the antivirus engine can determine whether the program is malicious. If not, the program is executed in the real environment. This technique has proven very effective, but because it is heavy and slow it is rarely used in end-user antivirus solutions.

Page 7:

…Cont’d

• Data mining techniques: The latest approach applied to malware detection. Data mining and machine learning algorithms are used to classify a file as either malicious or benign, given a series of features extracted from the file itself.
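To make the first three layers concrete, here is an added toy illustration (not code from the presentation or from any AV vendor) of signature, heuristic and behavioural/sandbox scoring on constructed byte strings and constructed sandbox traces. It shows why a one-byte variant slips past an exact-hash signature but still trips the heuristics, and why a sample with no tell-tale strings is only caught once its behaviour is observed; the rule weights and threshold are arbitrary assumptions.

```python
"""Toy model of three AV detection layers on constructed samples."""
import hashlib
import re

# Constructed sample "files" (not real malware): a known sample, a
# one-byte variant of it, a sample with no readable strings, and a benign file.
KNOWN_SAMPLE = b"MZ\x90\x00 dropper v1 CreateRemoteThread cmd.exe /c del *.bak"
VARIANT = b"MZ\x90\x00 dropper v2 CreateRemoteThread cmd.exe /c del *.bak"
NOVEL = b"MZ\x90\x00\x8f\x12\x7a\x00\xe8\x00\x00\x00\x00"
BENIGN = b"MZ\x90\x00 hello world text editor, saves .txt files"

# Signature database: exact SHA-256 hashes of samples already analysed.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Heuristic rules: byte patterns typical of known malware code, each with a
# weight (assumed values); a file is flagged when the total reaches THRESHOLD.
HEURISTICS = [(rb"CreateRemoteThread", 3), (rb"cmd\.exe /c", 2), (rb"del \*\.", 2)]
THRESHOLD = 5

# Behavioural rules: actions seen at run time or in a sandbox trace (assumed weights).
BEHAVIOURS = {"registry_write:Run": 3, "net_connect": 1, "file_delete": 2, "proc_inject": 4}


def signature_scan(data: bytes) -> bool:
    """Exact match against the signature database."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def heuristic_scan(data: bytes) -> int:
    """Sum the weights of every suspicious pattern present in the file."""
    return sum(w for pat, w in HEURISTICS if re.search(pat, data))


def behaviour_score(trace: list) -> int:
    """Score a list of observed actions from a run-time monitor or sandbox."""
    return sum(BEHAVIOURS.get(action, 0) for action in trace)


def verdict(data: bytes, trace: list) -> str:
    """Apply the layers in order: cheapest and most precise first."""
    if signature_scan(data):
        return "malicious (signature)"
    if heuristic_scan(data) >= THRESHOLD:
        return "malicious (heuristic)"
    if behaviour_score(trace) >= THRESHOLD:
        return "malicious (behaviour)"
    return "clean"


# Constructed sandbox traces describing what each program did when run.
TRACE_NOVEL = ["registry_write:Run", "net_connect", "proc_inject"]
TRACE_BENIGN = ["file_write:.txt"]
```

Calling verdict(NOVEL, []) returns "clean" while verdict(NOVEL, TRACE_NOVEL) returns "malicious (behaviour)", which is exactly the "only after it has started acting" limitation of behavioural detection described above.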

Page 8:

Other approaches

• Unified Threat Management: firewalls, gateway AV, content filtering, load balancing and data leak prevention all rolled up into one system

• Push your info to the cloud and let them deal with it

• Go back to paper

• Go off grid and live in the mountains

Page 9:

Drawbacks

• Lots of false positives, creating ‘the boy who cried wolf.’

• False positives can also end up deleting or paralyzing existing files that are clean

• Some more advanced systems (sandboxing) can slow down performance

• Tough to get out of contracts with existing vendors

Page 10:

Conclusion

• Anti-virus is not dead. It’s just a baseline we build upon.

• Anti-virus software is now being bundled with other security software to form a more comprehensive system, and it is essentially being outsourced to other companies that help monitor your system in real time.