WHY ANTIVIRUS WILL NEVER DIE - ICT Infrastructure


Page 1


WHY ANTIVIRUS WILL NEVER DIE …ADVANCED DETECTION FOR DUMMIES

EDDY WILLEMS

SECURITY EVANGELIST

TWITTER: @EDDYWILLEMS

Page 2

OFFERING SECURITY SOLUTIONS WORLDWIDE

▪ Founded in Bochum, Germany in 1985

▪ First AV solution in 1987

▪ Global head office & development: Bochum

▪ Security solutions for home and business

▪ Solutions available in 90+ countries

▪ ~ 500 employees worldwide

▪ Subsidiaries in Austria, Belgium, China, France, Germany, Italy, Japan, The Netherlands, Poland, Spain, Switzerland and the United States

Page 3

INTRODUCTION

• Security Evangelist at G DATA Software AG

• Personally involved in the security industry since 1989

• Worked as a cyber security expert for CERT organisations and security companies such as Kaspersky Lab, Westcon (Noxs), etc.

• Director of EICAR (and co-founder), AMTSO and LSEC (three international security industry organisations)

• Researcher/technical spokesperson, interviewed or cited in thousands of publications and media outlets (CNN, ...)

• Author of the book 'Cybergevaar' (BE/NL, Dutch, 2013) / 'Cybergefahr' (DE, German, 2016)

Page 4

TODAY’S MALWARE THREATS

400,000 new samples a day

Over 700 million samples => 99.9% invisible to the victim => money gain

Page 5

Copyright IEEE Spectrum 2011

Who says AV is dead?

Page 6

ANTIVIRUS IS DEAD?

The first one: Dr Solomon (2000), CEO of Dr Solomon's: "AV is dead!" (EICAR conference)

Page 7

ANTIVIRUS IS DEAD?

Page 8

WHY WOULD YOU SAY ANTIVIRUS IS DEAD

▪ Those who have a plan behind it

▪ Those who are financially motivated

▪ Those who don’t understand the real problem

▪ Those who don’t understand the real solution

▪ Those who don’t like the word antivirus

▪ Easy to get misquoted

▪ People have secret agendas

▪ Boosting shares

▪ Getting a lot of visibility

▪ Emotions


Page 9

Page 10

DEFINING ANTIVIRUS

▪ In 1984 Dr. Cohen described three techniques:

▪ Signature matching

▪ Change of file detection

▪ Behaviour blocking
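The three techniques listed above are still the skeleton of every engine, so here they are side by side as an added example (my code, not from the slides or from G DATA). The only real pattern is the EICAR test string, the industry's harmless standard test file; the file paths, the "persist-then-inject" rule and the API traces are constructed for the demo.

```python
import hashlib

# 1. Signature matching: a known byte pattern found inside the object.
# Only the EICAR test string is real; it is the harmless standard test file,
# so scanning for it is safe to run anywhere.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}


def signature_scan(data: bytes) -> list[str]:
    """Names of signatures whose byte pattern occurs anywhere in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


# 2. Change-of-file detection: hash a known-good state, then flag anything
#    whose hash differs or that was not in the baseline at all.
def baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map path -> SHA-256 of its content, taken while the system is trusted."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def changed_files(base: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Paths whose current hash differs from the baseline (or are new)."""
    return sorted(
        path for path, content in files.items()
        if base.get(path) != hashlib.sha256(content).hexdigest()
    )


# 3. Behaviour blocking: an ordered sequence of API calls that a legitimate
#    program rarely performs together. Rule name and steps are assumed for
#    the demo; a real product carries hundreds of such descriptions.
BEHAVIOUR_RULES = {
    "persist-then-inject": [
        ("RegSetValue", "\\CurrentVersion\\Run"),   # autostart persistence
        ("OpenProcess", None),                       # target another process
        ("WriteProcessMemory", None),                # drop code into it
        ("CreateRemoteThread", None),                # execute it there
    ],
}


def behaviour_block(trace: list[tuple[str, str]]) -> list[str]:
    """Rules whose steps appear in order (not necessarily adjacent) in trace."""
    hits = []
    for name, steps in BEHAVIOUR_RULES.items():
        i = 0
        for api, arg in trace:
            want_api, want_arg = steps[i]
            if api == want_api and (want_arg is None or want_arg in arg):
                i += 1
                if i == len(steps):
                    hits.append(name)
                    break
    return hits


# Constructed inputs for the demo (no real malware).
EICAR = b"junk" + SIGNATURES["EICAR-Test-File"] + b"\r\n"
GOOD_FILES = {
    "C:/Windows/notepad.exe": b"MZ\x90\x00notepad-original",
    "C:/Windows/calc.exe": b"MZ\x90\x00calc-original",
}
TAMPERED = {**GOOD_FILES, "C:/Windows/notepad.exe": b"MZ\x90\x00notepad-PATCHED"}
MALICIOUS_TRACE = [
    ("CreateFile", "C:/Users/x/AppData/Roaming/upd.exe"),
    ("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    ("OpenProcess", "explorer.exe"),
    ("WriteProcessMemory", "explorer.exe"),
    ("CreateRemoteThread", "explorer.exe"),
]
BENIGN_TRACE = [  # an installer registering its updater: persistence alone is not enough
    ("CreateFile", "C:/Program Files/App/app.exe"),
    ("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App"),
    ("CreateProcess", "C:/Program Files/App/app.exe"),
]


def scan_all() -> dict[str, object]:
    """Run the three techniques over the constructed inputs."""
    return {
        "signature": signature_scan(EICAR),
        "changed": changed_files(baseline(GOOD_FILES), TAMPERED),
        "behaviour": behaviour_block(MALICIOUS_TRACE),
    }


if __name__ == "__main__":
    print(scan_all())
```

Note the asymmetry: the signature and the integrity check are both forms of "match against something already known", while the behaviour rule fires on what the program does regardless of its bytes, which is why the benign installer trace is not blocked although it also writes a Run key.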

G DATA | SIMPLY SECURE | SECURITY SUMMIT | SEPTEMBER 24, 2015 | 10

Page 11

MALWARE IS MUCH MORE SOPHISTICATED THAN 30 YEARS AGO

Page 12

WHY CALL IT AV? … AV PERCEPTION

▪ Because the general public doesn't know anything else

▪ The positive side is that lots of people seem to be aware, except for mobile devices!!!

▪ People assume the programs are about signature detection: matching techniques with hex strings, hashes and checksums

▪ There is a complete lack of understanding of how anti-malware works, even in other parts of the security industry

▪ Lots of people assume that if a program doesn't provide 100% protection, it provides no protection at all!


Page 13

WHAT (PEOPLE THINK) SIGNATURES ARE

▪ Old technologies like fingerprints and plain pattern matching were phased out in the mid 90s already

▪ Some are still used for legacy detection (inside DOS)

▪ Signatures are scripts (like maps or defined overviews) or descriptions of malicious behaviour

▪ Multiple families of malware

▪ Heuristics

▪ Cloud API calls (reputation)

▪ Packers, cryptors, obfuscators


Page 14

MODERN ANTI-MALWARE TECHNIQUES

▪ Cloud based

▪ Code signing (change detection)

▪ Context sensitivity (riskier sigs, heuristic thresholds)

▪ Behavioral analysis inside emulator or sandbox

▪ Generic detection (sigs for families)

▪ Indicators of compromise (sigs of evidence)

▪ Heuristics (sigs calculated for behaviors + AI)

▪ HIPS (behavioral blocking for apps)

▪ NIDS (sigs for malicious network traffic)

▪ Whitelisting (change of files detection)

▪ Exploit blocking and detection

▪ Deep machine learning for malware behaviour (e.g. ransomware)

▪ Big data Artificial Intelligence analysis

▪ Etc …
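The previous slide ("what people think signatures are") and this list of modern techniques both make the same point: a "signature" today is a description, not a raw byte string. As an added example (my code, not from the slides or from G DATA), the block below shows four of the techniques listed: a generic family signature with wildcards, a packer heuristic based on entropy, a context-sensitive threshold, and indicators of compromise matched as patterns. The family name, its byte pattern, the heuristic weights, the thresholds and both IOCs are invented for the demo (example.net is reserved for documentation).

```python
import hashlib
import math
import re

# Generic detection: one description covers a whole family. Fixed bytes plus
# "??" wildcards, YARA-style. Family name and bytes are invented.
FAMILY_SIGS = {
    "Trojan.Generic.Demo": "4D 5A ?? ?? 44 45 4D 4F ?? 50 41 59",
}


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """'E8 ?? ?? ?? ?? C3' -> bytes regex where '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def match_families(data: bytes) -> list[str]:
    """Families whose generic pattern occurs in data."""
    return [name for name, pat in FAMILY_SIGS.items()
            if compile_hex_pattern(pat).search(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Heuristics: each indicator adds points; none is proof on its own.
# Weights are assumed values chosen for this demo.
def heuristic_score(data: bytes) -> int:
    score = 0
    if shannon_entropy(data) > 7.0:
        score += 40   # looks packed / encrypted
    if data[:2] == b"MZ" and b"This program cannot be run in DOS mode" not in data:
        score += 20   # PE without the usual compiler DOS stub
    if re.search(rb"https?://\d{1,3}(?:\.\d{1,3}){3}", data):
        score += 20   # hard-coded URL to a raw IP address
    if b"IsDebuggerPresent" in data:
        score += 10   # anti-analysis import
    return score


# Context sensitivity: the same score is judged against a stricter threshold
# when the object arrives through a risky channel. Thresholds are assumed.
THRESHOLDS = {"email_attachment": 40, "download": 50, "local_disk": 70}

# Indicators of compromise: evidence of a known campaign, matched as patterns.
# Both entries are constructed for the demo.
IOC_SHA256 = {hashlib.sha256(b"known-bad-sample-bytes").hexdigest()}
IOC_DOMAINS = {b"update-check.example.net"}


def verdict(data: bytes, origin: str) -> dict:
    """Combine generic signature, context-weighted heuristics and IOCs."""
    families = match_families(data)
    score = heuristic_score(data)
    iocs = sorted(d.decode() for d in IOC_DOMAINS if d in data)
    if hashlib.sha256(data).hexdigest() in IOC_SHA256:
        iocs.append("sha256")
    malicious = bool(families) or bool(iocs) or score >= THRESHOLDS.get(origin, 70)
    return {"families": families, "score": score, "iocs": iocs, "malicious": malicious}


# Constructed samples (no real malware).
DOS_STUB = b"\x90\x00\x03\x00\x00\x00\x04\x00" + b"This program cannot be run in DOS mode.\r\n$"
CLEAN = b"MZ" + DOS_STUB + b".text\x00\x00\x00" + b"hello world " * 50
FAMILY_SAMPLE = b"MZ\x90\x00DEMO\x01PAY" + DOS_STUB + b"payload marker"
# deterministic high-entropy bytes stand in for a packed section
PACKED = b"MZ" + b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
IOC_SAMPLE = CLEAN + b"\x00update-check.example.net\x00"

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("family", FAMILY_SAMPLE), ("packed", PACKED)]:
        print(name, verdict(sample, "download"))
```

The packed sample is the instructive case: its score of 60 is enough to convict it as a download but not as a file already sitting on the local disk, which is exactly the "riskier sigs, heuristic thresholds" context sensitivity the list refers to; the family pattern and the IOCs, by contrast, convict regardless of origin.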


Page 15

Page 16

IS AV FAILING?

Page 17

Communication problems inside company

Implementation mistakes of security products

Bad monitoring of security incidents

No awareness (eg. Social engineering)

AV is only one layer in the battle

Page 18

Don't say AV is dead: it only shows you don't know anything about anti-malware detection techniques

Page 19

PROACTIVE DETECTION, BLOCKING AND REMOVAL

examples

Page 20

HEURISTICS, BEHAVIOUR BLOCKING AND BIG DATA

Page 21

G DATA BANKGUARD

Man-in-the-middle / man-in-the-browser attacks

€200 million of losses to malware prevented by BankGuard since 2011

Patented

Also protects online e-wallets (e.g. Bitcoin, etc.)

Page 22

G DATA EXPLOIT PROTECTION

70% of all exploits are actively being used in cyberattacks

90% of these exploits already have a patch!

Page 23

G DATA ANTIRANSOMWARE

Page 24

G DATA ANTIRANSOMWARE

Page 25

G DATA‘S CLOUD CONNECTION

Page 26

Copyright IEEE Spectrum 2011

Why will antivirus be with us forever?

Evolution of Antivirus

Page 27

The AV PARADOX

Anti-Virus is dead they said.

Pattern matching is defeated they said.

Then they came up with IOCs (Indicators of Compromise) and put them into patterns.

Page 28

Page 29

THANK YOU!

Q/A?

A secure solution for mobile threats!