AppliedUsers
12Jul/100

Does this file taste funny to you?

Reminds me of a joke -

Q:  Why don't cannibals eat clowns?

A:  They taste funny.

Of course, this entry is not about cannibals, clowns or peculiar appetites - it's about what to do when you find a suspicious file on a machine, especially if that machine has been acting strangely and you think something untoward might be afoot.  Locally installed antivirus not giving you any hints?  Well, if you have isolated a suspicious file or two, here is what to do: visit http://www.virustotal.com and upload your funky files, and let their service scan those files with 40-some-odd AV engines.  Keep in mind that anything you upload is shared with the participating vendors, so if the file might contain sensitive data, search the site by the file's hash first.  This will give you two things:

1) usually an answer as to what that file may be

2) the creeps, because you will soon realize just how poor AV detection rates are!

While VirusTotal is not going to clean anything up for you, it will let you know whether or not you need to pull your wonky host off the network and start cleaning, or, as is considered best practice these days, re-imaging.

23Feb/102

Anti-Virus to become obsolete?

Who doesn't run anti-virus these days (ok, all you Mac users put your hands down)?  The use of anti-virus, or anti-malware, applications is practically a given, to the point where it seems that no matter how poorly it may perform, we keep using it.  AVG itself declares that only 3% of today's viruses are of your typical old-school variant; moreover, time and time again real-world AV protection seems to be nowhere near the vendors' claimed detection rates.  We are all running some kind of AV product, yet it never fails: some user gets infected anyway, and off we go with our little toolkits of clean-up utilities, wasting countless hours trying to pry that insidious, pervasive malware from every nook and cranny, only to do it all again at some later date.  All this despite having invested good money in "protection".

What am I getting at?  It's pretty clear: signature-based anti-malware does not work.  To be fair, I should say it works, but only sometimes.  We have to ask ourselves, though: is sometimes good enough?  I'm sure the sales reps will say that some protection is better than none, but then again, is a false sense of protection better than none?  Malware writers have been ahead of anti-malware vendors for years; it is a constant game of catch-up where the good guys are always trailing behind.

An analogy of signature-based anti-malware:  "anti-cat 2010"

Anti-Cat 2010 is the latest in stray feline infiltration technology that will prevent stray cats from roaming free on your property.  Now we have to define what a stray cat is so that strays can be accurately detected and effectively shoo'd.  We also have to be careful not to shoo other animals or friendly felines, so the definition needs to be exact, to the point where we really need a sample stray to model our first signature on.  Therefore we catch a stray and create a signature that matches it exactly: number of hairs, meow frequency, weight, height, eye colour, DNA sequence and so on.  Now that cat will surely be detected, unless it loses some hair, or weight, or gets a cold.  Nor will its offspring be detected.  Nor will any of the other cats be detected.  So starts the cat-and-mouse game of collecting strays to sample and adding those definitions to Anti-Cat; the problem is there is no end to the number and variation of strays one will encounter.

It turns out it might be somewhat easier to do this job inclusively rather than exclusively, that is, build a list of acceptable animals, albeit an equally detailed one, that you will allow on your property.  In essence a critter whitelist: any animal that happens upon your golden acre and does not match the list gets shoo'd.

This is analogous to application whitelisting, a burgeoning technology already proven superior to the current standard of malware blacklisting.  One of the things that makes this technology feasible is the speed of today's computers; it would not have been possible a few years back, because the performance hit of fingerprinting every program before it runs would have been too great.
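To make the cat analogy concrete, here is a small added example (not code from the original post, and not any vendor's product) that runs the same constructed set of files through both policies. The "files" are made-up byte strings standing in for executables; the one-byte change in the dropper is the cat losing some hair, and the updated notepad shows the whitelist's own maintenance cost.

```python
import hashlib

# Constructed stand-ins for executables found on a host (not real binaries).
SAMPLES = {
    "dropper_v1.exe":  b"MZ\x90\x00 evil-dropper v1",
    "dropper_v2.exe":  b"MZ\x90\x00 evil-dropper v2",   # one byte changed from v1
    "notepad.exe":     b"MZ\x90\x00 notepad build 5.1",
    "notepad_new.exe": b"MZ\x90\x00 notepad build 5.2",  # a legitimate update
}

def fingerprint(data: bytes) -> str:
    """Exact signature of a file: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()

# Blacklist: signatures of strays the vendor has already caught and sampled.
BLACKLIST = {fingerprint(SAMPLES["dropper_v1.exe"])}
# Whitelist: signatures of the applications this host is allowed to run.
WHITELIST = {fingerprint(SAMPLES["notepad.exe"])}

def blacklist_verdict(data: bytes) -> str:
    """Signature-based AV: block only what matches a known-bad sample."""
    return "block" if fingerprint(data) in BLACKLIST else "allow"

def whitelist_verdict(data: bytes) -> str:
    """Application whitelisting: run only what matches a known-good sample."""
    return "allow" if fingerprint(data) in WHITELIST else "block"

def enforce(files: dict, mode: str) -> dict:
    """Apply one policy ("blacklist" or "whitelist") to every file; returns {name: verdict}."""
    verdict = blacklist_verdict if mode == "blacklist" else whitelist_verdict
    return {name: verdict(data) for name, data in files.items()}

def missed_by_blacklist(files: dict) -> list:
    """Files the blacklist waves through but the whitelist stops: the gap the post describes."""
    return sorted(name for name, data in files.items()
                  if blacklist_verdict(data) == "allow" and whitelist_verdict(data) == "block")

if __name__ == "__main__":
    for mode in ("blacklist", "whitelist"):
        print(mode, enforce(SAMPLES, mode))
    print("slipped past the blacklist:", missed_by_blacklist(SAMPLES))
```

Note that the whitelist also blocks the legitimately updated notepad, which is the trade-off: the list of approved hashes has to be maintained as software changes.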

Some of the current big AV vendors are looking long and hard at this technology because they know that the current technology has had its day and it's time to move on.  While they try to shuffle the deck, there are already a number of players in the market who have led the charge and currently offer very capable enterprise-class products.
