Re: Extracting signature snippets from AV databases

Hi Bill,

There has been some reports of malware breaking out of virtualization 
environments and infecting the host.

Virus detection algorithms are not a question of presenting a few bytes 
and something is detected. There may be some primitive products on the 
market like that, but most depend on a significant amount of context. 
What you want to achieve will probably we very scan engine specific and 
may not be possible.

The main problem with using virtualization and/or host intrusion 
detection/prevention is the false positive issue. I have seen some good 
attempts at managing that, but none of the ones I have seen is quite 
production ready yet.

Robert Sandilands

Bill Stout wrote:
> Yes, we use EICAR for email testing occasionally.  What I'd like to do
> is scroll a list of detected signatures as they occur.
>
> The reason why I want to place snippets on text files is to fully
> exercise detection engines.  For one, it would be interesting to see how
> products do/do not flag a warning on specific signatures.  For example,
> Ad-Aware Pro and McAfee are verbose, Symantec and others are not.
>
> There is a large push towards using virtualization technologies for
> anti-virus protection.  Intel, AMD, Microsoft, Symantec, and others are
> pushing virtualization technologies.  Sandboxes and virtual machines are
> very harsh ways to isolate the OS from the Internet.  However
> virtualization at the application layer allows some integration with the
> base OS without exposing the OS to modification by Internet content, and
> enables confidentiality by controlling areas and objects which the
> browser can read.  Protection through virtualization does not require
> detection, and doesn't care about signatures or patches, since all
> processes and temporary files in a virtual environment is cleared out
> with a mouse click.  Problem is, when a product doesn't detect, it
> doesn't identify specifically what it protected you from.  Detection
> products immunize a computer from a list of specific threats, protection
> products shield a computer from general threats.  Like latex...gloves.
>
> I can purposely run malware or attempt to install spyware in a
> virtualized application environment (IE or Outlook) without infecting
> the underlying PC.  Although I could open dozens of browser pages known
> to contain malware, I can't do that safely in a networked or customer
> environment.  It's better to open dozens of web pages with harmless
> snippets which temporarily place cached files (and possibly processes)
> than true malware pages.  
>
> Bill Stout
>
> -----Original Message-----
> From: Jason Muskat [mailto:Jason@TechDude.Ca] 
> Sent: Monday, May 08, 2006 7:47 PM
> To: Bill Stout; focus-virus@securityfocus.com
> Subject: Re: Extracting signature snippets from AV databases
>
> Hello,
>
> I'm not sure why you would want to do all of that. If you want to do
> standard testing take a look at the EICAR virus test file
> (http://www.eicar.org/anti_virus_test_file.htm).
>
>
> Regards,
>
>   


--
---------------------------------------------------------------------
Robert Sandilands: Software Engineer
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com