Comments on: Modern Antivirus Sucks

By: Michael

Michael — Sat, 25 Nov 2006 16:13:03 +0000

Max-

You are very right, the correlation feature certainly does need to come after they tune and optimize the detection engine. I wasn\’t saying those features are needed now. Rather, they are an innovation that should be added only after they have a successful detection engine that isn\’t as easily evaded.

And for your second question, if we have 10% of our user base infected, that\’s a pretty big outbreak. My response is the same regardless of the total workstations but it depends on the type of bug that did the compromise. If its a network scanning worm I\’d have the IT folks burn CDs with all the necessary remediating tools then physically unplug the compromised hosts for repair.

If the compromise impacted security software like disabling AV scanners or it installed a backdoor/bot, I\’d recommend a complete rebuild. Its a lot of work but sometimes necessary when you have a deep compromise.

In cases like these, its always good to have draconian egress filters on your firewalls. Many times that will block and alert you to the program trying to phone home.

By: Max

Max — Fri, 24 Nov 2006 08:13:25 +0000

Jan said in his article – you can evade AV detection, so when you can’t detect virus or trojan what will you correleate? If you have even 10% station already infected with some virus/trojan and total number of workstations is 10000 how you will recover?
Max.

By: sonicbum

sonicbum — Tue, 14 Nov 2006 04:33:26 +0000

same issue with us. had a actual virus slip through in email and uploaded to the same site and found quite varying results. We we’re quite shocked now that something like virustotal.com empowered us to see what ‘other scanners thought’. Other then getting Microsoft Forefront Antigen http://www.microsoft.com/antigen/default.mspx which has multiple scan engine abilities… not sure what the enterprise is able to do.