Comments on Do AntiVirus Products Detect Bots?TypePad2008-11-20T02:17:44ZFireEyehttp://blog.fireeye.com/research/tag:typepad.com,2003:http://blog.fireeye.com/research/2008/11/does-antivirus-stop-bots/comments/atom.xml/Didier Stevens commented on 'Do AntiVirus Products Detect Bots?'tag:typepad.com,2003:6a00d835018afd53ef010536310b84970c2008-12-02T12:08:08Z2008-12-02T12:08:08ZDidier Stevenshttp://DidierStevens.comAside from using VT, I noticed another flaw in your study. You didn't test (false) negatives, only positives. If you...<p>Aside from using VT, I noticed another flaw in your study.</p>
<p>You didn't test (false) negatives, only positives. If you don't test executables that were not identified as malware by your appliances, you're excluding test results that could potentially show that AV performs better than your appliances.</p>David Harley commented on 'Do AntiVirus Products Detect Bots?'tag:typepad.com,2003:6a00d835018afd53ef01053627cf39970b2008-12-01T23:02:58Z2008-12-01T23:02:58ZDavid Harleyhttp://www.eset.com/threat-center/blog/This is a carefully constructed methodology with fatal flaws. It's based on two fallacies. (1) That a Virus Total report...<p>This is a carefully constructed methodology with fatal flaws. It's based on two fallacies. (1) That a Virus Total report is an absolute metric for detection performance on the part of anti-malware vendors. This isn't the case, and it's not what the service is for (see <a href="http://blog.hispasec.com/virustotal/22)." rel="nofollow">http://blog.hispasec.com/virustotal/22).</a> Because VT uses command-line versions of participating products, detections based on behavior analysis aren't taken into account. (2) You also seem to be assuming that over time, VT reports should get nearer to 100% vendor detection on the same sample, an assumption based on a 1990s view of anti-malware as being primarily signature-based. There is, in fact, no reason why a product that has effective heuristic or behavioral detection (which Virus Total doesn't, remember, necessarily measure) should "update" it to malware-specific detection when a sample is available. Such an update may or may not happen: whether or not it does is certainly not a fair assessment of product capability. It's actually rather similar to "Time to Update" testing, which has declined as testers have realized that it penalizes products that use proactive detection techniques. </p>Donald commented on 'Do AntiVirus Products Detect Bots?'tag:typepad.com,2003:6a00d835018afd53ef0105362c2c5f970c2008-11-30T07:47:02Z2008-11-30T07:47:02ZDonald"The typical scenario for a web-driven bot is that you accidentally brush up against a compromised website that has had...<p>"The typical scenario for a web-driven bot is that you accidentally brush up against a compromised website that has had an inserted which brings you (possibly via a chain of other sites) into contact with an exploit server which delivers you some malicious javascript (usually) that exploits your browser to take control of the machine."</p>
<p>Thanks for the interesting article.</p>
<p>I've read about similar methods of malware collection done by anti-virus or anti-spyware companies ('honey monkey' is the term I remember) but a out of date and insecure browser was always used (deliberately) to allow drive-by downloads. </p>
<p>Your customers are presumably not deliberately running insecure browsers. Where the exploits encountered 'zero-day' exploits, or had your customers just been tardy in applying patches? </p>
<p>Do you have any information on the browser used and the version?</p>Martin commented on 'Do AntiVirus Products Detect Bots?'tag:typepad.com,2003:6a00d835018afd53ef0105361e64db970b2008-11-27T12:01:09Z2008-11-27T12:01:10ZMartinWhat about rewarding efficient AV by naming them? :) Although they should all buy an access to your fresh malware...<p>What about rewarding efficient AV by naming them? :) Although they should all buy an access to your fresh malware source to begin with and end up with high detection rates.. I also wonder how zero-hour AV vendors fare (IronPort). Thanks anyway for posting this informative stuff.<br />
</p>Aa'ed Alqarta commented on 'Do AntiVirus Products Detect Bots?'tag:typepad.com,2003:6a00d835018afd53ef01053610106f970b2008-11-22T10:07:20Z2008-11-22T10:07:20ZAa'ed Alqartahttp://extremesecurity.blogspot.comIn my opinion, Anti virus products should implement some kind of a technique that would inspect network connections based on...<p>In my opinion, Anti virus products should implement some kind of a technique that would inspect network connections based on user's activity. So, for example if there is a connection originated by process (X), to a web site/mail server (Y), requesting a malicious file/sending e-mails (Z). We can analyze if this connection is originated due to the user's action or due to a malware. (clicking on a link event , typing a url on the keyboard event, or using the e-mail client event) </p>
<p>It would be strange if a computer is sending GET/PUT http requests to a remote server, where there is no logged-in user, or no launched browser (by a user). </p>
<p>Malicious bot activity detection should depend on many factors, for example: </p>
<p>User A is browsing the following websites (A, B, C), this is a normal activity. But what if a fourth strange and not originated by the user (typing it in the browser URL bar) connection which founds it's way to some Russian or Chinese web server and downloads another malicious component??? and not on some kind of "Allowed Applications" or "White List" ? This should raise a red flag. </p>
<p><a href="http://extremesecurity.blogspot.com" rel="nofollow">http://extremesecurity.blogspot.com</a></p>