Jason Bruce, SophosLabs
The days when the competitiveness of an AV product was determined by the ability to detect a bucket full of samples will soon be behind us. New tests, driven by the requirement for AV products to deal with spyware, will measure the ability of an AV product to manage any given threat from detection to full removal.
Detecting and removing installed and active threats presents many challenges, particularly where multiple files, processes and registry components are involved. The ability of these components to be updated from the Internet at any time, and with varying frequency, complicates the issue further.
This paper discusses the challenges AV vendors face in modifying their products to move away from blindly detecting and deleting a given set of samples, towards detecting and removing samples in the context of the installed threat, of which those samples are merely a subset of components.