14:00 - 14:20 VB testing - present status, future plans John Hawes, Virus Bulletin
14:20 - 14:40 Race to zero with online scanners Boris Lau, Sophos
download slides (PDF)
14:00 - 14:20 VB testing - present status, future plans, John Hawes, Virus Bulletin
VB's unique VB100 comparative review system has been around for 10 years, and has seen few changes in its core design since its 1998 inception. Over the last few years, VB has introduced a range of additions to the data produced in each test, including significant redesigns of the speed tests and 'zoo' collections.
Now, for the first time in 10 years, VB plans to introduce a major new addition to these tests. The new test is based around a system of weekly test sets which cover the three weeks immediately prior to product freezing as well as one week after. The test is designed to measure the ability of AV labs to keep up with the 'flood' of new malware, as well as introducing measurements of heuristic and generic detection abilities, through the element of retrospective testing. We hope it will show some interesting trends over time.
This presentation will focus on the latest addition to the testing line-up. We'll look at how and why these changes have been designed and implemented, and some of the problems involved, and will also cover further plans for expansion and improvement in the future.
14:20 - 14:40 Race to zero with online scanners, Boris Lau, Sophos
DEFCON 2008 proposes to challenge AV vendors by modifying malware samples to avoid detection by anti-virus scanners (http://www.racetozero.net/). However, we have already been observing these activities in the wild as malware authors attempt to systematically break detection with various online scanners using existing AV detection.
Observing malware authors using their tricks gives us a unique opportunity to understand their working processes. Analysing this information allows the AV industry to stay ahead in the fight against malware.
At SophosLabs we have a database of samples submitted to the labs which provide statistics that enable us to correlate samples from various sources and establish a picture of the workflow of malware authors. In this presentation I will use recent case studies based on data taken from our database to show the efforts malware authors put into evading detection.