Victims of friendly fire

Corrado Ronchi EISST
Shukhrat Zakhidov EISST

  download slides (PDF)

In the ongoing war against malware, in order to substantially lower the hacking ROI, one increasingly important line of defence includes techniques for application hardening. These comprise code obfuscation, dynamic and polymorphic memory encryption, and process protection against dynamic patching and DLL injection. In this presentation we will review the constant battle to limit violent rejections from AV products against our hardened e-banking applications. Practical examples taken from Swiss e-banking scenarios will evidence how the growingly aggressive protection techniques used by AV applications cannot always prevent the spread of malware, yet hinder the employment of strong protection techniques for application hardening. Results from several case studies strongly suggest the need for a new collaborative paradigm for protecting the client application context. This calls for the development of a structured and coordinated friend or foe application identification (FFAPI) procedure, whereby AV products and applications can mutually interrogate each other to discriminate legitimate tasks from potentially hostile processes. We propose to set up a cross-industry FFAPI task force seeking contributions from both AV vendors and the enlarged e-business community, with the goal of establishing an effective protocol for avoiding the resource-draining conflicts between AV products and hardened applications.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.