Last-minute paper: Working together to defeat attacks against AV automation

Hong Jia Microsoft
Dennis Batchelder Microsoft

  download slides (PDF)

On 7 March, something in our automated systems went horribly wrong, and we issued three incorrect detections:

  • A Brother MFC-9460CDN printer installer, incorrectly detected as TrojanDropper:Win32/Startpage.B
  • An EPSON portal service, incorrectly detected as Rogue:Win32/Fakerean
  • A utility tool (file scout), incorrectly detected as Trojan:Win32/Bewymids.A

Hundreds of thousands of our customers were affected. Within eight hours, we corrected the FPs, released fixes, and launched a post-mortem to understand why our automated system failed.

Simple answer: our automated systems had been attacked. One day before, our systems were poisoned with hundreds of crafted clean files containing fragments of our (and other AV vendor) detection patterns. Our automated systems were tricked into detecting clean files, and our customers suffered.

We kept digging, and we found evidence of several other attacks against our and other AV vendors' automation. We'd like to share with the AV industry both what we've learned, as well as our recommendations on working together to limit the damage from these attacks.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.