A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #5603  by EP_X0FF
 Wed Mar 23, 2011 10:49 am
LeastPrivilege wrote: anti-virus companies
Which one? There are only a few AV companies. The others are legalized Fake AV.
 #5632  by LeastPrivilege
 Thu Mar 24, 2011 7:54 pm
Hello EP_X0FF,

Authentic AV companies like Avira, AVG, McAfee, Norton, Kaspersky, etc.

It's hard to defeat server-side polymorphism.
 #5661  by EP_X0FF
 Sat Mar 26, 2011 7:26 am
Well, I think they are already doing their best. Perhaps moving from classical signatures to a reputation/automatic behavior analysis based model.
Better, of course, to prevent than to cure, and this must be done with the help of native OS components/features.
 #5724  by LeastPrivilege
 Tue Mar 29, 2011 2:48 pm
EP_X0FF wrote: Better, of course, to prevent than to cure, and this must be done with the help of native OS components/features.
Yes, I agree. And thank you.
 #5725  by fatdcuk
 Tue Mar 29, 2011 3:16 pm
LeastPrivilege wrote: What are some things that the anti-virus companies could do to improve detection?
Improving protection is mission critical but has already been touched upon in this topic.

Time to soapbox about detection...

I have come to the conclusion that most of the commercial companies have more people working in their sales department than they do in active research.
Pluck a figure out of the air, but a 100:1 ratio would not surprise me one jot, but that is business... they are more interested in taking your $'s than protecting you.

They, for the most part, all act retrospectively and process submissions after the fact >> they are always playing catch-up and they are always getting bypassed today.

Let's face it, the bulk of malware is trackable (sources); it's not rocket science to compile watchlists which cover a high percentage of current malware installs, or to add new sources to an existing watchlist. Get yourself a competent team of hopeless addicts to monitor these sources 24/7 and then you have very healthy new malware detection rates!

Yes, there is a lot of malware created daily, but realistically, with a healthy-sized research team, it is possible to increase detection of malware served that day (protect your users) to a much higher level, as opposed to the current model, which really sucks.

The number of times I find new, badly detected samples daily and follow their pickup rate by VT databases over the next week, it becomes apparent why my clients have a market entry point.

No one cares much for detection rates... only taking your money $'s :(

[/soapbox]

In short, how can AV increase detection rates... employ more malware hunters and turn them into researchers :idea:

Will they do this....no chance ;)
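To make the "follow their pickup rate by VT databases over the next week" measurement concrete, here is an added Python example; it is not part of fatdcuk's post and not any vendor's code. It replays a week of constructed per-engine scan results for one placeholder hash (the engine names, verdicts and dates are invented, and the report layout only loosely imitates a multi-engine scanner's per-engine "scans" dictionary; nothing here calls a real service) and computes the detection ratio per snapshot, each engine's lag to first detection, and how many calendar days the sample sat below a chosen coverage threshold.

```python
"""Follow an AV engine "pickup rate" on one sample across a week.

Added example, not code from the original thread or from any AV vendor.
It models re-checking a badly detected sample against a multi-engine scanner
day after day and measuring how long the coverage gap lasts.  All data is
constructed: the hash is a placeholder, engine names and verdicts are
invented, and the report shape merely imitates a per-engine "scans" dict
(an assumption, not a specific vendor API).
"""
from datetime import date, timedelta

SAMPLE_SHA256 = "0" * 64  # placeholder, not a real sample

# Constructed daily reports: scan date plus per-engine results, where
# "detected" is False when that engine returned nothing on that day.
REPORTS = [
    {"scan_date": date(2011, 3, 22), "scans": {
        "EngineA": {"detected": False, "result": None},
        "EngineB": {"detected": True, "result": "Trojan.Generic"},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": False, "result": None}}},
    {"scan_date": date(2011, 3, 23), "scans": {
        "EngineA": {"detected": False, "result": None},
        "EngineB": {"detected": True, "result": "Trojan.Generic"},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": False, "result": None}}},
    {"scan_date": date(2011, 3, 24), "scans": {
        "EngineA": {"detected": True, "result": "W32/Dropper"},
        "EngineB": {"detected": True, "result": "Trojan.Generic"},
        "EngineC": {"detected": False, "result": None},
        "EngineD": {"detected": False, "result": None}}},
    {"scan_date": date(2011, 3, 26), "scans": {
        "EngineA": {"detected": True, "result": "W32/Dropper"},
        "EngineB": {"detected": True, "result": "Trojan.Generic"},
        "EngineC": {"detected": True, "result": "Mal/Bot"},
        "EngineD": {"detected": False, "result": None}}},
    {"scan_date": date(2011, 3, 29), "scans": {
        "EngineA": {"detected": True, "result": "W32/Dropper"},
        "EngineB": {"detected": True, "result": "Trojan.Generic"},
        "EngineC": {"detected": True, "result": "Mal/Bot"},
        "EngineD": {"detected": False, "result": None}}},
]


def verdicts(report):
    """Map engine -> verdict string, or None when the engine did not detect."""
    return {eng: (r["result"] if r.get("detected") else None)
            for eng, r in report["scans"].items()}


def detection_ratio(reports):
    """[(scan_date, detected, total)] in chronological order."""
    rows = []
    for rep in sorted(reports, key=lambda r: r["scan_date"]):
        v = verdicts(rep)
        rows.append((rep["scan_date"], sum(1 for x in v.values() if x), len(v)))
    return rows


def first_detection_lag(reports):
    """Days from the first report until each engine first flags the sample;
    None for engines that never flag it within the observed window."""
    reports = sorted(reports, key=lambda r: r["scan_date"])
    first_seen = reports[0]["scan_date"]
    lag = {}
    for rep in reports:
        for eng, verdict in verdicts(rep).items():
            if verdict and eng not in lag:
                lag[eng] = (rep["scan_date"] - first_seen).days
    for eng in verdicts(reports[0]):
        lag.setdefault(eng, None)
    return lag


def coverage_gap_days(reports, threshold=0.5):
    """Calendar days, first to last report inclusive, on which fewer than
    `threshold` of the engines detected the sample.  Days without a report
    reuse the most recent earlier one, since a verdict stands until the
    sample is re-scanned.  This is the window in which the sample is
    'served that day' with little chance of being blocked by signatures."""
    rows = detection_ratio(reports)
    day, last = rows[0][0], rows[-1][0]
    idx, gap = 0, 0
    while day <= last:
        while idx + 1 < len(rows) and rows[idx + 1][0] <= day:
            idx += 1
        _, detected, total = rows[idx]
        if detected / total < threshold:
            gap += 1
        day += timedelta(days=1)
    return gap


if __name__ == "__main__":
    for d, n, t in detection_ratio(REPORTS):
        print(f"{d}: {n}/{t} engines")
    print("first-detection lag (days):", first_detection_lag(REPORTS))
    print("days under 50% coverage:", coverage_gap_days(REPORTS))
```

Run against a real feed, the interesting number is `coverage_gap_days` per sample: it is the part of the week during which a fresh build can be served to users without a signature-based scanner stopping it, which is exactly the window the post is complaining about.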
 #5769  by LeastPrivilege
 Thu Mar 31, 2011 3:09 pm
Hello fatdcuk,

Great post! Good points about the corporate side of "detection".

I think that "malware hunters" aside, proper configuration of the O/S and browsers, and more C&C server takedowns, are our only hope.