Sorry to be a nitpicker, but...
> If you update your sigs hourly, then you have less than an hour to do all
> the testing.
Strictly speaking, this implication is false (assuming the common
interpretation of "update your sigs hourly"). Think of pipelining: You
start by making an update and dropping it onto your QA conveyor belt.
After an hour, you create another one, and drop it on the same belt, which
has moved a little in the meantime. Repeat this 24*30=720 times. By then,
the -first- update will have reached the end of the testing and will be
ready to be sent out. Since then, you'll be able to release one update per
hour (assuming that they pass QA). Hourly updates along with month-long QA
period, woohoo!
Unfortunately, the above scenario is only fictional, the actual times
between receiving a sample and releasing an update that detects it are
(and need to be) considerably shorter. Stay tuned for more...
> A month would probably be enough. A day would probably not be enough.
Making a wild guess based on imprecise observation of a very small subset of
the actual threats, a piece of malware that is more than a few days old
has reached the end of its lifetime -- it infected all the machines it
could get to and allowed its author to do whatever he wanted with them.
Then, it's time to replace it with something fresh and not known. It'll
very likely remain on computers of those who are not using any kind of
active (read: working and up-to-date) anti-malware protection, but those
won't be affected by your update at all.
If you want to be a janitor, who only cleans up stuff that has been long
forgotten, you can take your time. If you want to help at least some
fraction of those who are yet to be infected, you need to be faster than
the turnabout cycle of the malware-writers. As usual, the shorter the
time, the bigger this fraction can be. [*] Oh, and that "few days" guess
is an overestimation :-)
> That's one of the big reasons why it isn't possible to write a
> signature-based antivirus these days. You're caught in the nutcracker of
> 1) need to update frequently and 2) need to test adequately.
Almost all antiviruses are signature-based. Unless you're going to base
your decisions on a (not necessarily fair) coin-toss, the antivirus is
going to consist of a bunch of rules of the form:
"If this, that and somethingelse, report IT IS somename VIRUS"
"If at least three of these five are true, report IT IS CLEAN"
Each of these rules -is- a signature per se. Their premises can range from
the very simple ones ("contains these seven bytes: 0x73, 0x55, 0x4d, 0x73,
0x44, 0x6f, 0x73 somewhere inside the file"), through statically analysed
("it starts with 100 instructions, neither of which accesses memory
indirectly") or behavioral ones ("it tries to open a file
'%windir%\system32\lassa.exe', regardless of the particular method"), etc.
This covers all the "heuristic", "behavioral", "proactive" methods.
Depending on how your signatures work, you have more or less control over
what will and what won't be detected by them. If your signatures were just
MD5-hashes of the whole file, you'd have exceptionally small chance of
detecting an unintended file [**]. The problem has just been reduced to
the human factor who decides whether the file should or should not be
detected in the first place when creating the signature.
Again, most of the signatures used by current AVs do not work this way --
precisely because such signatures are way too narrow and way too easy to
evade (not that the others are not). Thus, one signature usually covers
many different files and this is where the role of cleanset-testing
becomes vital. Unfortunately, there is a very thin line between "good" and
"bad" software nowadays and it gets thinner every day (sometimes its width
seems to be negative :-) ).
Uh oh, this rant ended up longer than I hoped :-) Thanks for the attention
(or lack thereof).
Peter
[*] And yes, I'm well aware of Slammer and other quick guys ;-)
[**] And if you really found a "real-life" file with the same MD5, you
would at least be able to write a nice paper about it :-)
--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
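The rule forms and the cleanset check described in the post, as an added example (not the author's code): a toy predicate-based scanner in Python. The seven-byte sequence is the one quoted in the post; the rule names, the companion premises and the sample files are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Predicate = Callable[[bytes], bool]


@dataclass
class Rule:
    verdict: str               # e.g. "SomeName VIRUS" or "CLEAN"
    premises: List[Predicate]
    min_true: int              # premises that must hold; len(premises) means "all"

    def matches(self, data: bytes) -> bool:
        return sum(1 for p in self.premises if p(data)) >= self.min_true


# Premise builders (constructed for this example, not a real AV engine's API)
def contains(seq: bytes) -> Predicate:
    return lambda d: seq in d

def starts_with(prefix: bytes) -> Predicate:
    return lambda d: d.startswith(prefix)

def smaller_than(n: int) -> Predicate:
    return lambda d: len(d) < n

# The seven bytes quoted in the post: 0x73 0x55 0x4d 0x73 0x44 0x6f 0x73
SEVEN_BYTES = bytes([0x73, 0x55, 0x4d, 0x73, 0x44, 0x6f, 0x73])

RULES: List[Rule] = [
    # "If this, that and somethingelse, report IT IS somename VIRUS"
    Rule("SomeName VIRUS", [contains(SEVEN_BYTES), starts_with(b"MZ"), smaller_than(4096)], 3),
    # "If at least three of these five are true, report IT IS CLEAN"
    Rule("CLEAN", [starts_with(b"MZ"), contains(b"Copyright"), contains(b"\x00" * 16),
                   smaller_than(1 << 20), lambda d: SEVEN_BYTES not in d], 3),
]


def scan(data: bytes, rules: List[Rule] = RULES) -> str:
    """First rule whose premises hold decides; nothing matching is 'UNKNOWN'."""
    for rule in rules:
        if rule.matches(data):
            return rule.verdict
    return "UNKNOWN"


def cleanset_false_positives(cleanset: Dict[str, bytes], rules: List[Rule] = RULES) -> Dict[str, str]:
    """Cleanset testing: any clean file flagged as a virus is a false positive."""
    return {name: v for name, d in cleanset.items()
            if (v := scan(d, rules)) not in ("CLEAN", "UNKNOWN")}


# Constructed samples: one "malware" file and a two-file cleanset, where
# unlucky.exe happens to contain the seven bytes and shows why wide signatures
# need cleanset testing before release.
SAMPLE = b"MZ" + b"\x90" * 40 + SEVEN_BYTES + b"\x90" * 40
CLEANSET = {
    "notepad.exe": b"MZ" + b"\x00" * 16 + b"Copyright 2007" + b"A" * 100,
    "unlucky.exe": b"MZ" + b"\x00" * 16 + SEVEN_BYTES + b"Copyright",
}
```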