Ah Dan. There is an error in your logic. If AV couldn't detect the "bot" on a machine, then it is not a bot. How else would you prove it was a bot! ;)
Charlie

On Sep 28, 2009, at 2:08 PM, Dan Kaminsky wrote:

> This only measures AV detected infections. If I take 10,000 machines
> that did have AV, and 10,000 machines that did not, and compare, say,
> botnet infection rates manually -- is there a difference?
>
> I'm looking for: 'A node running AV is n% less likely to be running
> malicious software than a node not running AV.'.
>
> On Sep 28, 2009, at 2:34 PM, <[email protected]> wrote:
>
>>
>> All logs from a central AV-management console listing what has been
>> detected by the OnAccess scanner on the workstations would qualify
>> as that source of data (after sorting out the things that actually
>> infect a machine from the things AV is expected to detect nowadays
>> in addition). Without AV most entries in that log would have
>> resulted in an infected machine...
>>
>>
>> cheers,
>> Toralv
>>
>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Dan Kaminsky
>>> Sent: Monday, September 28, 2009 7:56 PM
>>> To: [email protected]
>>> Cc: [email protected]; [email protected]
>>> Subject: Re: [funsec] No AV? Shock, horror!
>>>
>>> Non-rhetorical question:
>>>
>>> Is there a source of data showing 10,000 machines with AV are
>>> less likely to be infected than 10,000 machines without?
>>>
>>>
>>> On Mon, Sep 28, 2009 at 7:38 PM, <[email protected]> wrote:
>>>> There are plenty of AV products for *nix platforms. It's not
>>>> that there is a *huge* amount of viruses for those platforms,
>>>> it's that those platforms are often accessed by Windows
>>>> platforms and the merchant should want to provide a clean file
>>>> to a customer...
>>>>
>>>> Mike B
>>>>
>>>>
>>>> Michael P. Blanchard
>>>> Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
>>>> Office of Information Security & Risk Management
>>>> EMC² Corporation
>>>> 4400 Computer Dr.
>>>> Westboro, MA 01580
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]]
>>>> On Behalf Of Drsolly
>>>> Sent: Friday, September 25, 2009 5:13 PM
>>>> To: Rob, grandpa of Ryan, Trevor, Devon & Hannah
>>>> Cc: [email protected]
>>>> Subject: Re: [funsec] No AV? Shock, horror!
>>>>
>>>> Maybe some merchants don't use Windows?
>>>>
>>>> On Fri, 25 Sep 2009, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
>>>>
>>>>> PCI survey finds some merchants don't use antivirus software
>>>>>
>>>>> http://www.networkworld.com/news/2009/092309-pci-survey-finds-some-merchants.html?hpg1=bn
>>>>>
>>>>> (But absolutely no surprise whatsoever ...)
>>>>>
>>>>> ====================== (quote inserted randomly by Pegasus Mailer)
>>>>> [email protected] [email protected]
>>>>> [email protected]
>>>>> Living well is the best revenge.
>>>>> George Herbert, 16th century English clergyman
>>>>> http://victoria.tc.ca/techrev/rms.htm
>>>>> http://blog.isc2.org/isc2_blog/slade/index.html
>>>>> http://twitter.com/rslade
>>>>> http://blogs.securiteam.com/index.php/archives/author/p1/
>>>>> http://twitter.com/NoticeBored
>>>>> _______________________________________________
>>>>> Fun and Misc security discussion for OT posts.
>>>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>>>> Note: funsec is a public and open mailing list.
>>>>>
>>
>> Registered office: Muenchen
>> District court: AG Muenchen
>> Commercial register: HRB 144340
>> Managing directors: Emmet Russell, Keith Krzeminski, Douglas Rice
>> Bank details: ABN-Amro Bank N.V., account 671 211 9006
>> VAT ID: DE168122444
