You assume no false positives...

On Sep 29, 2009, at 5:12 PM, Dan Kaminsky wrote:

> Methodology wouldn't be too bad -- there are things a manual auditor
> can notice and alarm on quickly, that AV really can't just block or
> even send back for further review. So it's a matter of:
>
> 1) Gain legitimate access to a large number of systems, perhaps
> through a PC repair service
> 2) Separate the machines into buckets -- "No AV" "Norton" "McAfee"
> "Trend Micro" etc
> 3) For each bucket, scan with all AV scanners. This will determine
> the number of machines that are infected with known malware that at
> least one other scanner was able to find.
> 4) For each node that passed all automatic sweeps, manually sweep.
> This should yield a minimum size of the "long tail" (minimum,
> because we might not find all).
>
> Note that we may want to qualify "infected". Tracking cookies most
> assuredly do not count. Botnets most assuredly do. Merely
> self-replicating code, that's sort of up in the air.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
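The sweep Dan sketches in steps 2 through 4, tallied per installed-AV bucket, as an added example that is not part of the thread or anyone's posted code. The machines, scanner names and verdicts are constructed, the set of finding classes that count as "infected" is an assumption following the thread's qualification (tracking cookies excluded, bots included), and the min_agreeing knob is one assumed way to discount single-scanner hits in light of the false-positive point in the reply.

```python
from collections import defaultdict

# Finding classes that count as "infected" for the tally. The thread counts
# botnets, excludes tracking cookies and leaves bare self-replicators open;
# this assumption puts worms in the counted set.
COUNTED = {"bot", "trojan", "worm"}
NOT_COUNTED = {"tracking_cookie"}

# Constructed sample data (hypothetical machines, scanners and findings).
# Each record: installed AV (None = no AV), the finding each scanner reported
# in step 3 (None = clean), and what the step 4 manual audit found (None = clean).
MACHINES = {
    "pc01": {"installed": "Norton", "scans": {"Norton": None, "McAfee": "bot", "Trend Micro": "bot"}, "manual": None},
    "pc02": {"installed": "Norton", "scans": {"Norton": None, "McAfee": "tracking_cookie", "Trend Micro": None}, "manual": "bot"},
    "pc03": {"installed": "Norton", "scans": {"Norton": None, "McAfee": None, "Trend Micro": None}, "manual": None},
    "pc04": {"installed": None, "scans": {"Norton": "trojan", "McAfee": None, "Trend Micro": None}, "manual": None},
    "pc05": {"installed": None, "scans": {"Norton": None, "McAfee": None, "Trend Micro": None}, "manual": "worm"},
    "pc06": {"installed": "McAfee", "scans": {"Norton": "bot", "McAfee": None, "Trend Micro": None}, "manual": "bot"},
}


def counts_as_infected(finding):
    """Apply the thread's qualification of 'infected' to a single finding."""
    if finding is None or finding in NOT_COUNTED:
        return False
    if finding in COUNTED:
        return True
    raise ValueError(f"unclassified finding class: {finding!r}")


def bucket_of(record):
    """Step 2: bucket by installed product, with 'No AV' for bare machines."""
    return record["installed"] or "No AV"


def sweep(machines, min_agreeing=1):
    """Tally steps 3 and 4 per bucket.

    min_agreeing is how many scanners must report a counted infection before
    the automated pass flags the machine. 1 is the thread's "at least one
    other scanner"; raising it is one (assumed) way to discount a lone hit
    that may be a false positive, at the cost of more manual sweeps.
    """
    tally = defaultdict(lambda: {"total": 0, "auto_detected": 0,
                                 "passed_auto": 0, "manual_found": 0})
    for rec in machines.values():
        t = tally[bucket_of(rec)]
        t["total"] += 1
        hits = sum(counts_as_infected(f) for f in rec["scans"].values())
        if hits >= min_agreeing:
            t["auto_detected"] += 1
            continue  # step 4 only sweeps machines that passed every scanner
        t["passed_auto"] += 1
        if counts_as_infected(rec["manual"]):
            t["manual_found"] += 1
    return dict(tally)


def long_tail_lower_bound(tally):
    """Manual finds on machines all scanners passed: a minimum, since manual audits miss too."""
    return sum(t["manual_found"] for t in tally.values())


if __name__ == "__main__":
    for n in (1, 2):
        t = sweep(MACHINES, min_agreeing=n)
        print(f"min_agreeing={n}: long-tail lower bound = {long_tail_lower_bound(t)}")
        for bucket, c in sorted(t.items()):
            print(f"  {bucket:10} {c}")
```

Running it with min_agreeing=1 and then 2 shows the trade-off directly: the stricter setting moves pc04's lone "trojan" hit and pc06's lone "bot" hit out of auto_detected and into the manual queue, so the long-tail lower bound changes depending on how much you trust a single scanner's verdict.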
