Wednesday, April 02, 2008

Anti-Malware Performance and Evolution

Security UPDATE
A Penton Media Property
April 2, 2008


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475958-0-0-0-1-2-207

----------------------------------------
ADVERTISEMENT
Microsoft

Deploying Windows Server 2008 With System Center

It used to be that server administrators would install Windows Server
manually using the CD or DVD and then spend several hours configuring
the server. With the release of System Center Configuration Manager 2007
and the new Microsoft Deployment Toolkit, server administrators can now
use the same tools that desktop administrators have been using for years
to automate deployments. This paper will help you get started in
unifying your server and client deployment tools.

http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475959-0-0-0-1-2-207
----------------------------------------

IN FOCUS

--Anti-Malware Performance and Evolution
by Mark Joseph Edwards, News Editor
As more malware is detected, anti-malware signature databases grow. The
size of those databases, and how current they are, affects detection
rates as well as overall system performance (scan time, memory, and the
bandwidth spent on updates). As the pressure to keep detection high
without degrading performance mounts, the need for anti-malware products
to evolve beyond pure signature matching becomes more apparent.

To give you an idea of the sheer volume of malicious programs, Andreas
Marx of AV-Test.org recently wrote (in the paper at the URL below) that
his organization received nearly 5.5 million unique malware samples in
2007. That's quite a lot. Marx also wrote that his organization's
in-house testing platform, which handles 45 different anti-malware
solutions, downloaded a total of 148,869 unique updates in 2007,
amounting to 1.6TB of data. I did some quick math: that's an average of
about 9 updates per day for each of the 45 products (148,869 / 45 / 365),
or roughly 36GB of update data per product for the year.

www.av-test.org/down/papers/2008-02_vb_comment.pdf
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475960-0-0-0-1-2-207)

So how does increased malware volume affect detection rates? AV-Test.org
recently released a report that compares the performance of 30
anti-malware solutions across multiple tests: on-demand signature-based
detection, adware and spyware detection, false-positive rates,
retrospective and proactive detection, rootkit detection, response time
to new outbreaks, and malware cleanup. The retrospective and proactive
tests measure what a product catches when its signatures are a week old,
so the result reflects whatever built-in heuristic and behavior-based
defenses the product has rather than its signature database alone.

The on-demand tests used 1.1 million Trojans, backdoors, bots, worms,
and viruses collected in January and February. The adware and spyware
tests used 80,000 samples that are no longer active. To determine false
positive rates, 100,000 known clean files were run through each scanner.
Some 3,500 samples were used for the retrospective tests, and 20 active
samples were used to conduct the proactive tests. In addition, the
rootkit detection tests used 12 active rootkits, and cleanup was tested
against 20 active malware samples. The cleanup test checked whether a
solution could remove the malware and also repair any damage it had
done, such as changes to the registry or modifications to the system's
"hosts" file. To gauge response times to new outbreaks, the tests
monitored update turnaround time for 55 outbreaks in 2007 and 3
outbreaks in 2008.
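The hosts-file part of that cleanup check is easy to make concrete. What
follows is an added example, not code from AV-Test.org or from this
newsletter: a Python script that parses a hosts file and flags any entry
that maps a security-vendor or update domain, whether the domain is
sinkholed to a loopback or unspecified address (so signature updates
silently fail) or redirected to some other address. The watch list of
domains and the embedded sample hosts content are constructed for the
example; the default file path is the standard Windows location.

```python
"""Check a hosts file for entries that hijack security-vendor or update domains.

Added example, not code from AV-Test.org or the newsletter.  The watch list is a
hypothetical starting point; extend it with the vendors you actually use.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical watch list (assumption): domains malware commonly sinkholes or
# redirects so the victim can no longer fetch signatures or patches.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "avira.com",
    "sophos.com",
    "trendmicro.com",
    "virustotal.com",
)

# Default Windows location of the file the cleanup test refers to.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: a stock Windows hosts file plus the kind of lines an
# infection leaves behind.  Not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Lines below imitate entries added by an infection (constructed)
127.0.0.1       www.avira.com
0.0.0.0         update.microsoft.com  windowsupdate.com
10.0.0.5        www.virustotal.com    # redirect to an attacker-controlled host
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in a hosts file.

    Comments (# to end of line) and blank lines are skipped; a line whose first
    field is not a valid IP address is ignored rather than treated as a mapping.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((line_no, str(ip), host.lower().rstrip(".")))
    return entries


def is_watched(host: str) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Flag every mapping of a watched domain.

    A watched domain should never appear in a hosts file at all.  Mapping it to
    a loopback or unspecified address (127.0.0.1, 0.0.0.0, ::1) blocks updates
    ("blocked"); mapping it anywhere else sends the victim to a host the
    attacker controls ("redirected").  Both are reported so cleanup can be
    verified.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


def check_hosts_file(path: str = WINDOWS_HOSTS_PATH) -> List[Dict[str, object]]:
    """Run the check against a hosts file on disk (for example, after a cleanup)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run check_hosts_file() against the real file after a product reports a
successful cleanup; an empty result only means no watched domain is
mapped, so also compare the file against a known-good baseline to catch
entries for domains the watch list doesn't cover.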

Avira, Sophos, and Trend Micro all ranked at the top overall, with each
having a strong point as compared with the competition. For example,
Trend Micro's rootkit detection is superior, Sophos's proactive
detection is superior, and Avira has the best overall scan speed and
response time for issuing updates after a new outbreak (clocked at less
than 2 hours on average).

If you look at the results from a narrower perspective that considers
only detection rates for malware and for adware/spyware, then Webwasher
and G Data are the clear winners: each achieved 99.9 percent detection
in both categories. Right behind them was TrustPort, with a 99.6 percent
detection rate for malware and 99.8 percent for adware/spyware, followed
by Avira with 99.3 and 99.1 percent. You can view the full results at
Virus Bulletin's site at the URL below:

www.virusbtn.com/news/2008/03_13a.xml
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475961-0-0-0-1-2-207)

It seems obvious that the evolution of anti-malware defense needs to
move toward better behavior-based detection. Otherwise, we'll all wind
up with gigantic signature databases, which of course translates to
performance problems in terms of raw system resource requirements as
well as bandwidth use. Stronger gateway products could be another
solution because they could offload a great deal of the burden from
desktops; however, gateway scanning doesn't address malware that never
transits the gateway, as is the case with desktop-to-desktop or
desktop-to-server transfers, removable media, or encrypted sessions the
gateway can't inspect.

Marx outlined some of his ideas for better behavioral testing in a
recent presentation given at the AVAR 2007 Conference in Seoul, South
Korea. The presentation is detailed in a paper available (in PDF format)
at the AV-Test.org site, at the URL below--if you're interested in how
anti-malware technology might evolve.

www.av-test.org/down/papers/2007-11_avar_2007_dynamic.zip
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475962-0-0-0-1-2-207)

If you're curious about other anti-malware performance-related reports,
check the data available from VirusTotal (at the first URL below),
AV-comparatives.org (second URL below), and Okie Island Trading Company
(third URL below).

www.virustotal.com/estadisticas.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475963-0-0-0-1-2-207)

www.av-comparatives.org/ (http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475964-0-0-0-1-2-207)
winnow.oitc.com/malewarestats.php
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475965-0-0-0-1-2-207)

----------------------------------------
ADVERTISEMENT
CA

Data Protection and Disaster Recovery Tips

Discover a wealth of information about how to protect and secure your
data in the event of a disaster. You may not be able to predict the
exact details of a disaster, but you can be prepared with a solid
response for when one strikes. Disaster can strike anywhere - not just
where severe weather can hit - so make sure you're ready when it does.

http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475966-0-0-0-1-2-207
----------------------------------------


SECURITY NEWS AND FEATURES

--IFRAME Injection Attacks Affect More Major Sites
The Web sites of several more major companies have fallen victim to
IFRAME injection attacks, placing customers at risk and revealing a huge
lack of adequate application security.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475967-0-0-0-1-2-207

--Likewise Releases Active Directory Authentication Tool for Linux and
UNIX
Likewise Software unleashed a treat for the networking community last
week when it released Likewise Open, Spring 2008 Edition. The software
lets Linux and UNIX systems authenticate to an Active Directory server.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475968-0-0-0-1-2-207

--USENIX Opens Proceedings to All
USENIX, an association that is well-known for its highly technical
conferences, has opened all conference proceedings to the public.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475969-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

www.windowsitpro.com/departments/departmentid/752/752.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475970-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: MacBook Air Cracked at CanSecWest
by Mark Joseph Edwards
At the time of this blog writing, one person had succeeded in
CanSecWest's PWN2OWN contest. The MacBook Air system running Mac OS X
was cracked by Charlie Miller. Read the blog to find out how he
succeeded, plus catch up on a few other recent happenings.
windowsitpro.com/blog/index.cfm?action=BlogIndex&DepartmentID=949
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475971-0-0-0-1-2-207)

--FAQ: Beware Reloading Windows on a System That Uses EFS!
by John Savill
Q: I'm running Windows 2000 with three NTFS drives. I recently had to
reload my system drive, and now I can't access files on my second drive,
which is encrypted with Encrypting File System (EFS). I have nothing
left from the old drive, including no certificates. Is there a way to
make the domain administrator the recovery agent to decrypt the files?

Find the answer at
windowsitpro.com/article/articleid/98496
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475972-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in
Security Pro VIP's Reader to Reader column. Email your contributions to
r2r@securityprovip.com (mailto:r2r@securityprovip.com). If we print your
submission, you'll get $100. We edit submissions for style, grammar, and
length.


PRODUCTS

--Endpoint Security Product Gains NAC
by Renee Munshi
Sophos announced Sophos Endpoint Security and Control 8.0, which
incorporates Network Access Control (NAC) technology from the company's
2007 Endforce acquisition into the endpoint security product. Sophos
Endpoint Security and Control 8.0 delivers antivirus, antispyware, host
intrusion prevention, application control, and firewall functions, and
now also ensures that client computers are running authorized,
up-to-date software and adhering to company policies. Sophos Endpoint
Security and Control 8.0 will be a no-charge upgrade for current Sophos
Endpoint Security and Control customers. For more information, go to
www.sophos.com/ (http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475973-0-0-0-1-2-207)


RESOURCES AND EVENTS

Want to keep abreast of the latest SQL Server business intelligence (BI)
news, views, tips, and techniques? Subscribe to Essential BI UPDATE, a
new twice-monthly BI email newsletter from SQL Server Magazine. You'll
get how-to information, industry trends, commentary by experts, valuable
insight into BI Reporting Services, and more. Subscribe today--it's
free!

www.sqlmag.com/email/dsp_SubscribeConfirmation.cfm
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475974-0-0-0-1-2-207)

Small companies rarely stay that way--they grow. Regardless of the stage
of growth, there is always a need to access, report on, and analyze data
from different sources. This white paper discusses the components of
business intelligence and enterprise performance management solutions
that a growing business should consider and leverage.

windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=3266d75c-94e4-42e6-b9ce-0cf9db98f285&code=032608er
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475975-0-0-0-1-2-207)

Organizations seeking to gain competitive advantage in the marketplace
can potentially be derailed when faced with the daunting task of
managing and integrating a large collection of competing application
development technologies. This white paper discusses how certain
development tools can simplify your development tasks and enable your
organization to reduce application development time to market.

windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=69b43300-80c7-451a-a334-d317497524ba&code=032608er
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475976-0-0-0-1-2-207)


FEATURED WHITE PAPER

Five Essential Considerations for Exchange 2007 Implementations
For most organizations, taking full advantage of Exchange 2007's
features will require a substantial investment. Unlike previous
upgrades, Exchange 2007 requires the replacement of existing servers
with new 64-bit hardware and software. Read this white paper to
understand the considerations involved and get tips you can use to
leverage your Exchange 2007 upgrade.
windowsitpro.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=5da6e1d6-cae8-44fe-893a-700ea3e743e4&code=032608er
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475977-0-0-0-1-2-207)


ANNOUNCEMENTS

Check out all the info-packed publications offered by Windows IT Pro!
If you're receiving the HTML version of this email newsletter, click
"Our Publications" in the menu bar; otherwise, click the link below:
store.pentontech.com/index.cfm?s=1&cid=18000306&promotionid=18003253&code=
(http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475978-0-0-0-1-2-207)

CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475979-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475980-0-0-0-1-2-207

You are subscribed to this newsletter as boy.blogger@gmail.com

Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475981-0-0-0-1-2-207.

To unsubscribe:
http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475982-0-0-0-1-2-207&list_id=803&email=boy.blogger@gmail.com&message_id=4828

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475983-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-4828-803-202-62923-475984-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
