VB article: Don’t Forget To Write

This is my most recent article for Virus Bulletin:

David Harley, Don’t Forget to Write, February 2014, Virus Bulletin. Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of Virus Bulletin.

It’s a review of two eBooks published (fairly) recently that aim to provide security guidance for consumers: Improve Your Security by Sorin Mustaca, and One Parent to Another by Tony Anscombe. 

It’s also available on Virus Bulletin’s own site here. Along with lots of lovely stuff that has nothing to do with me, of course. :)

David Harley
Small Blue-Green World
ESET Senior Research Fellow


AVAR paper 2013

This is a paper written by Larry Bridwell and myself for the 16th AVAR conference in Chennai, which was kindly presented by ESET’s Chief Research Officer Juraj Malcho, as neither Larry nor myself were able to attend the conference in the end.

Death of a Sales Force: Whatever Happened to Anti-Virus

It’s also available from the ESET Threat Center Resources page here.

Here’s the abstract:

Anti-Virus is, it seems, an ex-parrot. We’ve seen so many announcements of the death of anti-virus that we’ve taken to carrying black ties around with us, ready for the next one. This paper probably won’t have much impact on the ludicrously funereal tone of some commentary, but it will take an informed look at the reasons most often given for the imminent demise of the AV industry, in the hope of achieving a balanced view of the present role and future evolution of malware analysis. Reports of the (near-) death of static signature detection may not be exaggerated, but anti-malware technology has moved far beyond simple signatures. We consider in depth the accuracy of some of the basic contentions that keep turning up ad infinitum in memoriam…

  1. Conclusions based on detection testing and pseudo-testing statistics
  2. Anti-virus is ok if you don’t have to pay for it
  3. Heuristic detection has gone the way of the static signature
  4. Spammed out malware is less important than targeted malware
  5. New (mobile) platforms require new defensive paradigms

Catching or blocking malware is just part of the security challenge, at home or in the workplace, and malware detection is a very different technology to what it was 20 years ago, but does that mean it’s obsolescent? We look at the three primary functions of AV:

  • protection in the form of proactive detection and blocking through a range of heuristic, reputational and generic countermeasures
  • detection of known malware
  • remediation where something is detected and has managed to gain a foothold

We contend and demonstrate that while the emphasis has undergone an irreversible shift, from detection by signature, to remediation of signature-detected malware, to more generic detection by technologies such as heuristics, behaviour analysis and reputation, a complete solution addresses all of those issues. AV is dead, or at best comatose: at any rate, self-replicating malware is a small part of a much larger problem, while signature detection is primarily a fallback technology that helps with remediation rather than a primary layer of protection.

Anti-malware technology moved on long ago. Customer and media perception, though, has lagged way behind. Could it be that when other sectors of the security industry, driven by commercial agendas, engage in inaccurate and at best misinformed anti-AV commentary, that they are also putting their own interests and those of the community at large at risk? Would a world without the mainstream anti-malware industry be such a good place to live?

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow


AVAR Conference Paper 2013

My most recent paper for AVAR was co-written with Larry Bridwell, who’ll be presenting it at AVAR 2013 in Chennai, in December. It’s called Death of a Salesforce: whatever happened to anti-virus?


AVAR Conference Paper 2010

In 2010, I co-wrote and co-presented a paper at AVAR in Bali with Lysa Myers (now with ESET, but then with West Coast Labs) and Eddy Willems of G-Data and EICAR: Test Files and Product Evaluation: the Case for and against Malware Simulation.

AVAR Conference Paper 2009 (2)

My second paper for AVAR 2009 in Kyoto was co-written with Randy Abrams: Malware, Marketing and Education: Soundbites or Sound Practice?

AVAR Conference Paper 2009 (1)

In 2009, I co-wrote two papers for the AVAR conference in Kyoto. The first was co-written with Craig Johnston: Please Police Me.

AVAR Conference Paper 2008

In 2008, Randy Abrams and I wrote a paper for the AVAR conference in Delhi on People Patching: Is User Education Any Use at All? The paper is available from the ESET WeLiveSecurity site here.