In the past few years, I’ve written or co-written a number of conference papers for the yearly AVAR (Association of Anti Virus Asia Researchers) conference. And I’ve only just realized that I haven’t put any of them up here.
Email virus detection and blocking is not by itself good incident management (catchy title, huh?) was written for and presented at the 2003 AVAR conference in Sydney. This was before I joined ESET – I was then managing the Threat Assessment Centre for the NHS Information Authority. Fortunately, email scanning by mainstream security products copes much better nowadays with spoofed email addresses and related issues, but it was a big, big problem at that time.
Here’s the abstract.
Virus-specific and generic detection and filtering technology promptly identifies and blocks potential threats, but is based on obsolete assumptions and models of incident handling.
Automated service reports are mostly restricted to pre-formatted summaries of detections per virus, which adversely impacts incident handling and follow-up and compliance with legal and policy requirements, and impairs risk assessment and management based on detailed analysis and best practice.
Poor integration of virus management and email abuse management leaves some blended and pseudo-viral threats inadequately covered.
Attachment management is usually based on the assumptions of a simplistic blocking model that diminishes the impact of unknown threats at the expense of a high proportion of false positives.
The poorly addressed issue of spoofing viruses generates mailstorms, confusion, scapegoating, support overload, and legal action, as misdirected and enigmatic infection notifications are broadcast promiscuously by poorly designed services.
This paper proposes short-term fixes and better models for alleviation of these problems.
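As an illustration of two of the problems the abstract names (misdirected infection notifications sent to a forged sender address, and reporting that is limited to per-virus counts), here is an added example of a gateway notification policy. It is not code from the paper, the presentation or any product; the family names, addresses and the rule that a known-spoofing family or an envelope/header sender mismatch suppresses sender notification are assumptions made for the example.

```python
# Added example (not from the paper or the post): a gateway-side policy that
# decides who is notified about a detection, and an incident log that keeps
# per-incident detail instead of only per-virus totals.
from dataclasses import dataclass
from typing import Dict, List

# Constructed list of families treated as forging the sender address. A real
# deployment would take this from the scanner vendor's threat metadata.
SPOOFING_FAMILIES = {"W32/Klez", "W32/Sobig"}


@dataclass
class Detection:
    message_id: str
    envelope_sender: str    # SMTP MAIL FROM
    header_from: str        # RFC 5322 From: header
    recipient: str
    detection_name: str     # scanner's name, e.g. "W32/Klez.H" (constructed)
    action: str             # "blocked", "cleaned" or "quarantined"


@dataclass
class Decision:
    notify_sender: bool
    notify_recipient: bool
    notify_admin: bool
    reason: str


def family_of(detection_name: str) -> str:
    """Strip the variant suffix: 'W32/Klez.H' -> 'W32/Klez'."""
    return detection_name.split(".")[0]


def decide(det: Detection) -> Decision:
    """Choose notification targets so that a forged sender is never alerted."""
    family = family_of(det.detection_name)
    # An envelope/header sender mismatch is itself a sign the address is forged.
    mismatch = det.envelope_sender.lower() != det.header_from.lower()
    if family in SPOOFING_FAMILIES or mismatch:
        return Decision(False, True, True, "sender address unreliable")
    if not det.envelope_sender or det.envelope_sender == "<>":
        return Decision(False, True, True, "null envelope sender")
    return Decision(True, True, True, "sender address consistent")


class IncidentLog:
    """Per-incident record that still supports the usual per-virus summary."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, det: Detection, dec: Decision) -> None:
        self.entries.append({
            "message_id": det.message_id,
            "detection": det.detection_name,
            "envelope_sender": det.envelope_sender,
            "header_from": det.header_from,
            "recipient": det.recipient,
            "action": det.action,
            "notified_sender": dec.notify_sender,
            "reason": dec.reason,
        })

    def per_virus_summary(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self.entries:
            counts[e["detection"]] = counts.get(e["detection"], 0) + 1
        return counts

    def incidents_for(self, address: str) -> List[dict]:
        """Every incident touching one address, for follow-up or a legal query."""
        addr = address.lower()
        return [e for e in self.entries
                if addr in (e["envelope_sender"].lower(),
                            e["header_from"].lower(),
                            e["recipient"].lower())]


if __name__ == "__main__":
    # Constructed sample detections.
    log = IncidentLog()
    for det in (
        Detection("m1", "alice@example.com", "alice@example.com",
                  "bob@example.org", "W32/Klez.H", "blocked"),
        Detection("m2", "carol@example.com", "carol@example.com",
                  "bob@example.org", "EICAR-Test-File", "blocked"),
    ):
        dec = decide(det)
        log.record(det, dec)
        print(det.message_id, dec)
    print(log.per_virus_summary())
```

The point of the policy is the asymmetry: notifying the recipient and the administrator is harmless, whereas notifying the apparent sender of a spoofing worm sends the alert to whoever's address was harvested, which is exactly how the mailstorms described above arise. The per-incident log keeps the detail that a summary-by-virus report throws away.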
I can’t lay hands on the paper at the moment, but the presentation is available on the AVAR web page for that conference.
David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow