Wednesday, January 21, 2009

anti-virus usage fail

how do you top a virustotal usage fail? you attempt to commit a virustotal usage fail but use samples that aren't even malware in the first place...

that's what john strand did in a video embedded in daniel miessler's post "Metasploit 3.2 Makes AV Look Silly | DiD is the Only Answer"...

the premise may sound ok - you can create executables using metasploit that won't be detected by the (perhaps severely) cut-down versions of anti-virus products that are used by virustotal... supposedly this points to a problem with anti-virus technology in general, but ask yourself this - is it really a problem that you can create executables that virustotal can't detect? and if so, why?

is the output from metasploit malware? if it is then hdmoore is a bad man and should be stopped (and it's not like we can't find him)... i don't see a lot of people calling him a bad man, though, or suggesting he needs to be stopped - that says to me that metasploit and its output are not malware, or at least occupy that gray area between malware and benign software... as such, if these things aren't malware then why are we expecting anti-malware programs to detect them? the av world knows that if it ain't bad then you shouldn't be catching it, and if metasploit output is bad then why aren't we doing more about it?...

if it's not malware then stop expecting anti-malware apps to do anything about it... if it is malware then go after the root cause (isn't that what bejtlich is always talking about as the more effective strategy for dealing with the malware problem?)...

ultimately, the video and the post it's in make a good point - that you shouldn't be relying on av as your sole form of protection - but the argument would be better served by using a legitimate av failure as an example instead... better still would be to take an approach that doesn't seek to tear down a largely successful anti-malware control in the first place - you can promote defense in depth without erroneously trying to make av look like it's useless... tearing av down does not actually promote defense in depth, it promotes the search for the next great anti-malware hope that we can replace av with - and that's not going to help anybody because all preventative measures (even whatever people replace av with) fail...