SANS isn’t the biggest fan of the AV industry, and has from time to time been misleading in its assessment of what AV actually does, so it’s a relief that the latest issue of its OUCH! security awareness newsletter, which focuses on Understanding Anti-Virus Software, shows a little more understanding of anti-malware technology.
Well, since guest editor Lenny Zeltser is SANS’ lead instructor on malware, it would be pretty depressing if it didn’t. And in fact, while the description of signature detection doesn’t acknowledge that AV signatures are a lot more than static patterns, it is at least followed by a high-level summation of behaviour analysis.
It does kind of suggest that the only alternatives available are seriously limited, strict static signatures, or high volumes of false positives, however. I can’t deny that the security industry has its problems with FPs from time to time, but I don’t think the picture is quite that bleak.
Still, the tips section at the end contains some advice worth repeating.
Connection with testing? Links to a couple of sites that SANS apparently considers “trusted sources”: one is a link to an article by Neil Rubenking (who is a member of the AMTSO advisory board) on what he considers to be The Best Security Suites for 2011, and the other is a link to some advice from Consumer Reports, which is not represented in AMTSO.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow