
The Myths of Security by John Viega


Chapter 23. One Simple Fix for the AV Industry

What if I told you that the AV industry as a whole could reduce its operating costs on malware research, while providing customers with vastly better protection? Sounds like a pipe dream, but I say it isn’t: all the AV industry has to do is organize itself to solve “the packer problem.”

First, let me say that I think most of the AV industry is headed into the hurt locker. Today, research labs get thousands of unique malware samples a day (about two to six thousand, if you look at unique executables). And while a lot of the samples can be detected automatically, a lot of them can’t. Most vendors can’t keep up, even the ones with dozens of people doing AV research. Detection rates are way down and operational costs have to go up in order to keep up, at least while we wait for AV technology to improve.

Let’s get to the packer problem, which is probably the single biggest problem in the AV space. The bad guys use packing software and encryption software to obfuscate their malware. I’ll give you a high-level overview of the problem (which is responsible for most accuracy problems in AV software), and then I’ll talk about the impact and what the AV industry should be doing about it.

Packing software basically encodes a binary, supposedly to make it smaller. The result is a binary that unpacks itself before the original binary runs. The packed binary will mostly look like gibberish.
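
The effect described above, as an added example that is not from the book: zlib compression stands in for a real packer's encoding step, and the sample bytes, the signature and all function names are constructed for illustration. It measures how close to random the stored bytes look and shows a naive byte-signature match disappearing until the data is unpacked.

```python
import hashlib
import math
import zlib
from collections import Counter

# Constructed sample data: a stand-in "program" made of text-like lines, with one
# byte pattern (made up for this example) that a static signature would match.
SIGNATURE = b"EXAMPLE-SIGNATURE-BYTES"
_lines = [b"call sub_" + hashlib.sha256(bytes([i % 256, i // 256])).hexdigest()[:8].encode() + b"\n"
          for i in range(400)]
ORIGINAL = b"".join(_lines[:200]) + SIGNATURE + b"".join(_lines[200:])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def pack(data: bytes) -> bytes:
    """Toy packer (assumption: zlib stands in for a real packer's encoding)."""
    return zlib.compress(data, 9)


def unpack(blob: bytes) -> bytes:
    """What the unpacking stub does at run time, before the original code runs."""
    return zlib.decompress(blob)


def static_scan(blob: bytes) -> bool:
    """Naive static detection: search the bytes as stored for the signature."""
    return SIGNATURE in blob


def report(name: str, blob: bytes) -> str:
    """One summary line per form of the sample: size, entropy, signature match."""
    return (f"{name:9s} {len(blob):5d} bytes  "
            f"entropy {shannon_entropy(blob):.2f} bits/byte  "
            f"signature hit: {static_scan(blob)}")


if __name__ == "__main__":
    packed = pack(ORIGINAL)
    for name, blob in (("original", ORIGINAL), ("packed", packed), ("unpacked", unpack(packed))):
        print(report(name, blob))
```

Entropy near 8 bits per byte is a common heuristic for spotting packed or encrypted content, but it only says the bytes are encoded, not what they contain.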

An AV vendor that’s just looking at a static version of the software ...
