Hitting the ‘Up-To-Date’ Bull’s eye
VB2009 – Steven Ginn
• Signature based anti-malware requires updates to stay ahead
• More and more updates are released every day
• Need to provide technology for users to identify their “up-to-date” status
Overview – Defining and tracking “Up-to-Date”
• Recognizes malware based on an identity
• Content is pattern matched against signatures
• New Malware = New Signatures needed
Signature Based Protection – Background
• The point where a product has the latest and greatest definitions
The ‘Up-to-Date’ Bull’s eye – What is it?
• Staying current maximizes protection
• Important to know when to update
The ‘Up-To-Date’ Bull’s Eye – Why should we care?
• Malware is more and more pervasive
• Constantly being created
• Anti-malware vendors react with new updates to keep up
• Users need to constantly update to keep up
Hitting a moving target?
• Monitors Anti-malware products and online material
• Records any update available
• Used to find the bull’s eye
Identifying Trends – OESIS Monitor
• Number of updates per day has increased
• Number of vendors and Signature formats has increased
• Update frequency by day of the week varies
Trends and Observations
Total Updates per year
Number of Vendors identified
Updates by Day of Week
Average Number of Updates by day – For the average vendor
Average Updates per day by year – For selected vendors
• Data for 2009 was scaled
• New vendors introduced mid-year
• New definition formats introduced mid-year
Caveats to Data – The “fine-print”
• Anti-malware vendors have tools to tell users whether or not they are up to date
• Each makes sense under different scenarios
Finding the Bull’s Eye – Communication tools
• Every Update is stamped with an expiration
• Projected to last until next target delivery
• Allows client software to make educated guess about where the up-to-date mark will be next
Blacklist date – “Use by tomorrow”
Pros
• Easy to answer “Am I up to date?”
Cons
• Bad for critical outbreaks
• May expire prematurely
• Best educated guess
Blacklist date
• Just go get the latest always
• No need to care if up to date or not
• Best when you assume that you aren’t already up to date
Brute-Force Update – Throwing Blind
Pros
• Never miss, if frequent enough
Cons
• Resource intensive
• May interrupt user’s workflow
Brute-Force Update
• Open a line between user and a central server
• When update available, push it to end user
Push Mechanism – Always connected?
Pros
• Minimizes outside communication
• Simpler to stay up to date
Cons
• Not good in heterogeneous environments
• Requires constant contact
Push Mechanism
• Monitors update releases by vendors
• Provides reference point of latest definitions
Third Party enforcement – OESIS Monitor
Pros
• Supports heterogeneous deployments
• Reacts quickly
• Reference point updates are often smaller than signature updates
• Best of brute-force and push mechanisms
Cons
• May not catch everything
Third Party enforcement
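To make the blacklist-date and third-party reference-point checks concrete, here is an added example (not code from the talk or from OESIS Monitor) with constructed release timestamps. It models a definition release with the vendor's projected expiry stamp, compares it with the latest release a monitor has recorded, and shows the two failure modes listed above: the stamp still reads "current" during an out-of-band outbreak release, and it "expires prematurely" when the vendor slips its schedule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical model of a signature release. "expires" is the blacklist
# date from the slides: the vendor's projection of when the next release
# will be delivered.
@dataclass(frozen=True)
class Release:
    version: str
    released: datetime
    expires: datetime

def blacklist_check(installed: Release, now: datetime) -> str:
    """Local-only check: 'current' until the stamped expiry passes."""
    return "current" if now < installed.expires else "expired"

def reference_check(installed: Release, latest_known: Release) -> str:
    """Compare against the newest release a third-party monitor recorded."""
    return "current" if installed.released >= latest_known.released else "stale"

def up_to_date(installed: Release, latest_known: Release, now: datetime) -> dict:
    """Run both checks and trigger an update when either says we are behind,
    since each signal alone can be wrong in the ways the slides describe."""
    bl = blacklist_check(installed, now)
    ref = reference_check(installed, latest_known)
    return {"blacklist": bl, "reference": ref,
            "update_needed": bl == "expired" or ref == "stale"}

# Constructed sample data (not real vendor timestamps).
T0 = datetime(2009, 9, 21, 8, 0)                        # Monday 08:00: v1 ships
V1 = Release("v1", T0, T0 + timedelta(hours=24))        # expected next delivery in 24h
V2 = Release("v2", T0 + timedelta(hours=4), T0 + timedelta(hours=28))  # outbreak release

# Case A: nothing new yet, both checks agree the client is current.
case_a = up_to_date(V1, V1, T0 + timedelta(hours=2))
# Case B: out-of-band release at 12:00. The blacklist date still says
# current; only the reference point catches it ("bad for critical outbreaks").
case_b = up_to_date(V1, V2, T0 + timedelta(hours=6))
# Case C: vendor slips its schedule. The stamp expires although v1 is still
# the newest release ("may expire prematurely").
case_c = up_to_date(V1, V1, T0 + timedelta(hours=26))

if __name__ == "__main__":
    for name, verdict in (("A", case_a), ("B", case_b), ("C", case_c)):
        print(name, verdict)
```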
• Signatures live in the cloud
• Content is assessed by reputation and scanned when necessary on external sites
Cloud-Scanning – Get rid of the definitions
Pros
• Improved detection
• Faster identification
• Fewer systems to update
Cons
• Must always be connected
• Security concerns with sending data out
Cloud-Scanning
• Signature based detection isn’t scaling
• What good is providing signatures if users can’t keep up with them?
• Try to improve alternatives to become proactive, not reactive
What next? – Continue the uphill battle, or go around?
Questions?