Gatekeeper II: new approaches to generic virus prevention

Richard Ford, Florida Institute of Technology
Matt Wagner, Microsoft Corporation
Jason Michalske, Florida Institute of Technology

Technical stream: Thursday 30 Sept 2004, 10.30-11.10.

The need for reliable detection of rapidly spreading worms has never been higher; viruses like SQL/Slammer have proven that an epidemic can occur far faster than we can react using existing technology. Thus, there has been significant interest in developing fast and reliable techniques for detecting previously unseen malicious code.

In this paper, we extend the work carried out under the Gatekeeper project, a behavioural virus detection engine with undo capability. New techniques to provide for higher virus detection rates with lower false positive rates are described for the first time, and a demonstration of the new Gatekeeper tool is given, showing detection rates that are extremely high with low processor overhead and minimal false positives. Directed attacks against Gatekeeper are considered, and novel defences described.
