The challenge of detecting and removing installed threats

Jason Bruce SophosLabs

The days when the competitiveness of an AV product was determined by the ability to detect a bucket full of samples will soon be behind us. New tests, driven by the requirement for AV products to deal with spyware, will measure the ability of an AV product to manage any given threat from detection to full removal.

Detecting and removing installed and active threats presents many challenges particularly where multiple files, processes and registry components are involved. The ability for these components to be updated from the Internet at any time and with varying frequency only complicates the issue further.

This paper will discuss the challenges that are faced by AV vendors in modify their products to move away from blindly detecting and deleting a given set of samples to detecting and removing samples in the context of the installed threat for which those samples are merely a subset of components.

VB Conferences

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘There is still nothing like a VB conference!’

Poll

Who in your company is responsible for installing software patches?

Leave a comment

Malware Prevalence

Agent
Mytob
Invoice
NetSky
Suspect packers

View this month's full report

Virus Bulletin currently has 148,287 registered users.

Fighting malware and spam