Hurricane approach: 'false Positive' whens, not ifs
Mario Vuksan Bit9
Are we our own worst enemy? Over-detection of malicious samples
(especially through heuristics and behavioral methodologies) is a time bomb
for many vendors. In the world of rapidly accelerating
signature/definition count, 'false positive' risks are growing rapidly.
With the increasing load of incoming malware, a new set of techniques for
managing malicious samples has become popular, from multiple automated
tools utilizing heuristics and behavioyral techniques to reliance on multiple
scanners and over-emphasis on packer/protector detections. To be sure, all
of these are valuable when used properly.
This session will:
-
Introduce a mean 'false positive' factor for standard and heuristics
detections
- Describe how 'false positive' sensitivity compares with the scanner
detection rates in normal, heuristic and behavioural modes
- Illustrate typical 'false positive' scenarios
- Examine the list of files that are most likely to create false positives
- Investigate automation traps, such as relying on multi-scanning as a
discovery tool
- Look at a packer detections (false vs. correct) and how to weed out
false packer detections
- Correlate scanner crashes with false packer detections (and subsequent
unpacking if applicable)
- Outline division between packed/unpacked content among goodware vs.
malware
- Address problems with incorrect unpacking
- Illustrate packing/protecting prevalence among goodware (why should you
care?)
- Investigate good applications that pack (Upack/UPX) known
redistributables (e.g. MSVCRT dlls)
- Look at scanner mean time to crash averages and packing detections
- call a file database for help with: finding obvious 'false negatives' and weeding out registry entry false positives
