Last-minute paper: Working together to defeat attacks against AV automation

Hong Jia Microsoft
Dennis Batchelder Microsoft

On 7 March, something in our automated systems went horribly wrong, and we issued three incorrect detections:

  • A Brother MFC-9460CDN printer installer, incorrectly detected as TrojanDropper:Win32/Startpage.B
  • An EPSON portal service, incorrectly detected as Rogue:Win32/Fakerean
  • A utility tool (file scout), incorrectly detected as Trojan:Win32/Bewymids.A

Hundreds of thousands of our customers were affected. Within eight hours, we corrected the FPs, released fixes, and launched a post-mortem to understand why our automated system failed.

Simple answer: our automated systems had been attacked. One day before, our systems were poisoned with hundreds of crafted clean files containing fragments of our (and other AV vendor) detection patterns. Our automated systems were tricked into detecting clean files, and our customers suffered.

We kept digging, and we found evidence of several other attacks against our and other AV vendors' automation. We'd like to share with the AV industry both what we've learned, as well as our recommendations on working together to limit the damage from these attacks.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference or register online.  digg this! digg this

Quick Links

Should software vendors extend support for their products on Windows XP beyond the end-of-life of the operating system?
Yes - it keeps their users secure
No - it encourages users to continue to use a less secure OS
I don't know
Leave a comment
View 24 comments


VB2014 VB2014 will take place 24 - 26 September 2014 at the Westin Seattle hotel, Seattle, WA, USA.

Virus Bulletin currently has 231,342 registered users.