Last-minute paper: Working together to defeat attacks against AV automation

Hong Jia, Microsoft
Dennis Batchelder, Microsoft

  download slides (PDF)

On 7 March, something in our automated systems went horribly wrong, and we issued three incorrect detections:

  • A Brother MFC-9460CDN printer installer, incorrectly detected as TrojanDropper:Win32/Startpage.B
  • An EPSON portal service, incorrectly detected as Rogue:Win32/Fakerean
  • A utility tool (file scout), incorrectly detected as Trojan:Win32/Bewymids.A

Hundreds of thousands of our customers were affected. Within eight hours, we corrected the false positives (FPs), released fixes, and launched a post-mortem to understand why our automated system failed.

Simple answer: our automated systems had been attacked. One day before, our systems were poisoned with hundreds of crafted clean files containing fragments of our (and other AV vendors') detection patterns. Our automated systems were tricked into detecting clean files, and our customers suffered.

We kept digging, and we found evidence of several other attacks against our and other AV vendors' automation. We'd like to share with the AV industry both what we've learned, as well as our recommendations on working together to limit the damage from these attacks.
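The abstract does not describe the internals of the automation that was poisoned. The following is an added, simplified model written for this page (not Microsoft's code, and not real signatures or the real files named above) of one way such an attack works and of the check that stops it: the pipeline treats a hit on an existing detection pattern as proof that a submission is malicious, derives a new signature as the longest byte run shared by every "malicious" submission, and (in the vulnerable configuration) releases it without testing it against a known-clean corpus. The byte patterns, the shared installer stub, the sample files and all function names are constructed assumptions for this illustration.

```python
"""Simplified model of the signature-automation poisoning described above.

Constructed illustration: the pipeline, the byte patterns and the sample files
are assumptions made for this example, not the actual Microsoft system, real
detection signatures or the real files named in the abstract.
"""
from typing import Dict, List, Tuple

# Fragments some existing detection already fires on. Constructed stand-ins for
# the vendor's own / other vendors' patterns that the attacker copied.
KNOWN_PATTERN_FRAGMENTS = [
    bytes.fromhex("558bec83ec40e811223344c9c3"),
    bytes.fromhex("6800204000ff15a0b0c0d085c0"),
]

# Code common to a family of legitimate installers (a shared setup stub).
# Constructed; this is the content the attacker wants the automation to "learn".
SHARED_CLEAN_STUB = b"SETUPSTUB-v2.1\x00" + bytes(range(0x20, 0x60))

# Constructed core of a genuine malware family, used to show that vetting does
# not block legitimate automation.
MALWARE_CORE = b"\xe8\x00\x00\x00\x00\x5d\x81\xed" + b"EVIL-LOADER-CORE"


def make_clean_installer(vendor: bytes) -> bytes:
    """Constructed clean file: shared stub followed by vendor-specific content."""
    return SHARED_CLEAN_STUB + b"\x00" * 8 + vendor + (vendor * 16)[:64]


def make_crafted_poison(i: int) -> bytes:
    """Attacker-crafted 'clean' file: the shared stub plus a copied detection
    fragment. Rotating the fragment keeps the stub the only content common to
    every submission; the filler makes each file unique."""
    fragment = KNOWN_PATTERN_FRAGMENTS[i % len(KNOWN_PATTERN_FRAGMENTS)]
    filler = i.to_bytes(4, "little") * 8
    return SHARED_CLEAN_STUB + fragment + filler


def make_real_malware(i: int) -> bytes:
    """Constructed genuine variant: shared core, a known fragment, unique filler."""
    filler = (i * 7919 + 1).to_bytes(4, "little") * 6
    return MALWARE_CORE + KNOWN_PATTERN_FRAGMENTS[0] + filler


def auto_label(data: bytes) -> bool:
    """Step 1 (assumed weak point): a hit on any existing pattern is taken as
    ground truth that the submission is malicious."""
    return any(fragment in data for fragment in KNOWN_PATTERN_FRAGMENTS)


def longest_common_run(samples: List[bytes], min_len: int = 8) -> bytes:
    """Step 2: candidate signature = longest byte run present in every sample.
    Quadratic in the first sample's length; fine for a demo."""
    base, best = samples[0], b""
    for start in range(len(base)):
        for end in range(len(base), start + min_len - 1, -1):
            if end - start <= len(best):
                break  # nothing longer is possible from this start
            cand = base[start:end]
            if all(cand in s for s in samples[1:]):
                best = cand
                break
    return best


def vet_against_clean_corpus(candidate: bytes, clean_corpus: Dict[str, bytes]) -> List[str]:
    """Step 3 (the missing check): names of known-clean files the candidate would hit."""
    return [name for name, data in clean_corpus.items() if candidate in data]


def run_automation(submissions: List[bytes], clean_corpus: Dict[str, bytes],
                   vet: bool) -> Tuple[bytes, bool, List[str]]:
    """Returns (candidate, released, clean_hits). With vet=False the pipeline
    releases whatever it learned; with vet=True a candidate that hits the
    clean corpus is held back as a probable false positive."""
    labelled_malicious = [s for s in submissions if auto_label(s)]
    if not labelled_malicious:
        return b"", False, []
    candidate = longest_common_run(labelled_malicious)
    hits = vet_against_clean_corpus(candidate, clean_corpus) if vet else []
    released = bool(candidate) and not hits
    return candidate, released, hits


# Constructed known-clean corpus; the names only echo the abstract's categories.
CLEAN_CORPUS = {
    "printer_installer.exe": make_clean_installer(b"PRINTER-VENDOR"),
    "portal_service.exe": make_clean_installer(b"PORTAL-VENDOR"),
    "file_scout.exe": make_clean_installer(b"FILE-SCOUT"),
}


if __name__ == "__main__":
    poison = [make_crafted_poison(i) for i in range(200)]
    cand, released, _ = run_automation(poison, CLEAN_CORPUS, vet=False)
    print("unvetted: released", released, "learned signature hits",
          vet_against_clean_corpus(cand, CLEAN_CORPUS))
    cand, released, hits = run_automation(poison, CLEAN_CORPUS, vet=True)
    print("vetted: released", released, "held back because of", hits)
```

Run stand-alone, the unvetted pipeline learns the shared installer stub as a "malware" signature and would ship it, hitting all three clean files; the vetted pipeline holds the same candidate back. A batch of genuine variants (the constructed family sharing MALWARE_CORE) still passes vetting, which is the point: the clean-corpus check costs nothing on real detections and only bites on poisoned batches. The other half of the defence is not trusting a bare pattern-fragment match as a label in the first place; sharing clean-file sets across vendors, as the abstract proposes, makes that vetting corpus larger than any one vendor can assemble.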

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

