The Death of AV Defense in Depth? Revisiting AV Software
| 0 comments ]



It has been quite some time since I updated this blog, I will try to update the blog in the next weeks, with a few details what I was up to during the last months.

Let's start with the more important stuff, I got into AV Research again =) The output of which will hit the public in the next months, be warned there will be a flood of advisories :D

Together with Sergio Alvarez I gave a talk @ Hack.lu 2007. This year we explained what the heck is up with Anti-Virus software. We revisited the way AV solutions are implemented in current Company networks and AV Engines themselves. Defense in Depth is being misinterpreted and incorrectly implemented with disatrous effects. Customers (end-users of AV Software) believe they do DiD when in reality they do not, this is an important fact to keep in mind.

Rough Break-down of the Talk :

  • DiD as implemented for Anti Virus Software is broken, companies put one AV engine after the other believing it to be DiD. The worst security incident in such an architecture is being incorrectly defined as "A virus passes the gateway unrecognized" , in reality the worst possible failure is that the underlying Operation System is compromised through the AV Engine, you have to mitigate this.
  • AV Software is broken behond recognition, they parse enormous amounts of Data in unmanaged programming languanges and such are naturaly prone to errors. This was clear from the start, but the shear amount of bugs is someting else.The reality shows they all are.
  • AV Software runs directly on critical (with high privileged rights) infrastructure, AV Software runs everywhere
  • E-mail changes what is at stake: What happens if I sent an exploit targeting AV software as an attachment in an E-mail ? (You can automatically compromise Corporate Mail Servers/Clients/Gateways, from the outside as your email travels through your firewalls untouched. You can view the presentation here, might be interesting to you, I don't think everybody is aware of the impact some findings may have: The Death of AV-Defense in Depth?



    •