1 Current Trends
4 Dynamic Analysis
5 Lab Bias
• Pros
– Detect threats prior to execution
– Detect threats without signatures
– Can bypass some obfuscation techniques
• Cons
– Performance intensive
– Vulnerable to sophisticated obfuscation techniques
• Obfuscators that call obscure APIs the emulator does not implement cannot be emulated
• Obfuscators that use obscure instructions the emulator does not model can fool it
• Malcode can detect the emulator and change its behavior
• A threat can require a minimum number of executions, or a minimum elapsed time, before it becomes active
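The pros and cons above can be seen side by side in a toy model of an emulator-based analyser. This is an added example, not code from the original deck: the mini instruction set, the signature string, the XOR packer, the instruction budget and the three samples are all assumed for illustration. The same packed payload is placed behind three stubs: a short delay loop (the emulator unpacks it and matches the signature that a static scan never sees), a long delay loop (the instruction budget runs out first) and a run-count gate (a fresh emulator always sees zero prior runs, so the payload never decodes inside it).

```python
"""Toy model of an emulator-based dynamic analyser and its limits.

Added example, not code from the original deck.  The mini instruction
set, the signature string, the XOR packer, the instruction budget and
the three samples are all assumed for illustration.
"""

SIGNATURE = b"payload"      # assumed: the string a plain signature scan looks for
XOR_KEY = 0x5A              # assumed packer key
BUDGET = 100_000            # assumed: instructions the emulator will spend per file


def pack(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Obfuscate the payload; the on-disk image no longer contains SIGNATURE."""
    return bytes(b ^ key for b in payload)


def static_scan(image: bytes) -> bool:
    """Signature-only scan of the file as stored on disk."""
    return SIGNATURE in image


def emulate(program, image: bytes, budget: int = BUDGET, run_count: int = 0) -> str:
    """Run `program` for at most `budget` instructions, scanning emulated
    memory after every step.  Returns 'detected', 'budget_exhausted' or 'clean'.

    Assumed mini-ISA:
      ('loop', n)       spin for n iterations, one instruction each
      ('gate_runs', n)  exit quietly unless the host has already run the
                        sample n times (a fresh emulator always sees 0)
      ('unpack', key)   XOR-decode the image in memory
      ('run',)          execute the decoded payload
    """
    memory = image
    steps = 0
    for op, *args in program:
        if op == "loop":
            # A delay loop burns budget without ever decoding anything.
            if steps + args[0] > budget:
                return "budget_exhausted"
            steps += args[0]
        elif op == "gate_runs":
            steps += 1
            if run_count < args[0]:
                return "clean"          # the sample behaves itself on this run
        elif op == "unpack":
            steps += 1
            memory = bytes(b ^ args[0] for b in memory)
        elif op == "run":
            steps += 1
        else:
            raise ValueError(f"unknown op {op!r}")
        if steps > budget:
            return "budget_exhausted"
        if SIGNATURE in memory:         # the emulator sees the decoded bytes
            return "detected"
    return "clean"


# Constructed samples: the same packed payload behind three different stubs.
IMAGE = pack(b"--- payload: drop and run ---")
FAST_SAMPLE = [("loop", 100), ("unpack", XOR_KEY), ("run",)]
SLOW_SAMPLE = [("loop", 10_000_000), ("unpack", XOR_KEY), ("run",)]
GATED_SAMPLE = [("gate_runs", 3), ("unpack", XOR_KEY), ("run",)]


def results() -> dict:
    """All verdicts in one place so the trade-offs can be compared."""
    return {
        "static_scan_of_packed_image": static_scan(IMAGE),
        "fast_sample": emulate(FAST_SAMPLE, IMAGE),
        "slow_sample": emulate(SLOW_SAMPLE, IMAGE),
        "gated_sample_first_run": emulate(GATED_SAMPLE, IMAGE, run_count=0),
        "gated_sample_third_run": emulate(GATED_SAMPLE, IMAGE, run_count=3),
    }


if __name__ == "__main__":
    for case, verdict in results().items():
        print(f"{case:30} {verdict}")
```

Raising the budget turns the slow sample into a detection at the price of the "performance intensive" con; no budget helps with the gated sample, because the condition it waits for lives on the real host, not in the emulator. That is why an emulation verdict of "clean" on an unknown file should be treated as "nothing seen within budget" and left to the runtime layers below.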
• Defense in Depth
– Firewall
– Host based Intrusion Prevention
– Buffer Overflow Protection / Browser Exploit Protection
– Real-time file scanning
– Shields
– Behavior Blocking
Network Filtering
“Block threats before they impact the client”
Behavior Blocking
“Police execution activity”
Storage Filtering
“Don’t let threats persist!”
• Outbound:
– If threats cannot communicate their damage can be limited
– Application control. Only allow known, authorized applications.
• Past
– Safety was defined by seat belts
– Tests checked seat belts in isolation
• Current
– Auto safety is a system
• Anti-lock brakes (ABS)
• Steering stabilization
• Crumple zones
• Airbags (driver, passenger, side)
• Seat belts
Is it fair to say one car is safer than another based only on seat belts?
Threat outcome                                   Auto safety analogy
                                                 Impact, but no damage (bumper)
Never executes                                   Impact, but no injuries
Executes but cannot communicate                  Minor injuries, victims walk away
Communicates but is automatically removed        Major injuries, but survive
Communicates but is removed by definitions       Some fatalities
• Platform
• Method of introduction
• Method of invocation
• Internet connectivity
• Definition Rollback or freeze
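The outcome rows above, together with the test conditions just listed, can be turned into a grading routine that scores a test run by what the threat achieved rather than by whether a file on disk was flagged. This is an added example, not code from the original deck: the event names, the layer prefixes, the extra "blocked before reaching the client" grade (taken from the network-filtering tagline earlier) and every sample run are assumed and constructed for illustration; the other grades are the rows of the outcome table. The lab-bias check is the part a practitioner wants: a run with no Internet connectivity can never show "communicates", and a run against frozen definitions can never show "removed by definitions", so those grades are flagged as a property of the lab rather than of the product.

```python
"""Grade a layered-product test run by what the threat actually achieved.

Added example, not code from the original deck.  The event names, the
layer prefixes, the extra "blocked before reaching the client" grade and
every sample run are assumed/constructed for illustration; the remaining
grades are the rows of the outcome table above.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Worst outcome first; the index doubles as the score for a run.
GRADES = [
    "not removed",                                  # the "fatalities" row
    "communicates but is removed by definitions",
    "communicates but is automatically removed",
    "executes but cannot communicate",
    "never executes",
    "blocked before reaching the client",           # assumed extra grade
]


@dataclass
class TestRun:
    """One sample run under one set of in-the-wild conditions."""
    sample: str
    platform: str
    introduction: str      # how the sample arrived: web, email, usb ...
    invocation: str        # how it was launched: drive-by, double-click ...
    connected: bool        # did the test host have Internet access?
    definitions: str       # "current", or the date definitions were frozen
    events: List[str] = field(default_factory=list)   # "<layer>:<what>"


def grade(run: TestRun) -> str:
    """Map the observed events onto an outcome grade, best evidence first."""
    ev = set(run.events)
    if "network:blocked" in ev:
        return GRADES[5]
    if "host:executed" not in ev:
        return GRADES[4]
    if "network:outbound-connected" not in ev:
        return GRADES[3]
    if "behavior:removed" in ev or "storage:removed" in ev:
        return GRADES[2]
    if "definitions:removed" in ev:
        return GRADES[1]
    return GRADES[0]


def score(run: TestRun) -> int:
    return GRADES.index(grade(run))


def lab_bias(run: TestRun) -> Optional[str]:
    """Flag results the test conditions could not have distinguished."""
    if not run.connected and grade(run) == GRADES[3]:
        return "no connectivity: 'cannot communicate' may be the lab, not the product"
    if run.definitions != "current" and score(run) <= 1:
        return "definitions frozen: a miss may reflect the freeze, not the shipped product"
    return None


def summarise(runs: List[TestRun]) -> List[Tuple[str, int, Optional[str]]]:
    return [(r.sample, score(r), lab_bias(r)) for r in runs]


# Constructed runs: the same sample under different conditions scores differently.
RUNS = [
    TestRun("sample-A", "windows-xp", "web", "drive-by", True, "current",
            ["network:blocked"]),
    TestRun("sample-B", "windows-xp", "email", "double-click", True, "current",
            ["storage:written", "host:executed", "network:outbound-blocked"]),
    TestRun("sample-B", "windows-xp", "email", "double-click", False, "current",
            ["storage:written", "host:executed"]),
    TestRun("sample-C", "windows-xp", "usb", "autorun", True, "current",
            ["storage:written", "host:executed", "network:outbound-connected",
             "behavior:removed"]),
    TestRun("sample-C", "windows-xp", "usb", "autorun", True, "frozen-2007-01",
            ["storage:written", "host:executed", "network:outbound-connected"]),
]


if __name__ == "__main__":
    for sample, sc, note in summarise(RUNS):
        print(f"{sample:10} score={sc} grade={GRADES[sc]!r} {note or ''}")
```

Recording platform, introduction and invocation on every run is what makes the scores comparable across products: a sample that is only ever copied to disk and double-clicked never exercises the network or exploit-protection layers, and its "never executes" grade says nothing about how the product would have fared against the same sample arriving as a drive-by.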
Mark Kennedy
Mark_Kennedy@Symantec.com
310-449-4263
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their
respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information
in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is
subject to change without notice.

The Importance of Re-creating In-the-wild Infection Conditions for Testing Multi-Layered Security Products