SANS ISC: InfoSec Handlers Diary Blog
AV software and "sharing samples"

Published: 2011-03-01
Last Updated: 2011-03-01 01:01:05 UTC
by Daniel Wesemann (Version: 1)
12 comment(s)

A good part of the fight against malware relies on "the good guys" sharing samples and intel. For some reason though, many anti-virus (AV) companies seem to make it exceedingly hard to "extract" usable samples from their tools and quarantines. They insist on a quarantine in proprietary format, and more often than not, the only option given in the GUI is "Send to Vendor" or "Delete".

Send to vendor? Well duh, how about sending to _more than one_ vendor? How about letting me extract the sample in an industry standard format, so that I can share it with the other AV vendors whose products I'm using to protect my corporation or university?

Exasperated by a recent run-in with the quarantine mechanism of a particularly stubborn yellow product, I googled some, and found out that there's actually an IEEE Working Group looking into standardizing an open Malware Exchange format. Good news. Though even better news would be if the format chosen were simply an existing forensic file format, maybe with added encoding or encryption to turn the sample inert.
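To make the "existing format plus encoding to turn the sample inert" idea concrete, here is an added example (my own illustration, not code from this diary, from the IEEE working group, or from any AV vendor). It packs a sample into a hypothetical self-describing container: a small JSON header carrying the sample's SHA-256, size and whatever detection metadata the exporter wants to pass along, followed by the sample XOR'd with a keystream derived from a shared passphrase. The container on disk no longer matches signatures for the original, the receiver can verify integrity after decoding, and a wrong passphrase or a truncated file is rejected instead of yielding garbage. The container layout, the `INRT1` magic, and the sample bytes are all constructed for the example; the passphrase `infected` is the one researchers conventionally use for password-protected sample archives.

```python
"""Pack a malware sample into an inert, self-describing container.

Hypothetical layout (an assumption for this example, not any vendor's format):

    magic "INRT1" | uint32 header length | JSON header | XOR-encoded body

The XOR keystream is obfuscation, not confidentiality: its only job is to make
the file on disk not match signatures for the original sample.
"""
import hashlib
import json
import struct

MAGIC = b"INRT1"


def _keystream(passphrase: bytes, length: int) -> bytes:
    # Counter-mode style keystream: SHA-256(passphrase || counter), concatenated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(passphrase + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def pack_sample(sample: bytes, metadata: dict, passphrase: bytes) -> bytes:
    """Return the container bytes for `sample` with `metadata` in the header."""
    header = dict(metadata)
    header["sha256"] = hashlib.sha256(sample).hexdigest()  # integrity of the decoded sample
    header["size"] = len(sample)
    header["encoding"] = "xor-sha256-ctr"
    hdr = json.dumps(header, sort_keys=True).encode()
    body = _xor(sample, _keystream(passphrase, len(sample)))
    return MAGIC + struct.pack(">I", len(hdr)) + hdr + body


def unpack_sample(container: bytes, passphrase: bytes):
    """Return (header, sample); raise ValueError on bad magic, truncation or hash mismatch."""
    if not container.startswith(MAGIC):
        raise ValueError("not an inert-sample container")
    off = len(MAGIC)
    (hdr_len,) = struct.unpack(">I", container[off:off + 4])
    off += 4
    header = json.loads(container[off:off + hdr_len])
    body = container[off + hdr_len:]
    if len(body) != header["size"]:
        raise ValueError("truncated container")
    sample = _xor(body, _keystream(passphrase, len(body)))
    if hashlib.sha256(sample).hexdigest() != header["sha256"]:
        raise ValueError("hash mismatch: wrong passphrase or corrupted body")
    return header, sample


# Constructed placeholder standing in for a real sample (not malware).
SAMPLE = b"MZ" + b"placeholder payload for the inert-container demo\n" * 8
META = {"detection": "Example.Trojan.Placeholder", "source": "quarantine-host-01"}
PASSPHRASE = b"infected"  # conventional sharing passphrase, used here as the keystream seed


def demo() -> dict:
    """Round-trip the placeholder and report the properties a recipient cares about."""
    container = pack_sample(SAMPLE, META, PASSPHRASE)
    header, recovered = unpack_sample(container, PASSPHRASE)
    try:
        unpack_sample(container, b"wrong-passphrase")
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "inert": SAMPLE not in container,        # original bytes never appear on disk
        "round_trip": recovered == SAMPLE,
        "detection": header["detection"],        # metadata survives the trip
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hash in the header is that the receiving side (another vendor, a sandbox, a colleague) can confirm it decoded the same bytes the sender quarantined before doing anything with them; the XOR layer is deliberately simple because the goal is only to keep the file inert on disk, not to hide it from anyone who holds the passphrase.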

But, no matter which format gets selected eventually, I sure hope that (a) this happens soon and (b) the AV vendors actually adopt the idea and make extracting and sharing samples and intel easier than they do today. Because most of their products today ... to me look a whole lot like the vendors don't care [beep] about their clients' security and efficient malware defense. Not nearly as much as they care about their own revenue.
