Back to Top

Saturday, June 14, 2008

Automated analisys

Disclaimer: the views expressed here are my own, and unless expressly stated, do not necessarily represent the views of any former or current employer.

Automated security analysis is good for dealing with a large flux of (possibly) malicious files, however information resulting from these types of sources must be clearly marked as such (as oppsed of information derived by humans). Example:

In a malware description from TrustedSource we find the following lines (emphasis added):

C:\autorun.inf This is a non malicious text file with the following content:


Clearly this is one of those simplistic infect USB drives type of malware and the autorun.inf file is a key component of. While it is not harmful in it self, it should clearly be removed (an analogy might help: lets say that a malware is composed out of an executable and a dll which it loads. The dll itself is not active unless the executable loads it, but is still should be marked and removed).

In conclusion: automatically generated information is good, but please do mark it as such. And also: in the name of science, question everything:


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.