
How to Assess the Effectiveness of your Anti-virus?

  • Original Paper
  • Journal in Computer Virology

Abstract

I present an approach intended to support the choice of an anti-virus product and to make that choice easier and better founded. Among the qualities one classically expects from an anti-virus product are efficient use of system resources and the responsiveness of the vendor, particularly regarding updates to the viral signature base. While these requirements matter, further methodical and technical verification may be needed before an individual or a company can make a choice. In the Common Criteria evaluation scheme, a protection profile is proposed to help a software manufacturer design a product that can then be evaluated by an independent security evaluation laboratory. Protection profiles are written in accordance with the Common Criteria standard. Starting from a protection profile, we list some tests that could be carried out to validate the security requirements of an anti-virus product. Both the use of a protection profile and the specification of tests appear to be a valuable basis for measuring the confidence that can be granted to an anti-virus product.



Corresponding author

Correspondence to Sébastien Josse.

Cite this article

Josse, S. How to Assess the Effectiveness of your Anti-virus?. J Comput Virol 2, 51–65 (2006). https://doi.org/10.1007/s11416-006-0016-y
