Hurricane approach: 'false positive' whens, not ifs

Mario Vuksan (Bit9)

Are we our own worst enemy? Over-detection of malicious samples (especially through heuristics and behavioral methodologies) is a time bomb for many vendors. In the world of rapidly accelerating signature/definition count, 'false positive' risks are growing rapidly.

With the increasing load of incoming malware, a new set of techniques for managing malicious samples has become popular, from multiple automated tools utilizing heuristics and behavioural techniques to reliance on multiple scanners and over-emphasis on packer/protector detections. To be sure, all of these are valuable when used properly.

This session will:

  • Introduce a mean 'false positive' factor for standard and heuristics detections
  • Describe how 'false positive' sensitivity compares with the scanner detection rates in normal, heuristic and behavioural modes
  • Illustrate typical 'false positive' scenarios
  • Examine the list of files that are most likely to create false positives
  • Investigate automation traps, such as relying on multi-scanning as a discovery tool
  • Look at packer detections (false vs. correct) and how to weed out false packer detections
  • Correlate scanner crashes with false packer detections (and subsequent unpacking if applicable)
  • Outline division between packed/unpacked content among goodware vs. malware
  • Address problems with incorrect unpacking
  • Illustrate packing/protecting prevalence among goodware (why should you care?)
  • Investigate good applications that pack (Upack/UPX) known redistributables (e.g. MSVCRT dlls)
  • Look at scanner mean time to crash averages and packing detections
  • Call on a file database for help with finding obvious 'false negatives' and weeding out registry entry false positives
