I actually find the technical details behind how the antivirus engine works far more fascinating than the flaws in said engine. As Tavis said, most antivirus companies don't publish details about their engines, so, flawed or not, learning how Sophos does it is interesting.
Me too. I am actually researching heuristic engines and I can assure you that there isn't a research field so mysterious and jealously protected as antivirus technologies.
Inside: "Ormandy works by day as a security engineer at Google but said he was representing only himself at the conference and that his research had been done on his own time, without the company’s knowledge or support." (my emphasis)
I sense...Bullshit Title Tacked on by Asshole Managing Editor.
When Ormandy, working for himself, reported flaws in Microsoft's software last year, Mike Reavey (Director of Microsoft Security Response Center) did the same thing and scoffed at "Google" multiple times in its communication:
"argued that it would be unlikely that malware writers would tailor their code to exploit flaws in Sophos given that it controls only 10% of the enterprise market"
It seems to be a ridiculous argument to make. This would still not rule out targeted attacks.
Damage control: "Don't worry, we're only 10%! Look at someone else, they have more market so it's more dangerous for them to have problems like these!"
I've used it in the past as an argument for why there are fewer exploits for Macs, which is different. That is, security is an inherent property, whereas the presence of exploits is a function of that security and interest.
“If you examine a system’s security and it’s weakened, that system is flawed,” says Ormandy.
With things like encryption schemes, definitely. But is this true for detecting malicious behavior? If you show your criteria for finding it, doesn't that tell malware writers how to avoid detection?
If I'm wrong - if openly saying "these are our criteria for identifying bad behavior" won't help people avoid it - then shouldn't Google release its criteria for identifying spam sites? I don't see Ormandy advocating for that.
http://lock.cmpxchg8b.com/Sophail.pdf