My latest presentation May 8, 2007

Posted by Dave Marcus in General Security, Malware, Presentations.

I posted recently about a presentation I was about to give at the DoDIIS Conference. I am pleased to say that it went well. I really like these types of conferences best – smaller venue, smaller rooms – ’cause it lends itself better to really good Q&A. I think presentations are truly about Q&A. I think it is the ultimate test of whether or not you have connected with an audience.

The presentation itself was about malware trends. Two areas in general:

  • Financial Trends in Malware
  • Stealth in Malware

We then had some really good discussions about rootkits and proactive detection in anti-malware technology. I always like discussing proactive detection, which usually comes from the “AV is dead” line of discussion. This area of discussion is a great opportunity to discuss the different types of “signature” or driver detections. Most exponents of the whole “AV is dead” line of thinking simply do not truly understand the main types of detections – specific, generic and heuristic. Most tend to think that AV detection is solely specific signature (or driver) detection. This usually gives rise to the whole “AV is dead” line of thinking. A friend of mine at McAfee, Greg Day, does a great job of explaining the differences in a paper he presented at VB2005.
