Presented at the International Antivirus Testing Workshop 2007 by Prof. Dr. Klaus Brunnstein, University of Hamburg, Germany

8. AGN Anwendungen der Informatik in Geistes- und Naturwissenschaften

20. 3A.1 Test System: Lab Network DOS Win 95 Win NT WXP Client 3 Win NT 100 Mbit Ethernet using Microsoft Netbui Client 1 Client 2 Server

23. 3A.3 Test System: Databases Boot virus database Saved as images of bootsectors and master boot records File virus database File extentions: boo, img, mbr File extentions: COM,EXE,CMD,SYS, BAT The directory structure is created out of the virus names The files are in their original structure

25. 3A.5 Early Test System Size (1997) Boot virus database : images: 3910 viruses: 1004 File virus database : files: 84236 viruses: 13014 Macro virus database : files: 2676 viruses: 1017 Macro malware database: files: 61 malware: 89 File malware database: files: 213 malware: 163

27. 3A.7a Preprocessing of new objects (#1/4) Unzip the archives Reset all file attributes Sort all files into main categories (boot, file, macro) Restore the normal file extensions (e.g. .EX_ ==> .EXE)

28. 3A.7b Preprocessing of new objects (#2/4) Remove with Dustbin all known non-viruses Search for duplicate files (binary identical) First step: only the new files Second step: new files and old database Third step: delete all duplicate files Replication of all new files to test if they are „alive“ (partially applied in test 1997-07)

29. 3A.7c Preprocessing of new objects (#3/4) Scan new files and previous databases with F-Prot, Dr. Solomon and AVP to create report files Move the non viruses (trojan, dropper, germs) into a special directory Preprocessing reports using CARO.bat If a virus is operating-system specific, it is sorted into the corresponding subdirectory below the specific OS-Directory (Win95, WinNT, OS/2)

30. 3A.7d How CARO.BAT works (#4/4): The subdirectory name is created out of the virus name. The dots between the family names, sub family, main variant and sub variant are substituted with backslashes. All characters except a-z, 0-9, „-“ and „_“ are substituted with „_“. If a file with the same name already exists, the new file in this directory is renamed. If F-Prot identifies a virus by name, the file is moved into the corresponding subdirectory below the NYETCARO directory If Dr. Solomon identifies a virus by name, the file is moved into the corresponding subdirectory below the NYETCARO directory If AVP identifies a virus by name, the file is moved into the corresponding subdirectory below the NYETCARO directory If all three scanners identify a virus by the same name, the file is moved into the corresponding subdirectory below the CARO-Directory

33. 3A.10 Test Procedures for file/macro viruses Start Test-Version of the OS Install scanner Scan and save report to the network Reboot with Master System Delete Test-Version and restore from backup Start from beginning

34. 3A.11 Test Results, Evaluation 1) UNIX-Tools and AWK-Scripts are used to evaluate the reports; in cases of changed scanner diagnostics, scripts must be adapted. 2) Create an alphabetical list, which contains for each directory the directory name and the number of files in the directory 3) Analyse how many files are scanned and recognized for each scanner report. 4) Sort and join the reports ( directory listing - preprocessed scanner report ) 5) Evaluate the joined report 6) Quality assurance

39. Antiviren-Test 2002-12 Erkennung unter Windows 2000

40. Antiviren-Test 2002-12 Erkennung unter Windows 2000

41. Antiviren-Test 2002-12 Erkennung unter Windows 2000

52. 4.1 Contemporary Solution: „Tower of IT“ A B B WAN Protected LAN AM AM LAN U1 KryptoBox Firewall Intrustion Detection AntiMalware KryptoBox Malicious Information Zone Red: NO PROTECTION Zone Blue: Hi-Protection Zone Yellow: Partial Protection U#