ESET Conference Papers
Same Botnet, Same Guys, New Code
By Pierre-Marc Bureau
A paper describing the functionality and P2P protocol of Win32/Kelihos, its evolution and its points of similarity to Win32/Nuwar (Storm) and Win32/Waledac.
First published in Virus Bulletin 2011 Conference Proceedings*
Fake But Free and Worth Every Cent
By Robert Lipovsky, Daniel Novomesky, Juraj Malcho
Two years on from "Is there a lawyer in the lab", greyware and Possibly Unwanted Applications offer serious challenges for security vendors.
First published in Virus Bulletin 2011 Conference Proceedings*
Daze of Whine and Neuroses
By David Harley and Larry Bridwell
The Anti-Malware Testing Standards Organization (AMTSO) has shaken up the AV testing world and attracted much controversy. But has it outlived its usefulness? And what is the future of detection testing?
First published in Virus Bulletin 2011 Conference Proceedings*
Security Software & Rogue Economics: New Technology or New Marketing?
By David Harley
Presented at the 2011 EICAR conference in May 2011, this paper contrasts existing malicious and legitimate technology and marketing, considering ways in which integration of security packages might mitigate the current wave of fake applications and services.
The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
By Joan Calvet, Carlton R. Davis, José M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, and Anil Somayaji
This paper, presented at the Annual Computer Security Applications Conference (2010), and to which ESET's Pierre-Marc Bureau was a contributor, discusses alternative approaches to understanding botnet mechanisms, using "in the lab" experiments involving at-scale emulated botnets.
Test Files and Product Evaluation: the Case for and against Malware Simulation
By David Harley, Lysa Myers and Eddy Willems
This paper, presented at the 2010 AVAR conference, summarizes the kind of problems that arise when simulated malware is used inappropriately in detection testing, with particular emphasis on the history and correct use of the EICAR test file.
Large-Scale Malware Experiments: Why, How, And So What?
By Joan Calvet, Jose M. Fernandez, Pierre-Marc Bureau, and Jean-Yves Marion
How and why a group of researchers replicated a botnet for experimental purposes, and what use they made of the results.
First published in Virus Bulletin 2010 Conference Proceedings*
AV Testing Exposed
By Peter Kosinár, Juraj Malcho, Richard Marko, and David Harley
Considers the good, the bad, and the ugly in comparative testing, and explores how to lie (or even inadvertently mislead) with detection statistics.
First published in Virus Bulletin 2010 Conference Proceedings*
Call of the WildList: Last Orders for WildCore-Based Testing?
By David Harley and Andrew Lee
Does WildList testing still have a place in testing and certification when dynamic and whole product testing methodologies are now preferred in most testing contexts?
First published in Virus Bulletin 2010 Conference Proceedings*
SODDImy and the Trojan Defence
By David Harley
This paper looks at the implications in the age of the botnet of the "Some Other Dude Did It" and "it must have been a Trojan" defences against conviction for possession of illegal material, especially pornography.
Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.
Antivirus Testing and AMTSO: Has Anything Changed?
By David Harley
A summary of how the Anti-Malware Testing Standards Organization has developed in the past few years and the way in which the AV and testing industries have responded to those developments.
Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.
Real Performance?
By Ján Vrabec and David Harley
This paper objectively evaluates the most common performance testing models (as opposed to detection testing) used in anti-malware testing, highlighting potential pitfalls and presenting recommendations on how to test objectively and how to spot a potential bias.
First presented at EICAR 2010 and published in the Conference Proceedings.
Perception, Security, and Worms in the Apple
By David Harley, Pierre-Marc Bureau and Andrew Lee
Apple's customer-base has rejoined the rest of the user community on the firing line. This paper will compare the view from Apple and the community as a whole with the view from the anti-virus labs of the actual threat landscape.
First presented at EICAR 2010 and published in the Conference Proceedings.
Macs and Macros: the State of the Macintosh Nation
By David Harley
This 1997 paper reviews the shared history of viruses and the Mac, summarizes the 1997 threatscape, and considers possibilities and strategies for the future. It's been made available for historical interest because so many people asked about it at EICAR 2010.
First published in Virus Bulletin 1997 Conference Proceedings.*
Please Police Me
By Craig Johnston and David Harley
This paper looks at the ethical, political and practical issues around the use of "policeware", when law enforcement and other legitimate agencies use "cybersurveillance" techniques based on software that resembles some forms of malware in its modus operandi.
First presented at AVAR 2009 in Kyoto, and published in the Conference Proceedings.*
Malware, Marketing and Education: Soundbites or Sound Practice?
By David Harley and Randy Abrams
This paper considers the practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole.
First presented at AVAR 2009 in Kyoto, and published in the Conference Proceedings.*
Malice Through the Looking Glass: Behaviour Analysis for the Next Decade
By Jeff Debrosse and David Harley
This paper considers steps towards a holistic approach to behaviour analysis, using both social and computer science to examine the behaviours by both criminals and victims that underpin malware dissemination.
First published in Virus Bulletin 2009 Conference Proceedings.*
Whatever Happened to the Unlikely Lads? A Hoaxing Metamorphosis
By David Harley and Randy Abrams
This paper traces the evolution of email-borne chain letters, from crude virus hoaxes to guilt-tripping semi-hoaxes, and examines both their (generally underestimated) impact on enterprises and individuals, and possible mitigations.
First published in Virus Bulletin 2009 Conference Proceedings.*
Is there a lawyer in the lab?
By Juraj Malcho
This paper by the Head of ESET's Virus Laboratory explores the complex legal problems generated by applications that can't be called out-and-out malware, but are nevertheless potentially unsafe or unwanted.
First published in Virus Bulletin 2009 Conference Proceedings.*
The Game of the Name: Malware Naming, Shape Shifters and Sympathetic Magic
By David Harley
This paper follows up on "A Dose By Any Other Name", explaining why sample glut and proactive detection have sounded the death knell of the "one detection per variant" model.
Presented at the 3rd Cybercrime Forensics Education & Training (CFET 2009) Conference in September 2009.
Execution Context in Anti-Malware Testing
By David Harley
This paper explains why comparative test results based on static testing may seriously underestimate and misrepresent the detection capability of some products using proactive, behavioural techniques such as active heuristics and emulation.
First published in EICAR 2009 Conference Proceedings.
Understanding and Teaching Bots and Botnets
By Randy Abrams
Second in a series illustrating innovative ways of teaching the concepts behind a major security issue, the paper shows how botmasters capture computers and "recruit" them into virtual networks to use them for criminal purposes.
First published in Virus Bulletin 2008 Conference Proceedings.*
People Patching: Is User Education Of Any Use At All?
By Randy Abrams and David Harley
Presents the arguments for and against education as an antimalware tool, and how to add end users as an extra layer of protection in a defense-in-depth strategy.
AVAR Conference 2008
Who Will Test The Testers?
By David Harley and Andrew Lee
Making anti-malware testers and certifying authorities more accountable for the quality of their testing methods and the accuracy of the conclusions they draw, based on that testing.
First published in 2008 Virus Bulletin Conference Proceedings.*
A Dose By Any Other Name
By David Harley and Pierre-Marc Bureau
Tries to answer questions like: why is there so much confusion about naming malware? Is 'Do you detect virus X?' the wrong question in today's threat landscape?
First published in Virus Bulletin 2008 Conference Proceedings.*
Understanding and Teaching Heuristics
By Randy Abrams
Understanding and teaching the basic concepts behind heuristic analysis and how it is used in the anti-malware industry.
AVAR Conference 2007
Teach Your Children Well - ICT Security and the Younger Generation
By David Harley, with Eddy Willems and Judith Harley
Research based on surveys in Belgium and the UK on teenage understanding of internet security issues.
First published in 2005 Virus Bulletin Conference Proceedings.*
Testing, testing: Anti-Malware Evaluation for the Enterprise
By David Harley and Andrew Lee
Looks at appropriate and inappropriate ways of testing anti-malware products.
AVAR Conference 2007
Phish Phodder: Is User Education Helping or Hindering
By David Harley and Andrew Lee
Evaluates research on susceptibility to phishing attacks, and looks at web-based educational resources such as phishing quizzes. Do phished institutions and security vendors promote a culture of dependence that discourages computer users from helping themselves?
First published in 2007 Virus Bulletin Conference Proceedings.*
From Fun to Profit
By Andrew Lee and Pierre-Marc Bureau
Presents an overview of the evolution of malicious software, focusing on the objectives of this type of program to provide evidence for their predictions as to how it will evolve in the years to come.
Infosec Paris 2007
Microsoft anti-virus — extortion, expedience or the extinction of the AV industry?
By Randy Abrams
Looks at the changes in the corporate culture at Microsoft and the company's re-entry into the anti-malware market. Will it reduce diversity of choice, and will it leave users in any better shape than MSAV did in the 1990s?
First published in Virus Bulletin Conference 2006 proceedings.*
* Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge, by permission of Virus Bulletin.
Articles by or featuring ESET Researchers
AMTSO: the Test of Time?
By David Harley, January 2011
An article for Network Security - now available for purchase from Elsevier - that looks at the present state of the Anti-Malware Testing Standards Organization. Can AMTSO really continue to build on its achievements so far?
Socialisation, social engineering, and securing the enterprise
By David Harley, November 2011
An article for (ISC)2's Security Zone column in Computer Weekly, on how businesses should empower all IT users to play an active part in protecting corporate data.
Hearing a PIN drop
By David Harley, September 2011
An article for Virus Bulletin offering preliminary results from research into selection strategies for numeric passcodes such as ATM and smartphone PINs.
Originally published in Virus Bulletin, September 2011.*
Security Zone: Antivirus testing standards at a crossroads
By David Harley, May 2011
An article for Computer Weekly (May 2011) that suggests that the latest paper approved and released by AMTSO may be its most important document in years.
TDSS part 1: The x64 Dollar Question
By Aleksandr Matrosov, Eugene Rodionov & David Harley, April 2011
Considers and contrasts the distribution and installation of the TDL3 and TDL4 bootkits.
TDSS part 2: Ifs and Bots
By Aleksandr Matrosov, Eugene Rodionov & David Harley, April 2011
Looks in more depth at the internals of the TDSS malware.
TDSS part 3: Bootkit on the other foot
By Aleksandr Matrosov, Eugene Rodionov & David Harley, April 2011
The last part of the series describes the TDSS loading process.
Perfect Ten: Truth and Prognostication
By David Harley, January 2011
David Harley meditates on security soothsaying and takes a peek into his own crystal ball.
Is Facebook Good for your Health?
By David Harley, December 2010
Is the UK's National Health Service betraying its own principles by allowing Facebook to track visitors to its NHS Choices site?
Once More 'Round the AMTSO Wheel of Pain
By David Harley, November 2010
How the Anti-Malware Testing Standards Organization's new subscription model will enable the community at large to participate in its activities.
Rooting about in TDSS
By Aleksandr Matrosov & Eugene Rodionov, October 2010
This article for Virus Bulletin describes a utility for dumping the TDSS rootkit's file system.
Originally published in Virus Bulletin, October 2010.*
SC Magazine interview: David Harley, senior research fellow at ESET
By Dan Raywood of SC Magazine, October 2010
An interview with ESET's David Harley, former manager of the Threat Assessment Centre in the United Kingdom's National Health Service, in which he talks about security and the NHS.
Security Zone: Faking IT support
By David Harley, October 2010
An article for (ISC)2's regular column in Computer Weekly on the similarities between rogue AV and fake support scams.
Chim Chymine: a Lucky Sweep?
By David Harley, September 2011
Analysis of bottom feeder malware that climbed onto the Stuxnet 0-day bandwagon.
Originally published in Virus Bulletin, September 2010.*
Stuxnet Sux or Stuxnet Success Story?
By David Harley, September 2010
Article for Security Week on the vulnerabilities and incident dispersion behind Stuxnet, perhaps 2010's most interesting malware.
Shortcuts to Insecurity: .LNK Exploits
By David Harley, August 2010
An article for Security Week on the .LNK vulnerability classified as CVE-2010-2568 and exploited by Win32/Stuxnet, among other malicious programs.
Fake AV, Fake Support
By David Harley, July 2010
An article for Security Week, about scammers cold-calling potential victims to offer to clean non-existent malware and install pirated antivirus software.
PWN2KILL, EICAR and AV: Scientific and Pragmatic Research
By David Harley, June 2010
An article for Virus Bulletin on the implications of the PWN2KILL challenge at iAWACS 2010: is this the new face of AV testing?
Originally published in Virus Bulletin, June 2010.*
Anti-Malware Testing - Industry Insight
By David Harley, June 2010
ESET's Sr. Research Fellow and member of AMTSO's Board of Directors considers whether AMTSO is engaging with the public as well as it might.
TDL3: The Rootkit of All Evil?
By Aleksandr Matrosov and Eugene Rodionov, June 2010
Subtitled "Account of an Investigation into a Cybercrime Group", this is a comprehensive consideration, by researchers with ESET's partners in Russia, of the distribution and the internals of the TDL3 Rootkit, and the involvement of the Dogma Millions group.
Apple, Security, and the Power of Perception
By David Harley, April 2010
A short presentation on Apple security for InfoSecurity Europe, based on a paper subsequently presented in more detail at EICAR 2010 and available here.
AMTSOlutely Fabulous
By David Harley, April 2010
A Spotlight article about what AMTSO has achieved so far and what might lie ahead. Featured in January 2010's Virus Bulletin and hosted on the AMTSO web site.
Originally published in Virus Bulletin, June 2010.*
The Weakest Computer Security Link
By Juraj Malcho, March 2010
Article in CTO Edge that explains how social engineering is used to trick computer users into downloading malware.
Crimeware and Current Hot Threats
By David Harley, March 2010
Article for Infosecurity Magazine that reviews both the tried-and-true and the latest methods that online criminals are using to steal information, and your money.
Facebook, Chain Letters are so Last Decade
By David Harley, March 2010
An article in Global Security Mag that discusses the evolution of yesterday's virus hoaxes and other chain letters to social networking sites like Facebook and Twitter.
Fact, Fiction and the Internet
By David Harley, January 2010
Discusses the increasing dangers of incautious use of social networking in an age where the regulation and use of data by financial and other institutions has not kept pace with a changing online world.
Never Mind Having Fun: Are We Safe Yet?
By David Harley, August 2009
Review of "Is it safe? Protecting your computer, your business, and yourself online" by Michael Miller (Que).
Originally published in Virus Bulletin, March 2009.*
CARO mio, AMTSO mon amour
By David Harley, June 2009
Commissioned article on the CARO (Computer Antivirus Researchers Organization) and AMTSO (Anti-Malware Testing Standards Organization) workshops in Budapest in May.
Originally published in Virus Bulletin, June 2009.*
The Myth of Fingerprints
By David Harley, March 2009
Published in Infosecurity magazine, Volume 6, Issue 2. Why the traditional naming conventions for malware no longer make sense. For purchase from Elsevier.
Making sense of anti-malware comparative testing
By David Harley, March 2009
In "Information Security Technical Report". For purchase from Elsevier. Addresses the problems around anti-malware testing and evaluation, and describes the industry's initiatives for mitigation.
Making sense of anti-malware comparative testing
By David Harley, March 2009
A pre-print version of the above article in "Information Security Technical Report" is available on David's personal web site, with the permission of the publisher.
Malware testing
By David Harley, November 2008
Considers the early impact of AMTSO, the Anti-Malware Testing Standards Organization, on the testing industry.
Yet Another Rustock Analysis...
By Lukasz Kwiatek and Stanislaw Litawa, August 2008
A detailed analysis of the Rustock.C rootkit and some of its self-defensive measures.
Originally published in Virus Bulletin, August 2008.*
Macs and malware: What are the dangers?
By David Harley, July 2008
Reviews some of the reasons why Macintosh computers in corporate environments need protection.
The trouble with testing anti-malware
By David Harley, January 2008
An overview of the problems that make most anti-malware tests so unreliable.
Fixing the virus problem?
By Andrew Lee, July 2006
Takes a realistic look at how far Vista can be expected to mitigate the user's exposure to malicious code.
Phish Fingering
By David Harley, July 2006
Review of "Phishing Exposed", Lance James's book for Syngress.
Originally published in Virus Bulletin, July 2006.*
War of the Words and I spy
By David Harley, September 2006
Reviews of Robert Slade's "Dictionary of Information Security" and "Combating Spyware in the Enterprise", by Baskin et al., both published by Syngress.
Originally published in Virus Bulletin, September 2006.*
Re-Floating the Titanic: Dealing with Social Engineering Attacks
By David Harley, 1998 [sic]
A paper originally presented at the 1998 EICAR conference, but which is currently being cited by a number of other resources due to its still topical taxonomical content and observations on good password practice.
* Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge, by permission of Virus Bulletin.
ESET White Papers
Trends for 2012: Malware Goes Mobile
By ESET Latin America, January 2012
ESET Latin America's Malware Analysis Lab looks at the implications of changes in the threat landscape, focusing in particular on anticipated developments in mobile threats.
Ten Ways to Dodge CyberBullets: Reloaded
By David Harley, December 2011
An updated version of the paper "Ten Ways to Dodge CyberBullets", addressing the question "what are the top 10 things that people can do to protect themselves against malicious activity?"
Problematic, Unloved and Argumentative: What is a potentially unwanted application (PUA)?
By Aryeh Goretsky, November 2011
What is a potentially unwanted application (PUA)? This paper gives some examples of "potentially unwanted" and "potentially unsafe" applications, explaining how they differ from out-and-out malware.
Win32/Carberp: When You're in a Black Hole, Stop Digging
By Aleksandr Matrosov, Eugene Rodionov, Dmitry Volkov and David Harley, December 2011
This paper consolidates information published by ESET and Group-IB researchers on Russian malware that attacks Russian RBS (Remote Banking Systems) transactions: now updated to version 1.1 to include additional material.
Options for backing up your computer
By Aryeh Goretsky, August 2011
If you know you need to back up your data but you're not sure how to do it, here's a practical guide on how to get started.
Hodprot: Hot to Bot
By Eugene Rodionov, Aleksandr Matrosov, and Dmitry Volkov, August 2011
A comprehensive analysis of Win32/Hodprot, one of the families of malware most used in banking fraud in Russia and its neighbours.
The Evolution of TDL: Conquering x64 (revision 1.1)
By Eugene Rodionov and Aleksandr Matrosov, June 2011
A comprehensive analysis of the TDSS/Olmarik/Alureon family, which has learned some radical new tricks. Updated to include information on a new plugin making radical changes to Olmarik's botnet.
Hanging on the Telephone
By David Harley, Urban Schrott and Jan Zeleznak, February 2011
As if fake anti-virus products weren’t bad enough, nowadays we have unsolicited phone-calls from fake AV helpdesks. ESET researchers tell you more about support scams.
Stuxnet Under the Microscope
By Alexandr Matrosov, Eugene Rodionov, David Harley and Juraj Malcho, January 2011
Version 1.31 of a comprehensive analysis of the Stuxnet phenomenon, updated to add pointers to additional resources. This is probably the last update of the document, but further relevant resources will be added to a list here.
Trends for 2011 - Botnets and Dynamic Malware
By ESET Latin America, November 2010
Researchers from ESET's Laboratories in Latin America summarize the main trends anticipated for 2011 in malicious programs and antivirus security.
Twenty Years Before the Mouse
By Aryeh Goretsky, June 2010
Written in the form of a personal retrospective, this paper compares the earliest days of PC computer viruses with today’s threats, as well as provides a glimpse into the origins of the computer anti-virus industry.
A Tried and True Weapon: Social Engineering
By Cristian Borghello, translated by Chris Mandarano, added April 2010
A discussion of some of the ways in which attackers use psychological manipulation to trick their victims.
Choosing Your Password
By David Harley, added April 2010
Some ways of avoiding easily guessable passwords.
Ten Ways to Dodge CyberBullets
By David Harley, February 2010
Around New Year it seems that everyone wants a top 10: the top 10 most stupid remarks made by celebrities, the 10 worst-dressed French poodles, the 10 most embarrassing political speeches and so on. We revisited some of the ideas that our Research team at ESET North America came up with at the end of 2008 for a "top 10 things that people can do to protect themselves against malicious activity."
Conficker by the numbers
By Sebastián Bortnik, February 2010
This is a translation for ESET LLC of a document previously available in Spanish by ESET Latin America (see http://eset-la.com/centro-amenazas/2241-conficker-numeros).
The Internet Book of the Dead
By David Harley, January 2010
This paper is a bit different from other papers you'll find on the ESET white papers page. Following is a mock interview between Dan Damon, of BBC radio and David Harley discussing the complications of a digital world when someone passes away.
2010: Cybercrime Coming of Age
January 2010
The Research teams in ESET Latin America and ESET North America put their heads together in December 2009 to discuss the likely shape of things to come in the next 12 months in security and cybercrime.
Staying Safe on the Internet
By David Harley, September 2009
On the Information Superhighway, the traffic signals are always at amber. Here are some suggestions for reducing the risk from collisions and carjacks. Part One of a series of short papers.
Keeping Secrets: Good Password Practice
By David Harley and Randy Abrams, August 2009
Everyone knows that passwords are important, but what is a good password and how do you keep it safe?
Social Security Numbers: Identification is Not Authentication
By David Harley, August 2009
Americans are often expected to share their SSNs inappropriately: what are the security implications, and how serious are they?
Playing Dirty
By Cristian Borghello, August 2009
Describes in detail how criminals make money out of stealing online gaming credentials and assets.
Cybersecurity Review: Background, threatscape, best-practices and resources
By Jeff Debrosse
Cybersecurity is about protecting information and its related resources. This paper examines the different threats we face from cybercrime (the threatscape), real-world statistics to explain the scope and reach of cybercrime, and consumer and business best-practices — to protect both critical and non-critical information.
Free but Fake: Rogue Anti-malware
By Cristian Borghello, March 2009
Understanding and avoiding fake anti-malware programs that offer "protection" from malware that doesn't really exist.
Common Hoaxes and Chain Letters
By David Harley, May 2008
An ongoing series of papers that describe some of the commonly-found lies and half-truths that continue to circulate on the Internet, and discuss some ways of identifying them.
Net of the Living Dead: Bots, Botnets and Zombies
By David Harley and Andrew Lee, February 2008
Describes the botnet phenomenon in detail: its origins and history, current trends, and what you need to do about it.
The Spam-ish Inquisition
By David Harley and Andrew Lee, November 2007
A detailed overview of spam, scams and related nuisances, and some of the ways of dealing with them.
ESET Smart Security 4
By ESET Research Department, February 2009
A detailed overview of ESET's flagship security package by the team that brings you the ESET series of product-independent threat analyses.
A Pretty Kettle of Phish
By David Harley and Andrew Lee, July 2007
Understand and avoid the attentions of phishers and other Internet scammers.
Heuristic Analysis - Detecting Unknown Viruses
By David Harley and Andrew Lee, March 2007
A detailed analysis of the differences between traditional threat-specific detection and proactive detection by generic detection and behavior analysis.
The root of all evil? - Rootkits revealed
By David Harley and Andrew Lee, September 2006
This paper describes and de-mythologizes the rootkit problem, a serious but manageable threat.
The Passing Storm
By Pierre-Marc Bureau, David Harley, Andrew Lee, and Cristian Borghello, February 2009
The Storm botnet may have blown itself out, but its legacy remains. This paper places Storm in the context of botnets in general, examining its technical, social, and security implications.
Other White Papers
Endpoint Security: Proactive Solutions for Networkwide Platforms
By Andrew J. Hanson, Brian E. Burke and Gerry Pintal
IDC # 216642
Beyond Signature-Based Antivirus: New Threat Vectors Drive Need for Proactive Antimalware Protection
By Brian E. Burke
Adapted from Worldwide Antivirus 2006-2010 Forecast Update and 2005 Vendor Analysis. IDC #204715
Malware Detection Techniques
By Frost & Sullivan
ESET Presentations
APT: Real Threat or Just Hype?
By David Harley, November 2011
Recording of the keynote panel at the Infosecurity 2011 Fall Virtual Conference, at which David presented on "APTitude Adjustment" as well as participating in the subsequent discussion.
Daze of whine and neuroses (but testing is FINE)
By David Harley and Larry Bridwell, October 2011
Slides are now available from the Virus Bulletin 2011 presentations page as a PDF. This slide deck accompanies the Virus Bulletin paper that asks whether the Anti-Malware Testing Standards Organization (AMTSO) has outlived its usefulness, and what the future of detection testing might be.
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
By Aleksandr Matrosov and Eugene Rodionov, October 2011
This presentation continues the authors' consideration of modern bootkit techniques for evading kernel mode code signing policy as applied to currently In-the-Wild malware.
Defeating x64: Modern Trends of Kernel-Mode Rootkits
By Aleksandr Matrosov and Eugene Rodionov, September 2011
A presentation for the Ekoparty 2011 conference in Buenos Aires, looking in detail at the ways in which rootkit and bootkit authors try to evade kernel-mode code signing policy in 64-bit Windows versions.
Security Software and Rogue Economics: The Presentation
By David Harley, May 2011
The presentation and speaker notes to accompany the paper presented at the EICAR 2011 conference. It contrasts existing malicious and legitimate technology and marketing, considering ways in which integration of security packages might mitigate the current wave of fake applications and services.
Defeating x64: The Evolution of the TDL Rootkit
By Aleksandr Matrosov and Eugene Rodionov, May 2011
A presentation for Confidence 2011, held in May 2011 in Krakow, on the analysis and implications of the latest generation of the TDL rootkit (TDL4).
Cybercrime in Russia: Trends and issues
By Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov, May 2011
An analysis of cybercrime threats, incidents, and issues in Russia presented at the CARO Workshop in Prague in May 2011.
Infrastructure Attacks: The Next Generation?
By David Harley, April 2011
The slide deck for a presentation delivered at Infosecurity Europe 2011, examining the Stuxnet phenomenon and what it holds for the future. Updated to include speaker notes.
Perception, Security and Worms in the Apple
By David Harley, Pierre-Marc Bureau, Andrew Lee, May 2010
The slide deck that accompanies the paper on Mac security presented by the authors at EICAR in May 2010.
Real Performance?
By Ján Vrabec and David Harley, May 2010
The slide deck that accompanies the paper on performance testing presented by the authors at EICAR in May 2010.
The Curious Art of Anti-Malware Testing
By David Harley, December 2009
A presentation on some of the problems with anti-malware testing and summarizing the mission and principles of the Anti-Malware Testing Standards Organization (AMTSO).
Presented to the Special Interest Group in Software Testing of the BCS Chartered Institute for IT (formerly the British Computer Society).
Malware, Marketing and Education: Soundbites or Sound Practice?
By David Harley and Randy Abrams, December 2009
This presentation accompanies the paper of the same name, which considers the practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole.
First presented at AVAR 2009 in Kyoto.
Is there a lawyer in the lab?
By Juraj Malcho, September 2009
This presentation by the Head of ESET's Virus Laboratory explores the complex legal problems generated by applications that can't be called out-and-out malware, but are nevertheless potentially unsafe or unwanted.
Presented at the VB2009 conference in September 2009: the conference paper itself is available in "ESET Conference Papers" above, by kind permission of Virus Bulletin.
Independent Tests
Comparative Tests
By Virus Bulletin, August - December 2011
Comparative Tests
By Virus Bulletin, February - June 2011
Comparative Tests
By Virus Bulletin, August - December 2010
Comparative Tests
By Virus Bulletin, February - June 2010
Retrospective/Proactive Test
By AV-Comparatives, November 2010
On-Demand Detection Test
By AV-Comparatives, August 2010
Retrospective/Proactive Test
By AV-Comparatives, May 2010
On-Demand Detection Test
By AV-Comparatives, February 2010
Product Review and Certification Report (Windows XP)
By AV-Test, 2010/Q3
Product Review and Certification Report (Windows 7)
By AV-Test, 2010/Q2
ESET Smart Security Business Edition Comparative Testing
By West Coast Labs, September 2008
Some recent figures from AV-Test are available on the Virus Bulletin web site: other AV-Test reports are available from http://av-test.org/.
A summary of past test results for all AV vendors can be found here — this requires (free) registration with the site. Full details of individual tests, as reported in Virus Bulletin magazine, are available only to subscribers.
Past AV-Comparative test reports are archived at av-comparatives.org, along with information on report updates, testing methodology and FAQs.
Anti-Malware Testing and Evaluation
How do you tell good tests from not-so-good tests? ESET is very actively represented in the Anti-Malware Testing Standards Organization (AMTSO) which is dedicated to raising the standard of anti-malware testing across the board. One of the ways in which this is being done is by making available documentation that will help aspiring testers and their audiences to understand detection testing issues better.
Untangling the Wheat from the Chaff in Comparative Anti-Virus Reviews
By David Harley
This independent white paper provides a guide to spotting some common errors in the implementation of the anti-malware comparative tests, and was one of the documents referenced in the AMTSO "Fundamental Principles of Testing" document.
The original English version of "Best Practices for Dynamic Testing" is available on the AMTSO site. It is also available in Spanish by courtesy of ESET Latin America.
