
Live from VB2006

Thursday, October 12, 2006 at 11:31am by Joe Telafici

I’m here at the booth at VB2006 skipping lunch to write some thoughts and observations from lovely Montreal, where the weather, at least today, is very much reminding me of home back in Portland, Oregon.

The conference is a three-day affair again this year, and was preceded by a day of meetings by various industry and user consortia and groups. We began by discussing new testing and certification methodologies designed to go beyond the standard approach of “scan a static collection and count how many were detected.” It’s probably not apparent to most people exactly how much thought, planning, effort and careful interpretation goes into running a scientific, valid, repeatable and meaningful test of a security product.

A big topic seemed to be how to test security products (and behavioral products to a degree) against running malware. Do you exclude rootkits or not (because they can render the measurement techniques invalid)? Do you install the security product after the machine is infected, or do you install it before, but disable the on-access scanner? How do you count legitimate third-party libraries? Harmless images and text files? How do you ensure the malware doesn’t start or stop installing some other piece of code midway through the test? We have our own answers for testing our software, but trying to get agreement among a huge array of vendors is a job I’m glad I don’t have. It probably also explains how bad reviews happen.

Actual talks began late morning yesterday, and were kicked off by Mikko Hypponen’s review of malware history from the early days to today. Our own Allysa Myers presented on the possibilities around bot herders using IM to perform command and control functions, and Igor Muttik on scanning of HTTP-borne threats without killing performance. There have been some excellent talks on anti-rootkit techniques, botnet monitoring, some of the subtleties of the spyware landscape and a sort of point-counterpoint discussion of the effectiveness of user education vs. technological solutions. In general, some differences in the industry seem apparent this year. There are fewer talks on botnets and rootkit techniques than last year, it seems, and more discussions of behavioral technologies and mobile threats. Spam is also more prominent this year, and this broadening of the technological landscape seems to be paired with a broadening of the vendor and customer organizations represented here this year. It seems so far like the conference is mimicking the malware world today.
