Blacklisting packers

Gaith Taha, McAfee Avert Labs, USA

Avoidance or acceptance?

The not-so-recent debate about whether the AV industry should start mass-detecting packers that are used maliciously raised a lot of concerns about the risk this would introduce. A false positive is every vendor's nightmare. The more you know about the risks you face, the better the decisions you can make.

Virus scanners issuing false positives seems to be becoming a widespread phenomenon. Knowing of a risk and not being able to control it is bad; not being able to measure it is much worse.

This paper will take you through the elements of risk management and propose real-world solutions to the problem of false positives in general, and of packer detection in particular. It focuses on scenarios specific to the AV industry and illustrates how to analyse the risk, assess it and control it. Ultimately, the goal is to establish a framework that is easy to adopt, or perhaps to dislike entirely!