2. Agenda
Introduction to Multi-scanning
The evolving threat landscape
Why multi-scanning?
Metascan
Additional Uses of Metascan
Getting started with Metascan
4. The Evolving Threat Landscape
Timeline (1998, 2002, 2006, 2010, 2012): Virus/Worm Era -> Spyware and Adware -> E-Crime -> Cyber warfare
Motivation: 15 minutes of fame; borderline legal ways of making money; make money fast by exploiting; Stuxnet, DuQu and Flame
Opportunity: improved connectivity; increase in users, web traffic & searches; more time on Facebook, Twitter and YouTube; easier to find personal details -> used to infiltrate organizations
Methods: quiet attacks; primary vectors web & mobile; phishing attacks; attacks focused on specific sites; targeted attacks; cyber warfare
6. The Problem
Insufficient Detection by any one Anti-Malware Product
The rapid growth in the amount of malware continues to accelerate
Over 130,000 new malicious programs appear every day
No AV vendor can keep up with the number of new malware variants
“Cyber attacks on America’s critical infrastructure increased 17-fold between 2009 and 2011.”
http://www.csmonitor.com/Commentary/Opinion/2012/0808/Help-wanted-Geek-squads-for-US-cybersecurity
8. Why Use Multiple Anti-Malware Engines?
Increase malware zero hour detection rates
Decrease malware detection time after an outbreak
Increase resiliency to anti-malware engines’ vulnerabilities
9. The Solution
Every engine misses something
No anti-malware product is perfect, but together they have a greater rate of detection due to their unique features
[Chart: detection rate of Engine 1 and Engine 2, each relative to 100%, with the gap each one misses]
10. Improve Detection Using Multiple Anti-Malware Engines
This graph shows the time between malware outbreak and detection by six anti-malware engines for 75 outbreaks over three months.
No vendor detects every outbreak.
Only by combining six engines in a multi-scanning solution are outbreaks detected quickly.
By adding additional engines, zero hour detection rates increase further.
[Chart legend: zero hour detection; 5 min to 5 days; no detection at 5 days. Source: av-test.org]
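As an added illustration (not from the deck, and not OPSWAT code), the following computes the zero-hour / delayed / missed breakdown described on this slide over a constructed outbreak matrix, showing how time-to-first-detection improves as engines are combined; the engine names and delays are made up.

```python
from itertools import combinations

# Constructed sample data: detection delay in minutes for 5 outbreaks
# across 4 hypothetical engines; None = still undetected at 5 days.
ENGINE_NAMES = ["eng-A", "eng-B", "eng-C", "eng-D"]  # hypothetical names
SAMPLE_DELAYS = {
    "outbreak-1": [0, 30, None, 120],
    "outbreak-2": [None, 0, 60, None],
    "outbreak-3": [45, None, 0, 0],
    "outbreak-4": [None, None, None, 0],  # three of four engines miss it
    "outbreak-5": [0, 0, 0, 0],
}


def combined_delay(delays, engines):
    """Delay until the first selected engine detects; None if none does."""
    hits = [delays[i] for i in engines if delays[i] is not None]
    return min(hits) if hits else None


def summarize(outbreaks, engines):
    """Count zero-hour, delayed and missed outbreaks for a set of engines."""
    zero_hour = delayed = missed = 0
    for delays in outbreaks.values():
        d = combined_delay(delays, engines)
        if d is None:
            missed += 1
        elif d == 0:
            zero_hour += 1
        else:
            delayed += 1
    return {"zero_hour": zero_hour, "delayed": delayed, "missed": missed}


def best_subset(outbreaks, n_engines, k):
    """Best k-engine combination: most zero-hour hits, then fewest misses."""
    best = None
    for combo in combinations(range(n_engines), k):
        s = summarize(outbreaks, combo)
        key = (s["zero_hour"], -s["missed"])
        if best is None or key > best[0]:
            best = (key, combo, s)
    return best[1], best[2]


if __name__ == "__main__":
    for k in range(1, len(ENGINE_NAMES) + 1):
        combo, stats = best_subset(SAMPLE_DELAYS, len(ENGINE_NAMES), k)
        print(k, [ENGINE_NAMES[i] for i in combo], stats)
```

Adding engines only helps where their misses do not coincide: outbreak-4 is caught by a single engine in the sample, so any combination that omits it still misses that outbreak entirely.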
11. Multiple Engines Increase Resiliency to Anti-Malware Engine Vulnerabilities
Anti-malware product vulnerabilities from the National Vulnerability Database
[Chart: Number of Vulnerabilities in Antivirus products (CVEs) per year, 2005 to 2012; y-axis from 0 to 70]
13. What is Metascan?
Multi-scanning engine
A server application with a local and network programming interface that allows customers to incorporate multiple anti-malware engine scanning technologies into their security architecture
Supports 0 to 30 anti-malware engines [and growing!]
Simultaneously scans files with all engines
Scan directories, files, archives, buffers, and boot sector
Automatic online definition updates or manual offline updates
14. What is Metascan?
Multi-scanning engine
Flexible and scalable API driven solution
Many programming interfaces:
C++
Java
PHP
C#/ASP.NET
RESTful (Web API)/HTTP
CLI (command line interface)
Analyzes files locally on a single server, or remotely accesses files from Windows, Macintosh, or Linux systems
15. Metascan
Who uses Metascan?
Analysts who research threats in binaries
CERTs (Computer Emergency Response/Readiness Teams)
Government agencies
Federal and State Law enforcement agencies
Computer forensic analysts
IT security managers who seek to control data flow
Files from public facing sharing/upload sites
Data moving across internal security domains
Detect infected attachments
Independent software vendors seeking to identify threats in their binaries
False positives
Accidental infections
16. Metascan
Standard packages
Metascan is available in preconfigured packages that include 0-16 embedded engines
Best performance from fully embedded engines
Easy to use – engines update automatically or as a single offline package
17. Metascan
Custom packages
Create your own custom packages
Add engines to any standard package – for example, create Metascan 20 by adding McAfee, Symantec, Kaspersky and Sophos to the Metascan 16 standard package
Pick and choose from our custom engine list to create your own custom package (currently up to 30 engines)
18. Additional Uses of Metascan
Metascan Online (www.metascan-online.com)
• Online implementation of Metascan with 40+ engines
• Upload and Scan files
• Lookup by file hash
• Web Interface and REST API
Metadefender
• Metascan client that examines the content on physical media such as USB flash drives, CDs and DVDs.
• Available as standalone software or as a physical kiosk
19. Getting Started with Metascan
For more information on Metascan and Metadefender go to: http://www.opswat.com/metascan
For a free 30 day trial of Metascan and Metadefender go to: http://portal.opswat.com
If you would like more information about purchasing Metascan or Metadefender please contact OPSWAT Sales at: sales@opswat.com
If you have feedback or questions about Metascan or Metadefender contact OPSWAT Product Management at: pm@opswat.com
Editor's Notes
1 min
<why multiscanning> Growth of malware; more engines are better than 1; outbreaks; vulnerabilities in engines
<technology overview of Metascan> What is Metascan; why use Metascan; current feature set
<different implementations of Metascan> Out of box solution: MDTA; demo of metascanonline.com (local box with wireless access point); endpoint client (MD4SA); demo of MD4SA
<Managing Metascan> Introduction to the management station
AV-Test.org registers over 55,000 new malicious programs every day.
Green is zero hour detection; yellow is 2 min to 5 days; red is more than 5 days
Taken from the National Vulnerability Database: number of CVEs found with a search of ‘antivirus’ – results were from various AV products
What is Metascan Online? It is a slightly customized version of Metascan. Of course, it is not all of Metascan, so let's dig in further to learn more about Metascan. Metascan is a multi-scanning solution with different layers and various APIs which overcome the challenge of using multiple antivirus products. It offers flexible integration options, from low-level integration to an out-of-box solution such as a slightly modified version of Metascan.