Optimizing DAT Performance: Smaller Is Better

I want to share some of the good work McAfee Labs did in the past year in optimizing and enhancing the V2 DATs (malware definition files, also known as AVV DATs) used in McAfee VirusScan Enterprise and other McAfee enterprise products. In 2014, we reduced DAT size by more than 45% to about 70MB, down from a high of about 132MB.

These enhancements have led to a big performance win: The reduction in DAT size automatically translates into faster system scan times and smaller DAT updates. Even more impressive is that these massive size reductions have been achieved while delivering consistently high protection effectiveness results in tests last year by AV-Test, AV-Comparatives, and NSS Labs.

[Chart: V2 DAT size, 2014]
Shrinking strategy
McAfee Labs evaluated its DAT signature categories and focused first on hash-based detections that had been added by our automation systems. Over time, human-authored generic signatures evolved to overlap most hash-based signature content, allowing for their safe removal without losing any detection capability.

The second strategy was to target signatures not seen in the field—mainly single-use malware deployed in common spam campaigns. The risk of seeing these old files in the field is very low. If these signatures were not seen via our McAfee Global Threat Intelligence (GTI) cloud telemetry, we moved them into the McAfee GTI cloud where they still provide protection but without the performance impact of constantly downloading unneeded data.

Antimalware engine releases such as the 5600 and 5700 engines used in McAfee VirusScan Enterprise and other McAfee enterprise products also allow us to port commonly used code in the DAT files to native engine code. Although in the past there were limitations to authoring generic detections on unsupported packers or file formats, new engines enable better decomposition of these formats, allowing researchers to create better generic signatures.

Continuing performance focus
The DAT optimization project was incredibly complex, requiring significant testing and validation to ensure DAT quality, safety, and consistently high protection effectiveness. Scan times are now back to pre-2011 levels without any product or technology uplifts.

As we continue to innovate, the ability to process V3 DATs—the successor to V2 DATs—will be integrated into all McAfee endpoint products. Today, V3 DATs are used by McAfee Endpoint Protection for SMB, McAfee Internet Security, and McAfee Antivirus Plus. V3 DATs further reduce DAT size. Currently, they are smaller than 30MB, providing even better system scan time performance while still delivering outstanding protection results!

[Chart: V2 and V3 DAT sizes, 2014]

To learn more about the V2 DAT and the new V3 DAT, see KB82396: “FAQs for V3 DAT files.”


The post Optimizing DAT Performance: Smaller Is Better appeared first on McAfee.

Browsing in privacy mode? Super Cookies can track you anyway

For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can bypass these privacy modes unless users take special care.

Ironically, the chink that allows websites to uniquely track people's incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections. By appending a flag to the header a browser receives when making a request to a server, HSTS ensures that all later connections to a website are encrypted using one of the widely used HTTPS protocols. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which hackers convert an encrypted connection back into plain-text HTTP.

Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.
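As an added illustration (not Greenhalgh's proof of concept and not any browser's code), the Python model below shows the per-host state that an HSTS header leaves behind in a browser, which is the state a super cookie probes, alongside the mitigation the article alludes to: keeping private-mode HSTS state separate from normal-mode state. The Browser class and its mode isolation are assumptions for the model, not a description of any shipping browser.

```python
def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains), or None if no valid max-age."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # a malformed max-age invalidates the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Per-host HSTS state: the flag a site can later probe as one fingerprint bit."""
    def __init__(self):
        self.policies = {}  # host -> (expiry_timestamp, include_subdomains)

    def record(self, host, header, now):
        parsed = parse_hsts(header)
        if parsed is None:
            return  # ignore malformed headers and keep any existing policy
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget host
        else:
            self.policies[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if an http:// request to host would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False


class Browser:
    """Assumed mitigation: a separate private-mode store that is dropped on exit."""
    def __init__(self):
        self.stores = {"normal": HstsStore(), "private": HstsStore()}

    def visit(self, host, header, mode, now):
        self.stores[mode].record(host, header, now)

    def upgrades(self, host, mode, now):
        return self.stores[mode].must_upgrade(host, now)
```

Timestamps are passed in explicitly so the model is deterministic; a flag recorded in normal mode is reported by `upgrades(..., "normal", ...)` but not by the private-mode store.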


Going postal: Reporter sues government for spying from USPS network

Sharyl Attkisson, the former CBS investigative reporter who published her claims of government intimidation, electronic surveillance, and cyber-attacks in a book last fall, has begun the process of taking the government to court over the hacking of her personal and work computers, as well as her home network.

In the process, Attkisson’s attorneys have begun to reveal the details of forensic investigations by computer security experts. In legal filings against the government, the attorneys disclosed which government agency’s network was the source of at least some of the hacks: the US Postal Service.

In an administrative claim filed on January 5 under the provisions of the Federal Tort Claims Act and a complaint filed with the District of Columbia Superior Court, Attkisson’s attorneys gave an initial summary of their accusations against the US Justice Department, which they claim directed the surveillance of Attkisson as part of an ongoing Obama administration campaign against journalists and government employees acting as their confidential sources. Attkisson and her family have named outgoing US Attorney General Eric Holder, Postmaster General Patrick Donahoe, and “unknown named agents” of the Department of Justice and US Postal Service as defendants in the suit, seeking damages that could total approximately $35 million.


Bitcoin exchange Bitstamp claims hack siphoned up to $5.2 million

UK-based Bitstamp, the second largest bitcoin exchange for US dollars, suspended operations on Monday, following evidence that online thieves had stolen up to 19,000 BTC—approximately $5.2 million—from its operational store of bitcoins.

The company alerted its users of the possible attack on Monday and warned against transferring any bitcoins to the service’s old bitcoin deposit addresses. Early the following morning, Bitstamp revealed that the attack affected fewer than 19,000 bitcoins. The actual attack appeared to have occurred on Sunday, January 4, when attackers compromised the company’s operational funds, also known as the “hot wallet.”

“Thank you all for your patience, we are working diligently to restore service,” Nejc Kodrič, the co-founder and CEO of Bitstamp, tweeted on Monday, adding, “To restate: the bulk of our bitcoin are in cold storage, and remain completely safe.”
