Time: January 9 (Wednesday), 13:20 ~ 15:10
Location: EECS Building, 4th Meeting Room (1F) / MIRC 4th meeting room (1F)
Speaker: Prof. Fu-Hau Hsu, NCU CS (Department of Computer Science and Information Engineering, National Central University)
Title: Antivirus Software Shield against Antivirus Terminators
Fu-Hau Hsu received his Ph.D. degree in Computer Science from Stony Brook University, New York, USA in Dec. 2004. He is an associate professor in the Department of Computer Science and Information Engineering at National Central University, Taiwan, R.O.C. His research interests include system security, mobile device security, web security, information hiding, operating system, and networking.
In recent decades, the arms race between malware writers and antivirus programmers has become more and more severe. The simplest way for a computer user to secure his computer is to install antivirus software on it. As antivirus software becomes more sophisticated and powerful, evading its detection becomes an important part of malware. As a result, malware writers have developed various approaches to increase the survivability and concealment of their malware. One of these techniques is to terminate the antivirus software right after the malware starts executing. In this talk, we propose a mechanism, called ANtivirus Software Shield (ANSS), to prevent antivirus software from being terminated without the knowledge of its users. ANSS uses SSDT (System Service Descriptor Table) hooking to intercept specific Windows APIs and analyzes the calls to filter out hazardous API calls that would terminate antivirus software. In experiments using several pieces of malware that can terminate various brands of antivirus applications, the results show that ANSS can protect antivirus software from being terminated by them, with at most 0.42% CPU performance overhead and 1.77% memory write performance overhead.