5 Theory of change Realize the need for change Define what we want to achieve Understand what we currently do Assess what we do against our goals Assess the risks of making changes Document and communicate Implement the changes Measure the results Define process for making future changes
6 Realize the need for change Our detection criteria was not inline with our mission to protect our customers without interfering with their Windows experience We were warning our customers of programs that posed no threat alone but: May indicate a security issue May have been used my malware on this or some other machine The PUS research process was not clear.
7 Define what we want to achieve Detect only those programs that pose a security risk or interfere with the customer s Windows experience Make the PUS research process more accessible to all of the researchers
8 Understand what we currently do Documenting what you do, if you have not already For us, we already had documents outlining the behaviours that we detected and what their severity was We had to understand: How the researchers used the current documentation How they did their research
9 Assess what we do against our goals Compare the list of PUS behaviours that we detected against our goal of protection without interference We had to decide if the behaviour was a threat to the customer or only there to inform the customer of a program s presence We identified a few more behaviours that we added to our list of criteria
10 Assess the risks of making changes We had to answer questions that asked if these changes pose a: Risk to Microsoft Risk to our customers Some of these questions were answered by talking to the legal department and they helped us to understand the risk of our changes
11 Document and communicate We documented everything We prepared a PUS course, a series of documents and had trainings Communicate internally and externally Ensure one specialized PUS researcher in each of our labs to answer local questions and communicate problems and changes Externally, we have updated our objective criteria page:
12 Implement the changes Comparing all of our past detections against our revised criteria Rename or remove detection as appropriate It was done in stages because it was too big a job to do all at once
13 Measure the results Internal goals: Measuring the number of researchers that add PUS detections Researcher satisfaction Measure the consistency of PUS conclusions External: Measuring what our customers think of our new approach is more difficult
14 Define process for making future changes You may not get it right the first time It will be easier to make future changes if you have a formal process in place We have used our process to refine some of our criteria and it was much more streamlined with a formal process in place
15 What did we change in PUS Behaviour changes Category changes Remediation changes
16 PUS severity levels - explanation PUS detections have associated severity levels and default remediation actions with them Can be applied by category, family, or by variant Can be assigned by the researcher when they add detection These severity levels determine how the user is notified and can be used to control what the default actions for remediation are Severities can be Low, Medium, High or Severe Default actions can be to Notify the user, Quarantine or Delete
17 PUS behaviour changes To achieve our mission of protection without interference : Removed all behaviours that were at severity levels Moderate or Low, except those related to Adware Reclassified remaining behaviours into categories that were more verbose
18 Redistributed PUS categories PUS categories contained only Moderate and Low behaviours: Tool Program RemoteAccess
19 Redistributed PUS examples Behaviours no longer detected: Tool:Win32/Miniftp Configurable FTP server Program:Win32/TinyProxy Stand alone configurable proxy RemoteAccess:Win32/RealVNC Commercially written remote access tool Detection signatures removed
20 Redistributed PUS examples Behaviours detected as different category: Program:Win32/FakeAdpro Displays false malware reports. Moved to Rogue category. RemoteAccess:Win32/SubSeven Hacker-written backdoor. Moved to Backdoor category. Program:Win32/RegCure System optimization tool that makes misleading claims about system files. Moved to Misleading category. Detection signatures moved
21 Active PUS categories Adware BrowserModifier Misleading (new) MonitoringTool SoftwareBundler
22 PUS remediation changes Previously: Behaviours determined severity level Now: Categories determine severity level As a result: Only Adware and SoftwareBundler prompt the customer
23 PUS remediation changes - example Old method: Exhibits behaviour 1 with severity Low that falls under category Program Exhibits behaviour 2 with severity Moderate that falls under category BrowserModifier Would be classified as a BrowserModifier with severity Moderate
24 PUS remediation changes - example New method: Not exhibiting any detectable behaviours detected Would be classified as a Clean
25 PUS remediation changes - example Old method: Exhibits behaviour 3 with severity High and falls under category BrowserModifier Exhibits behaviour 4 with severity Low and falls under category Program Exhibits behaviour 5 with severity Low and falls under category BrowserModifier Would be classified as a BrowserModifier with severity High
26 PUS remediation changes - example New method: Exhibits behaviour 3 with that falls under category BrowserModifier Would be classified as a BrowserModifier with severity High Easier
27 Points to remember about change Making changes: Define what you want to achieve before you start Understand what you do now Documentation is essential Changes made: MMPC removed Low and Moderate PUS behaviours except for Adware category Realigned signatures for Tool, Program and RemoteAccess
CDM Software Asset Management (SWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT
TABLE OF CONTENTS INTRODUCTION... 1 WHAT HAPPENS IF MY CHILD IS HAVING TROUBLE LEARNING IN SCHOOL?... 2 STEPS TO GETTING SERVICES... 3 ANSWERS TO FREQUENTLY ASKED QUESTIONS... 9 REQUEST FOR ASSISTANCE...
Records Management: Seven Best Practices for Staying Ahead of the Curve 2014 Table of Contents Introduction... 3 Obtain Executive Support... 3 Define A Records Management Approach... 4 Create A Clear Policy
Small Business Anti-Virus Protection OCT - DEC 2014 Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to compare the effectiveness of anti-malware
Application Comparison NOVEMBER 2012 Dennis Technology Labs www.dennistechnologylabs.com This comparative test looks closely at the features and abilities of security software that seeks to control which
Information Security Awareness Survey 2008 Prepared by SAI Global Security Awareness: Measuring Attitudes, Knowledge and Behaviour Results of The SAI Global Benchmarking Survey 2008 Current Security Awareness
Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses Chris Ries Security Research Analyst VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 email@example.com
Enterprise Anti-Virus Protection APRIL - JUNE 2014 Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to compare the effectiveness of anti-malware
Tracking Anti-Malware Protection 2015 A TIME-TO-PROTECT ANTI-MALWARE COMPARISON TEST Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to measure
AVG Internet Security 2015 User Manual Document revision 2015.33 (16.6.2015) C opyright AVG Technologies C Z, s.r.o. All rights reserved. All other trademarks are the property of their respective owners.
Enterprise Anti-Virus APRIL - JUNE 2013 Dennis Technology Labs www.dennistechnologylabs.com This report aims to compare the effectiveness of anti-malware products provided by well-known security companies.
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
WHEN YOU CONSULT A STATISTICIAN... WHAT TO EXPECT SECTION ON STATISTICAL CONSULTING AMERICAN STATISTICAL ASSOCIATION 2003 When you consult a statistician, you enlist the help of a professional who is particularly
AVG Email Server Edition User Manual Document revision 2015.11 (23.3.2015) C opyright AVG Technologies C Z, s.r.o. All rights reserved. All other trademarks are the property of their respective owners.
How an Orphan Works (OW) Bill would effect a copyright holder from the perspective of a small family business. In 2008, I participated with artists- rights groups to help communicate the needs of copyright
Security Policy: Best Practices White Paper Document ID: 13601 Introduction Preparation Create Usage Policy Statements Conduct a Risk Analysis Establish a Security Team Structure Prevention Approving Security
Rob Davis Everyone wants a good process. Our businesses would be more profitable if we had them. But do we know what a good process is? Would we recognized one if we saw it? And how do we ensure we can
Audit Manual PART TWO SYSTEM BASED AUDIT Table of content 1. Introduction...3 2. Systems based audit...4 2.1. Preparing for & planning the audit assignment...5 2.2. Ascertaining and recording the system...7
A Brick Wall, a Locked Door, and a Bandit: A Physical Security Metaphor For Firewall Warnings Fahimeh Raja University of British Columbia Vancouver, Canada V6T 1Z4 firstname.lastname@example.org Kai-Le Clement Wang
BEST PRACTICES FOR SCSP POCS Best Practices for Critical System Protection Proof of Concepts Version 1.0 1 1. UNDERSTANDING SERVER RISK... 4 1.1. HOW TO PROTECT YOURSELF: DEVELOPING SERVER HARDENING CONFIGURATIONS...
Windows 8 Malware Protection Test Report A test commissioned by Kaspersky Lab and performed by AV-Test GmbH Date of the report: January 11 th, 2013, last update: January 11 th, 2013 Executive Summary In
Sponsored by McAfee Protecting Virtual Endpoints with McAfee Server Security Suite Essentials December 2013 A SANS Analyst Whitepaper Written by Dave Shackleford Capability Sets for Virtualization Security