Proactive defense against malicious documents: formalization, implementation and case studies
- First Online:
The current detection model used by modern antivirus software is based on the same basic principle. Any antivirus has to analyze the threat in order to protect the user afterwards. This implies to have first a few systems to be infected, then to perform a manual or partially automated analysis of the malware to finally update the malware databases. Quite no prevention model is considered to mitigate this inherent limitation of AV software. This issue becomes critical when considering office documents (Microsoft Office, Libre Office, PDF files\(\ldots \)) which become more and more vectors of targeted attacks and hence represent a major threat. The huge variability of documents makes the current detection model quite useless. To protect against the specific risks presented by these documents, we propose a new model of antiviral protection acting proactively and offering a strong prevention model. The document is transformed into an inactive file format to protect the user from any known or unknown threat. This module of proactive threat management has been implemented into the DAVFI project (French and International AntiVirus Demonstrator), funded by the French Strategic Digital Fund. Real and concrete cases of malicious office documents have been submitted to the analysis of this module as well as its transformation principles, demonstrating its effectiveness and accuracy.