Monday, February 28, 2011

Detecting malware on systems before AV finds it!

I was looking for options to detect malware before antivirus signatures find it. Here is what I read about using SCAP standards.

As written earlier, MAEC from MITRE provides a schema for characterizing malware: the artifacts a sample leaves behind (files written, registry keys set, processes started, network connections made) in a structured, machine-readable form. OVAL, also from MITRE and one of the SCAP component standards, defines a language for expressing system characteristics and machine state as test cases, together with a results schema for reporting the outcome of an assessment in a standard format. OVAL also has a reference interpreter (ovaldi) that runs a set of definitions against the local system and writes its findings as an OVAL results document.

That interpreter can execute test cases derived from the artifacts listed in a MAEC bundle. Once the system has been scanned and assessed, the results say which of the malware's artifacts are present on the host, and that answer is available as soon as the sample's characteristics have been captured in MAEC, which can be before an AV signature for it exists. All this requires is some code or a script to convert MAEC-defined characteristics into OVAL definitions and test cases.

Two caveats a practitioner should keep in mind: the approach only finds what the MAEC bundle describes, so exact-match indicators such as file hashes and fixed paths miss a repacked or renamed variant, and an OVAL definition whose result is unknown, error or not evaluated has not cleared the host and must be reported rather than treated as clean.

This seemed like a cool idea and I wanted to share it on my blog. Please check maec.mitre.org and oval.mitre.org for more details.
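The MAEC-to-OVAL conversion step, as an added example written for this post (it is not code from MITRE or from the original post). It skips the MAEC XML parsing and starts from a constructed indicator list standing in for what one would lift out of a bundle; the `example.blog` segment in the OVAL ids, the placeholder SHA-256 and the trimmed results fragment are all assumptions made for the example. It emits an OVAL 5.10 definitions document that the reference interpreter can run, and then triages a results document of the shape the interpreter writes, keeping unresolved results separate from clean ones.

```python
"""Malware indicators -> OVAL 5 definitions, plus triage of ovaldi results.
Added example, not MITRE's code; indicators and results below are constructed."""
import xml.etree.ElementTree as ET

NS_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS_COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
NS_IND = NS_DEF + "#independent"  # filehash58_* tests live here
NS_WIN = NS_DEF + "#windows"      # registry_* tests live here
NS_RES = "http://oval.mitre.org/XMLSchema/oval-results-5"
ID_NS = "example.blog"            # assumed owner segment of every OVAL id

ET.register_namespace("", NS_DEF)
for p, u in (("oval", NS_COMMON), ("ind-def", NS_IND), ("win-def", NS_WIN)):
    ET.register_namespace(p, u)

# Constructed indicators, as extracted from a MAEC bundle; the hash is a placeholder.
INDICATORS = [
    {"type": "file", "name": "Dropped payload", "path": r"C:\Windows\Temp",
     "filename": "svchost32.exe", "sha256": "ab" * 32},
    {"type": "registry", "name": "Run-key persistence",
     "hive": "HKEY_LOCAL_MACHINE",
     "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "svchost32"},
]


def oval_id(kind, n):
    return f"oval:{ID_NS}:{kind}:{n}"


def build_oval_definitions(indicators):
    """Return an oval_definitions document with one definition per indicator."""
    root = ET.Element(f"{{{NS_DEF}}}oval_definitions")
    gen = ET.SubElement(root, f"{{{NS_DEF}}}generator")  # required header
    ET.SubElement(gen, f"{{{NS_COMMON}}}product_name").text = "maec2oval example"
    ET.SubElement(gen, f"{{{NS_COMMON}}}schema_version").text = "5.10"
    ET.SubElement(gen, f"{{{NS_COMMON}}}timestamp").text = "2011-02-28T00:00:00"
    sec = {s: ET.SubElement(root, f"{{{NS_DEF}}}{s}")
           for s in ("definitions", "tests", "objects", "states")}
    for n, ind in enumerate(indicators, start=1):
        d = ET.SubElement(sec["definitions"], f"{{{NS_DEF}}}definition",
                          {"id": oval_id("def", n), "version": "1", "class": "miscellaneous"})
        meta = ET.SubElement(d, f"{{{NS_DEF}}}metadata")
        ET.SubElement(meta, f"{{{NS_DEF}}}title").text = ind["name"]
        ET.SubElement(meta, f"{{{NS_DEF}}}description").text = "Artifact taken from a MAEC bundle"
        crit = ET.SubElement(d, f"{{{NS_DEF}}}criteria", operator="AND")
        ET.SubElement(crit, f"{{{NS_DEF}}}criterion",
                      {"test_ref": oval_id("tst", n), "comment": ind["name"]})
        if ind["type"] == "file":
            # Exact hash match at a known path: filehash58 object plus state.
            t = ET.SubElement(sec["tests"], f"{{{NS_IND}}}filehash58_test",
                              {"id": oval_id("tst", n), "version": "1",
                               "check": "at least one", "comment": ind["name"]})
            ET.SubElement(t, f"{{{NS_IND}}}object", object_ref=oval_id("obj", n))
            ET.SubElement(t, f"{{{NS_IND}}}state", state_ref=oval_id("ste", n))
            o = ET.SubElement(sec["objects"], f"{{{NS_IND}}}filehash58_object",
                              {"id": oval_id("obj", n), "version": "1"})
            ET.SubElement(o, f"{{{NS_IND}}}path").text = ind["path"]
            ET.SubElement(o, f"{{{NS_IND}}}filename").text = ind["filename"]
            ET.SubElement(o, f"{{{NS_IND}}}hash_type").text = "SHA-256"
            s = ET.SubElement(sec["states"], f"{{{NS_IND}}}filehash58_state",
                              {"id": oval_id("ste", n), "version": "1"})
            ET.SubElement(s, f"{{{NS_IND}}}hash_type").text = "SHA-256"
            ET.SubElement(s, f"{{{NS_IND}}}hash").text = ind["sha256"]
        elif ind["type"] == "registry":
            # Existence check only: registry object, no state needed.
            t = ET.SubElement(sec["tests"], f"{{{NS_WIN}}}registry_test",
                              {"id": oval_id("tst", n), "version": "1", "check": "at least one",
                               "check_existence": "at_least_one_exists", "comment": ind["name"]})
            ET.SubElement(t, f"{{{NS_WIN}}}object", object_ref=oval_id("obj", n))
            o = ET.SubElement(sec["objects"], f"{{{NS_WIN}}}registry_object",
                              {"id": oval_id("obj", n), "version": "1"})
            ET.SubElement(o, f"{{{NS_WIN}}}hive").text = ind["hive"]
            ET.SubElement(o, f"{{{NS_WIN}}}key").text = ind["key"]
            ET.SubElement(o, f"{{{NS_WIN}}}name").text = ind["value"]
        else:
            raise ValueError(f"unsupported indicator type {ind['type']!r}")
    for s in ("tests", "objects", "states"):  # the schema forbids empty sections
        if len(sec[s]) == 0:
            root.remove(sec[s])
    return ET.tostring(root, encoding="unicode")


# Constructed in the shape of an ovaldi oval_results document (trimmed).
SAMPLE_RESULTS = f"""<oval_results xmlns="{NS_RES}"><results><system><definitions>
  <definition definition_id="{oval_id('def', 1)}" result="true" version="1"/>
  <definition definition_id="{oval_id('def', 2)}" result="error" version="1"/>
</definitions></system></results></oval_results>"""


def triage_results(results_xml, indicators):
    """Map each definition result back to its indicator name. Only "true" is a
    detection; unknown/error/not evaluated never ran and must not read as clean."""
    names = {oval_id("def", n): i["name"] for n, i in enumerate(indicators, start=1)}
    out = {"hits": [], "clean": [], "unresolved": []}
    for d in ET.fromstring(results_xml).iter(f"{{{NS_RES}}}definition"):
        name = names.get(d.get("definition_id"), d.get("definition_id"))
        r = d.get("result")
        bucket = "hits" if r == "true" else "clean" if r == "false" else "unresolved"
        out[bucket].append((name, r))
    return out
```

`build_oval_definitions(INDICATORS)` gives the definitions file to hand to the interpreter; `triage_results(results_xml, INDICATORS)` is then run over the results document it writes. The file indicator is a strict hash-and-path match and the registry indicator is a bare existence check, which is exactly why a variant that is repacked or dropped elsewhere is not caught, and why the `unresolved` bucket is kept apart from `clean`.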