Vulnerabilities / Threats
4/18/2013
01:01 AM

Time To Dump Antivirus As Endpoint Protection?

Attackers find it easy to avoid signature- and heuristic-based anti-malware defenses. Experts recommend that alternatives to antivirus programs be used alongside them, not in lieu of them.

The shortcomings of antivirus software are well known in the security industry, where the programs are typically considered an eminently fallible last line of defense.

When Google analyzed, for example, the performance of four antivirus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected. While the Internet giant did not name the providers of the software nor discuss the testing environment, the results are in line with other studies as well.

"AV, which is part of the cost of defense, is not causing a commensurate increase in cost for attackers," says Brian Foster, chief technology officer of Damballa and a former executive with antivirus firm McAfee. "The attackers just build a new version, run it by VirusTotal, and as soon as they get it past all 43 vendors there, they know they are golden--at least for the next 24 hours."

Just the same, information security managers looking to free up budget for other--possibly more efficient--measures will have a hard time justifying replacing antivirus with other technologies, security experts say. No one interviewed for this article recommended that companies completely ditch antivirus or anti-malware software in favor of another solution. Compliance mandates, for example, can require that companies in certain industries must maintain antivirus software.

Instead, additional technologies should be called up to bolster the endpoint's ability to prevent malware from running on a system.

[Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network. See When Antivirus Fails, All Is Not Lost.]

"So what we really need to do is get rid of the stuff that is not working, and put on new innovative techniques that stop the future threats," says Anup Ghosh, CEO and founder of Invincea, which uses secure containers to prevent malware from doing damage to a user's system.

Companies that want to reduce their reliance on antivirus software to secure their users' systems have four possible options.

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware. However, besides being a step back towards the fragile "crunchy on the outside, chewy on the inside" model of enterprise security that has been jettisoned in recent years, antivirus protection has been shown to have positive effects on security.

In its latest Security Intelligence Report, Microsoft found that computers that had no anti-malware protection were 5.5 times more likely, on average, to be infected with malicious code. Anti-malware protection played a greater role in more modern versions of Windows: Unprotected Windows XP systems were 3.5 times more likely, unprotected Windows 7 Service Pack 1 systems 9.5 times more likely, and unprotected Windows 8 systems 14 times more likely to be infected than the same system with anti-malware software.

"Although there is no such thing as a perfect security product, the findings ... clearly show that using real-time security software from a reputable vendor and keeping it up to date are two of the most important steps individuals and organizations can take to reduce the risk they face from malware and potentially unwanted software," the report states.

2. Beef up the blacklist
Companies can also use companion programs that give antivirus scanners a helping hand. Antivirus software typically takes the blacklist approach to security: Detect malicious software that attempts to run on the system and stop it. Many alternatives to the standard antivirus software augment this system.

Malwarebytes, for example, works alongside antivirus and helps users detect--and, if found, clean--malware. Sourcefire's Immunet uses a crowdsourcing approach, combining results from its own systems with those of other antivirus programs.

3. Use a whitelist
Some security firms have approached the problem by creating lists of known-good files and only allowing those files to run. Known as whitelisting, the security technology has helped detect threats, but has been criticized as hard to manage in an enterprise unless the information technology group prohibits users from installing their own software on systems.

In addition, because whitelisting software is the ultimate arbiter of what can be trusted, a breach of the security system can give total access to an attacker. The theft of a digital certificate from security firm Bit9 in July 2012 left the firm's clients open to attack, as any malware signed with the certificate was considered a benign file.
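To make that caveat concrete, here is an added example (not code from the article or from any vendor it names) of a minimal allowlist policy evaluator. It shows why trusting a publisher's certificate alone fails once that certificate is stolen, and how revoking the signer plus pinning the hash of vetted builds restores control; all vendor names and file contents are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Artifact:
    # A file presented for execution. Constructed sample: "signer" stands in
    # for the publisher that a verified code-signing certificate chains to.
    name: str
    content: bytes
    signer: Optional[str] = None

@dataclass
class AllowlistPolicy:
    approved_hashes: Set[str] = field(default_factory=set)  # exact known-good SHA-256
    trusted_signers: Set[str] = field(default_factory=set)  # publishers trusted by certificate
    revoked_signers: Set[str] = field(default_factory=set)  # certificates known to be stolen

    def decide(self, a: Artifact) -> Tuple[bool, str]:
        digest = hashlib.sha256(a.content).hexdigest()
        if digest in self.approved_hashes:
            return True, "allowed: hash pinned"
        if a.signer in self.revoked_signers:   # revocation beats publisher trust
            return False, f"blocked: signer {a.signer} revoked"
        if a.signer in self.trusted_signers:
            return True, f"allowed: trusted signer {a.signer}"
        return False, "blocked: not on allowlist"

# Constructed sample files (hypothetical vendor name; not real binaries).
APPROVED_APP = Artifact("payroll.exe", b"legit payroll build 1.2", signer="ExampleVendor")
MALWARE = Artifact("update.exe", b"dropper payload", signer="ExampleVendor")  # stolen cert
UNSIGNED = Artifact("tool.exe", b"random download")

def run_scenarios() -> dict:
    results = {}
    # 1. Certificate-only trust: whatever carries the publisher's signature runs,
    #    so malware signed with the stolen certificate is allowed.
    cert_only = AllowlistPolicy(trusted_signers={"ExampleVendor"})
    results["cert_only_malware"] = cert_only.decide(MALWARE)[0]
    # 2. After the theft is known, revoke the signer. The legitimate app now
    #    fails as well, because its trust rested only on the certificate.
    revoked = AllowlistPolicy(trusted_signers={"ExampleVendor"}, revoked_signers={"ExampleVendor"})
    results["revoked_malware"] = revoked.decide(MALWARE)[0]
    results["revoked_app_unpinned"] = revoked.decide(APPROVED_APP)[0]
    # 3. Pin the hash of the vetted build so it keeps running after revocation.
    revoked.approved_hashes.add(hashlib.sha256(APPROVED_APP.content).hexdigest())
    results["revoked_app_pinned"] = revoked.decide(APPROVED_APP)[0]
    results["unsigned"] = revoked.decide(UNSIGNED)[0]
    return results
```

Real deployments verify the signature chain before populating `signer`; the point shown is that publisher trust needs a revocation path and hash pinning to survive a certificate compromise.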

Yet, the technology seems to be improving. Stegosystems, a startup that has patented technology for detecting unauthorized code running on a protected system, uses steganographic certificates to validate code at runtime, blocking not only non-authorized code, but also preventing exploits from launching.

"While the code is actually running, it is checking every single function on the stack to verify that it has its appropriate credential and that the code itself is intact--that there is no rootkit, buffer overflow, return programming and so forth," says Tom Probert, chief technology officer and founder of the firm.

4. Focus on isolation
Finally, companies can place all potentially malicious code from untrusted sources inside virtual machines, monitoring them for signs of malicious activity. Security firm Bromium, for example, uses dozens of microVMs to keep untrusted code isolated from the important data on the system. Rival Invincea uses secure containers to similarly separate potentially malicious software from important data.

"We feel that people should look at a better depth of protection, such as one that protects the kernel," says Rahul Kashyap, Bromium's chief security architect. "When you are adding in a new layer of isolation in your environment, it is important that the new layer is something that you can trust."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
da cappin,
User Rank: Apprentice
5/16/2013 | 4:31:50 PM
re: Time To Dump Antivirus As Endpoint Protection?
Antivirus is a poor infosec control that should have been commonly replaced by alternate control(s) long ago, such as compartmenting. A low-risk-tolerance web-browsing compartment could be further controlled by something like whitetrash.sf.net. Discussion of isolation and containers just sounds like "cardboard" layers of boundary scoping that don't actually prevent or protect -- they simply require an adversary with more persistence.

We know for a fact that adding a layer of controls like EMET or ChromeFrame will do a lot more than upgrading/fully-patching IE and installing X AV from vendor Y. Additionally, enterprise management agents (e.g. ePO, AirWatch, et al.) open up the attack surface area with new concepts of trust that adversaries can utilize for exploitation/pivoting.
macker490,
User Rank: Ninja
4/19/2013 | 12:20:42 PM
re: Time To Dump Antivirus As Endpoint Protection?
Point #5
Learn to use electronic signatures (e.g. PGP) to authenticate transmittals.

Transmittals include e-mail, EFTs, credit cards, online shopping/banking/tax reports, and most particularly software -- if you are using a computer for commercial purposes, the old garage computer concept of "run anything you find" has to go... back to the garage computer, not the commercial one.