Time To Dump Antivirus As Endpoint Protection?Attackers find it easy to avoid signature- and heuristic-based anti-malware defenses. Experts recommend alternatives to antivirus programs be used alongside them, not in lieu of them
The shortcomings of antivirus software are well known in the security industry, where the programs are typically considered an eminently fallible last line of defense.
When Google analyzed, for example, the performance of four antivirus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected. While the Internet giant did not name the providers of the software nor discuss the testing environment, the results are in line with other studies as well.
"AV, which is part of the cost of defense, is not causing a commensurate increase in cost for attackers," says Brian Foster, chief technology officers of Damballa and a former executive with antivirus firm McAfee. "The attackers just build a new version, run it by VirusTotal, and as soon as they get it past all 43 vendors there, they know they are golden--at least for the next 24 hours."
Just the same, information security managers looking to free up budget for other--possibly more efficient--measures will have a hard time justifying replacing antivirus with other technologies, security experts say. No one interviewed for this article recommended that companies completely ditch antivirus or anti-malware software in favor of another solution. Compliance mandates, for example, can require that companies in certain industries must maintain antivirus software.
Instead, additional technologies should be called up to bolster the endpoint's ability to prevent malware from running on a system.
[Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network. See When Antivirus Fails, All Is Not Lost.]
"So what we really need to do is get rid of the stuff that is not working, and put on new innovative techniques that stop the future threats," says Anup Ghosh, CEO and founder of Invincea, which uses secure containers to prevent malware from doing damage to a user's system.
Companies that want to reduce their reliance on antivirus software to secure their users' systems have four possible options.
1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware. However, besides being a step back towards the fragile "crunchy on the outside, chewy on the inside" model of enterprise security that has been jettisoned in recent years, antivirus protection has been shown to have positive effects on security.
In its latest Security Intelligence Report, Microsoft found that computers that had no anti-malware protection were 5.5 times more likely, on average, to be infected with malicious code. Anti-malware protection played a greater role in more modern versions of Windows: Unprotected Windows XP systems were 3.5 times more likely, unprotected Windows 7 Service Pack 1 systems 9.5 times more likely, and unprotected Windows 8 systems 14 times more likely to be infected than the same system with anti-malware software.
"Although there is no such thing as a perfect security product, the findings ... clearly show that using real-time security software from a reputable vendor and keeping it up to date are two of the most important steps individuals and organizations can take to reduce the risk they face from malware and potentially unwanted software," the report states.
2. Beef up the blacklist
Companies can also use companion programs that give antivirus scanners a helping hand. Antivirus software typically takes the blacklist approach to security: Detect malicious software that attempts to run on the system and stop it. Many alternatives to the standard antivirus software augment this system.
Malwarebytes, for example, works alongside antivirus and helps users detect and--if found, clean--malware. Sourcefire's Immunet uses a crowdsourcing approach, combining results from its own systems and that of other antivirus programs.
3. Use a whitelist
Some security firms have approached the problem by creating lists of known-good files and only allowing those files to run. Known as whitelisting, the security technology has helped detect threats, but has been criticized as hard to manage in an enterprise unless the information technology group prohibits users from installing their own software on systems.
In addition, because whitelisting software is the ultimate arbiter of what can be trusted, a breach of the security system can give total access to an attacker. The theft of a digital certificate from security firm Bit9 in July 2012, left the firm's clients open to attack, as any malware signed with the certificate was considered a benign file.
Yet, the technology seems to be improving. Stegosystems, a startup that has patented technology for detecting unauthorized code running on a protected system, uses steganographic certificates to validate code at runtime, blocking not only non-authorized code, but also preventing exploits from launching.
"While the code is actually running, it is checking every single function on the stack to verify that it has its appropriate credential and that the code itself is intact--that there is no rootkit, buffer overflow, return programming and so forth," says Tom Probert, chief technology officer and founder of the firm.
4. Focus on isolation
Finally, companies can place all potentially malicious code from untrusted sources inside virtual machines, monitoring them for signs of malicious activity. Security firm Bromium, for example, uses dozens of microVMs to keep untrusted code isolated from the important data on the system. Rival Invincea uses secure containers to similarly separate potentially malicious software from important data.
"We feel that people should look at a better depth of protection such as that protects the kernel," Rahul Kashyap, Bromium's chief security architect. "When you are adding in new layer of isolation in your environment, it is important that the new layer is something that you can trust."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio