Vulnerabilities / Threats
4/18/2013
01:01 AM

Time To Dump Antivirus As Endpoint Protection?

Attackers find it easy to evade signature- and heuristic-based anti-malware defenses. Experts recommend that alternatives to antivirus programs be used alongside them, not in lieu of them.

The shortcomings of antivirus software are well known in the security industry, where the programs are typically considered an eminently fallible last line of defense.

When Google analyzed, for example, the performance of four antivirus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected. While the Internet giant did not name the providers of the software nor discuss the testing environment, the results are in line with other studies as well.

"AV, which is part of the cost of defense, is not causing a commensurate increase in cost for attackers," says Brian Foster, chief technology officer of Damballa and a former executive with antivirus firm McAfee. "The attackers just build a new version, run it by VirusTotal, and as soon as they get it past all 43 vendors there, they know they are golden--at least for the next 24 hours."

Just the same, information security managers looking to free up budget for other--possibly more effective--measures will have a hard time justifying replacing antivirus with other technologies, security experts say. No one interviewed for this article recommended that companies completely ditch antivirus or anti-malware software in favor of another solution. Compliance mandates, for example, can require that companies in certain industries maintain antivirus software.

Instead, additional technologies should be brought in to bolster the endpoint's ability to prevent malware from running on the system.

[Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network. See When Antivirus Fails, All Is Not Lost.]

"So what we really need to do is get rid of the stuff that is not working, and put on new innovative techniques that stop the future threats," says Anup Ghosh, CEO and founder of Invincea, which uses secure containers to prevent malware from doing damage to a user's system.

Companies that want to reduce their reliance on antivirus software to secure their users' systems have four possible options.

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware. However, that would be a step back toward the fragile "crunchy on the outside, chewy on the inside" model of enterprise security that has been jettisoned in recent years, and antivirus protection has been shown to have a measurable positive effect on security.

In its latest Security Intelligence Report, Microsoft found that computers that had no anti-malware protection were 5.5 times more likely, on average, to be infected with malicious code. Anti-malware protection played a greater role in more modern versions of Windows: Unprotected Windows XP systems were 3.5 times more likely, unprotected Windows 7 Service Pack 1 systems 9.5 times more likely, and unprotected Windows 8 systems 14 times more likely to be infected than the same system with anti-malware software.

"Although there is no such thing as a perfect security product, the findings ... clearly show that using real-time security software from a reputable vendor and keeping it up to date are two of the most important steps individuals and organizations can take to reduce the risk they face from malware and potentially unwanted software," the report states.

2. Beef up the blacklist
Companies can also use companion programs that give antivirus scanners a helping hand. Antivirus software typically takes the blacklist approach to security: detect malicious software that attempts to run on the system and stop it. Many alternatives to standard antivirus software augment this approach rather than replace it.

Malwarebytes, for example, works alongside antivirus and helps users detect malware and, if any is found, clean it. Sourcefire's Immunet uses a crowdsourcing approach, combining results from its own systems with those of other antivirus programs.

3. Use a whitelist
Some security firms have approached the problem by creating lists of known-good files and only allowing those files to run. Known as whitelisting, the security technology has helped detect threats, but has been criticized as hard to manage in an enterprise unless the information technology group prohibits users from installing their own software on systems.

In addition, because whitelisting software is the ultimate arbiter of what can be trusted, a breach of the security system itself can give an attacker total access. The theft of a digital certificate from security firm Bit9 in July 2012 left the firm's clients open to attack, because any malware signed with the certificate was considered a benign file.
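An added illustration of the trust-anchor problem this paragraph describes (example code written for this page, not from the article or from any vendor it names): a default-deny allowlist that trusts either exact file hashes or a signing publisher, showing why a signer rule is blanket trust, why revocation has to be part of the design, and why hash-only rules are costly to manage. The vendor name and all file contents are constructed.

```python
import hashlib
from typing import Optional, Tuple

VENDOR = "Example Software Vendor"  # constructed publisher name, not a real vendor


class Allowlist:
    """Default-deny allowlist with two rule types: exact file hash and trusted signer."""

    def __init__(self) -> None:
        self.hashes: set = set()   # approved builds, one entry per exact binary
        self.signers: set = set()  # publishers whose signature is trusted wholesale
        self.revoked: set = set()  # publishers whose signing key is known compromised

    def approve_build(self, content: bytes) -> None:
        self.hashes.add(hashlib.sha256(content).hexdigest())

    def revoke_signer(self, signer: str) -> None:
        # A stolen certificate turns a signer rule into blanket trust for the thief,
        # so revocation must both drop the rule and explicitly block that signer.
        self.signers.discard(signer)
        self.revoked.add(signer)

    def decide(self, content: bytes, signer: Optional[str] = None) -> Tuple[bool, str]:
        if hashlib.sha256(content).hexdigest() in self.hashes:
            return True, "hash"
        if signer in self.revoked:
            return False, "revoked-signer"
        if signer in self.signers:
            return True, "signer"
        return False, "default-deny"


def stolen_certificate_scenario() -> dict:
    """Walk through the trade-off described in the text; all file contents are constructed."""
    wl = Allowlist()
    wl.approve_build(b"ERP client build 1.0")
    wl.signers.add(VENDOR)
    r = {"erp_1.0": wl.decide(b"ERP client build 1.0")}
    # A routine update changes the hash, so a hash-only rule needs re-approval per build.
    r["erp_1.1_unsigned"] = wl.decide(b"ERP client build 1.1")
    r["erp_1.1_signed"] = wl.decide(b"ERP client build 1.1", VENDOR)
    # Anything signed with the stolen certificate inherits exactly the same trust.
    payload = b"stand-in for a malicious file"
    r["malware_before_revocation"] = wl.decide(payload, VENDOR)
    wl.revoke_signer(VENDOR)
    r["malware_after_revocation"] = wl.decide(payload, VENDOR)
    # Revocation also blocks the vendor's legitimate builds until re-approved by hash.
    r["erp_1.1_after_revocation"] = wl.decide(b"ERP client build 1.1", VENDOR)
    return r
```

The last result is the operational cost the article alludes to: after a signer is revoked, every legitimate build from that publisher is blocked until it is individually re-approved.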

Yet the technology seems to be improving. Stegosystems, a startup that has patented technology for detecting unauthorized code running on a protected system, uses steganographic certificates to validate code at runtime, blocking unauthorized code and also preventing exploits from launching.

"While the code is actually running, it is checking every single function on the stack to verify that it has its appropriate credential and that the code itself is intact--that there is no rootkit, buffer overflow, return programming and so forth," says Tom Probert, chief technology officer and founder of the firm.

4. Focus on isolation
Finally, companies can place all potentially malicious code from untrusted sources inside virtual machines, monitoring them for signs of malicious activity. Security firm Bromium, for example, uses dozens of microVMs to keep untrusted code isolated from the important data on the system. Rival Invincea uses secure containers to similarly separate potentially malicious software from important data.

"We feel that people should look at a better depth of protection, such as one that protects the kernel," says Rahul Kashyap, Bromium's chief security architect. "When you are adding in a new layer of isolation in your environment, it is important that the new layer is something that you can trust."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...

Comments
da cappin, User Rank: Apprentice
5/16/2013 | 4:31:50 PM
re: Time To Dump Antivirus As Endpoint Protection?
Antivirus is a poor infosec control that should have been commonly replaced by alternate control(s) long ago, such as compartmenting. A low-risk-tolerance web-browsing compartment could be further controlled by something like whitetrash.sf.net. Discussion of isolation and containers just sounds like "cardboard" layers of boundary scoping that don't actually prevent or protect -- they simply require an adversary with more persistence.

We know for a fact that adding a layer of controls like EMET or ChromeFrame will do a lot more than upgrading/fully-patching IE and installing X AV from vendor Y. Additionally, enterprise management agents (e.g. ePO, AirWatch, et al) open up the attack surface area with new concepts of trust that adversaries can utilize for exploitation/pivoting.
macker490, User Rank: Ninja
4/19/2013 | 12:20:42 PM
re: Time To Dump Antivirus As Endpoint Protection?
Point #5
Learn to use electronic signatures (e.g. PGP) to authenticate transmittals.

Transmittals include e-mail, EFTs, credit cards, online shopping/banking/tax reports, and most particularly software. If you are using a computer for commercial purposes, the old garage-computer concept of "run anything you find" has to go... back to the garage computer, not the commercial one.