AV Gets a Facelift

New features such as whitelisting take the spotlight in next generation of endpoint protection products

Antivirus products get a yearly makeover, which may seem unnecessary on the surface, but is actually crucial for AV vendors to survive and stave off the droves of new malware variants affecting everyone from the home user to enterprise IT shops.

As part of this annual reinvention, AV vendors must also add new features to keep their products as effective as possible and to justify the annual renewal costs. So what trends and features should you be on the lookout for in antivirus solutions in the new year?

The most obvious shift in AV is the move to integrated protection. Every major antivirus vendor is offering an “endpoint security suite” that bundles traditional antivirus with some type of behavioral detection and a host-based firewall with intrusion prevention capabilities. This is a huge plus for IT shops because it means you only have to install and maintain one or two protection software packages.

But too much integration can be bad for customers. Symantec and Sophos, for example, are building their network access control (NAC) solutions around their endpoint security suites -- leveraging the software on the endpoint to perform host-based integrity checks. This is a good solution for customers who prefer dealing with as few vendors as possible, but it may not be the best option when looking to deploy “best of breed” technologies that best fit a particular environment.

With the shift from network-based attacks to client-side exploitation and the proliferation of malware, antivirus vendors are turning to distributed technologies to collect and analyze the much larger volume of samples. Christopher Bolin, McAfee's CTO, says the company's analysis labs, for example, have seen an over 50 percent increase in the malware samples submitted to them for review, making 2007 a record-breaking year.

In October of last year, eEye Digital Security began offering its Blink endpoint security solution free for personal use -- with the caveat that it would send any attack data gathered on those clients to its central collection and analysis server. Robert Stull, a product manager at eEye, said at the time that the purpose of this arrangement was to collect information about client-side attacks that eEye's honeypots (which traditionally focus on network-based attacks) couldn't gather. That essentially made the free Blink Personal installations a distributed client-based honeypot network for eEye.

Then Panda Security this year published a white paper detailing its Collective Intelligence platform, which leverages Panda’s installed base by comparing memory and processes against information in Panda’s central servers. When conditions meet a particular threshold, suspicious files are then uploaded into Panda’s servers (with the client’s permission) and processed through an automated malware classification process that then builds signatures and remediation steps for the client. (See AV Vendor Adopts 'Herd' Intelligence.)

Application whitelisting, meanwhile, is enjoying a resurgence, as antivirus vendors are increasingly adopting it. The task of identifying and documenting all known bad files in a blacklist (think virus signatures) is simply unachievable. But in comparison, listing all applications that are allowed to run within a corporate network is a cakewalk.

While whitelisting holds promise, few IT shops are willing to take the plunge as wholeheartedly as Brent Rickles, senior vice president and CIO of First National Bank in Texas. Two years ago, the bank replaced its desktop AV solution with a whitelisting package, Lumension’s Sanctuary Application Control. It still runs AV at the network gateway, and using this layered approach, the bank hasn't been hit by a malware infection since it made the switch, Rickles says.
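The blacklist-versus-whitelist comparison above is easiest to see with the two policies side by side. The following is an added illustration, not code from the article or from any of the vendors it names: both policies key on a SHA-256 digest of the file contents, the blacklist denies only digests it already knows, and the allowlist denies anything it has not explicitly approved. The "executables" are constructed byte strings standing in for files on disk, and the application names and signature names are invented for the example. The repacked dropper variant and the tampered copy of an approved editor show why the text calls blacklisting unachievable and also hint at the operational cost that makes IT shops hesitate: every legitimate patch changes a hash and must be re-approved.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-ins for executable files (not real binaries; labelled as constructed).
SAMPLES: Dict[str, bytes] = {
    "editor_v1":  b"MZ\x90\x00 constructed-sample: text editor build 1.0",
    "browser_v7": b"MZ\x90\x00 constructed-sample: web browser build 7.2",
    "dropper_a":  b"MZ\x90\x00 constructed-sample: known dropper, variant A",
    "dropper_b":  b"MZ\x90\x00 constructed-sample: known dropper, variant B (repacked)",
}
# A trojanised copy of the approved editor: one appended byte changes its digest.
SAMPLES["editor_v1_tampered"] = SAMPLES["editor_v1"] + b"\x00"


def file_hash(image: bytes) -> str:
    """SHA-256 of the file contents; both policies key on this digest."""
    return hashlib.sha256(image).hexdigest()


class Blacklist:
    """Signature-style policy: deny only what is already known bad, allow everything else."""

    def __init__(self, known_bad: Dict[str, str]) -> None:
        self.known_bad = known_bad  # digest -> signature name (hypothetical names)

    def decide(self, image: bytes) -> Tuple[str, str]:
        digest = file_hash(image)
        if digest in self.known_bad:
            return "deny", f"matches signature {self.known_bad[digest]}"
        return "allow", "no signature match (default allow)"


class Allowlist:
    """Whitelisting policy: allow only approved digests, deny everything else."""

    def __init__(self, approved: Dict[str, str]) -> None:
        self.approved = approved  # digest -> approved application name (hypothetical)

    def decide(self, image: bytes) -> Tuple[str, str]:
        digest = file_hash(image)
        if digest in self.approved:
            return "allow", f"approved as {self.approved[digest]}"
        return "deny", "not on the allowlist (default deny)"


def build_policies() -> Tuple[Blacklist, Allowlist]:
    # The blacklist only knows variant A; variant B is the "new variant" that slips past signatures.
    blacklist = Blacklist({file_hash(SAMPLES["dropper_a"]): "Dropper.A"})
    # The allowlist was built from the gold images of the two sanctioned applications.
    allowlist = Allowlist({
        file_hash(SAMPLES["editor_v1"]): "editor 1.0",
        file_hash(SAMPLES["browser_v7"]): "browser 7.2",
    })
    return blacklist, allowlist


def evaluate_all() -> Dict[str, Dict[str, str]]:
    """Run every sample through both policies.

    Returns {sample_name: {"blacklist": verdict, "allowlist": verdict}}.
    """
    blacklist, allowlist = build_policies()
    results: Dict[str, Dict[str, str]] = {}
    for name, image in SAMPLES.items():
        results[name] = {
            "blacklist": blacklist.decide(image)[0],
            "allowlist": allowlist.decide(image)[0],
        }
    return results


if __name__ == "__main__":
    blacklist, allowlist = build_policies()
    for name, image in SAMPLES.items():
        for label, policy in (("blacklist", blacklist), ("allowlist", allowlist)):
            verdict, reason = policy.decide(image)
            print(f"{name:20s} {label:9s} {verdict:5s} {reason}")
```

Run it and compare the two columns: the blacklist lets the repacked dropper and the tampered editor run because neither digest is on file, while the allowlist stops both without knowing anything about them. The same default-deny property is what makes an allowlist denial a useful detection event in its own right, since an unexpected block on a managed desktop is worth investigating.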

Meanwhile, antivirus vendors are stepping up to the plate: Kaspersky Lab recently partnered with Bit9 for its whitelisting capabilities, which include Bit9’s extensive application knowledge base. Symantec also appears to be heading in the whitelisting direction: Brian Foster, senior director of product management for Symantec’s Endpoint Security Group, says whitelisting is the future.

Bottom line: This is not your father's AV. AV is just a small element of the endpoint security suites that AV vendors are peddling today. But despite its shortcomings, you still need AV technology to stay safe from today's malware.
