Why do users think AV is the answer to ultimate protection? My only guess is AV vendors' poor marketing messages that claim their products are the best. They're not going to say something like, "We detect and stop 92% of malware the average end-user encounters!" That's not very comforting, if it's even an accurate number. I'd say detection/protection rates are lower than that, based on the malware I've personally discovered and submitted to VirusTotal.
In addition, what about companies that deal with targeted malware attacks? Unless the attacker has absolutely no clue what he's doing, it's not difficult to create a malicious executable with very low detection rates. Two examples are covered in slides 17-20 in Paul Asadoorian's "Late-Breaking Computer Attack Vectors" document from October 2008 (PDF).
The first is Nick Harbour's PE-Scrambler, which was released at DefCon and used in the "Race to Zero" contest that highlighted the ease with which known, detectable malware could be modified to bypass AV detection. Note: The PE-Scrambler site was recently taken down for some unknown reason.
The second method is using the msfencode tool included in the Metasploit Framework. Msfencode can encode executable files using several different techniques that lower the effectiveness of AV products at detecting them. In the presentation linked above, Paul shows several examples of encoding a file with successive iterations of msfencode and the number of AV products that were still able to detect it after each one.
Erik's article does mention that users should practice layered defense, but, honestly, what layered defense techniques do most users have at their disposal? Corporate users have us security professionals to answer that question, but what about the average home user or small business without full-time IT security professionals? I think the options wind up being consumer firewalls and AV, followed by common sense and a bit of paranoia, but not much else.
Bad habits at home often follow a user into the workplace, both through poor user behavior and through the use of malware-infected removable storage devices. Are you doing anything to help promote good behavior both at work and at home?
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.