4/18/2013
01:01 AM

Time To Dump Antivirus As Endpoint Protection?

Attackers find it easy to avoid signature- and heuristic-based anti-malware defenses. Experts recommend alternatives to antivirus programs be used alongside them, not in lieu of them

The shortcomings of antivirus software are well known in the security industry, where the programs are typically considered an eminently fallible last line of defense.

When Google analyzed, for example, the performance of four antivirus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected. While the Internet giant did not name the providers of the software nor discuss the testing environment, the results are in line with other studies as well.

"AV, which is part of the cost of defense, is not causing a commensurate increase in cost for attackers," says Brian Foster, chief technology officer of Damballa and a former executive with antivirus firm McAfee. "The attackers just build a new version, run it by VirusTotal, and as soon as they get it past all 43 vendors there, they know they are golden--at least for the next 24 hours."

Just the same, information security managers looking to free up budget for other--possibly more efficient--measures will have a hard time justifying replacing antivirus with other technologies, security experts say. No one interviewed for this article recommended that companies completely ditch antivirus or anti-malware software in favor of another solution. Compliance mandates, for example, can require that companies in certain industries must maintain antivirus software.

Instead, additional technologies should be called up to bolster the endpoint's ability to prevent malware from running on a system.

[Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network. See When Antivirus Fails, All Is Not Lost.]

"So what we really need to do is get rid of the stuff that is not working, and put on new innovative techniques that stop the future threats," says Anup Ghosh, CEO and founder of Invincea, which uses secure containers to prevent malware from doing damage to a user's system.

Companies that want to reduce their reliance on antivirus software to secure their users' systems have four possible options.

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware. However, besides being a step back towards the fragile "crunchy on the outside, chewy on the inside" model of enterprise security that has been jettisoned in recent years, antivirus protection has been shown to have positive effects on security.

In its latest Security Intelligence Report, Microsoft found that computers that had no anti-malware protection were 5.5 times more likely, on average, to be infected with malicious code. Anti-malware protection played a greater role in more modern versions of Windows: Unprotected Windows XP systems were 3.5 times more likely, unprotected Windows 7 Service Pack 1 systems 9.5 times more likely, and unprotected Windows 8 systems 14 times more likely to be infected than the same system with anti-malware software.

"Although there is no such thing as a perfect security product, the findings ... clearly show that using real-time security software from a reputable vendor and keeping it up to date are two of the most important steps individuals and organizations can take to reduce the risk they face from malware and potentially unwanted software," the report states.

2. Beef up the blacklist
Companies can also use companion programs that give antivirus scanners a helping hand. Antivirus software typically takes the blacklist approach to security: Detect malicious software that attempts to run on the system and stop it. Many alternatives to the standard antivirus software augment this system.

Malwarebytes, for example, works alongside antivirus and helps users detect malware and, if any is found, clean it. Sourcefire's Immunet uses a crowdsourcing approach, combining results from its own systems with those of other antivirus programs.

3. Use a whitelist
Some security firms have approached the problem by creating lists of known-good files and only allowing those files to run. Known as whitelisting, the security technology has helped detect threats, but has been criticized as hard to manage in an enterprise unless the information technology group prohibits users from installing their own software on systems.

In addition, because whitelisting software is the ultimate arbiter of what can be trusted, a breach of the security system can give total access to an attacker. The theft of a digital certificate from security firm Bit9 in July 2012 left the firm's clients open to attack, as any malware signed with the certificate was considered a benign file.
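As an added illustration, not code from the article or from any vendor it names, the following shows why a stolen signing certificate defeats a publisher-trust allowlist while a per-file hash allowlist still holds; the sample binaries and the HMAC-based "signature" are constructed stand-ins for real executables and X.509 code signing.

```python
import hashlib
import hmac

# Constructed sample binaries: a legitimate tool and something built after the key theft.
GOOD_APP = b"MZ...known-good updater v1.0 (constructed sample)"
MALWARE = b"MZ...attacker-built payload (constructed sample)"

# Stand-in for the publisher's code-signing key (a real deployment uses an X.509 certificate).
PUBLISHER_KEY = b"publisher-signing-key-stand-in"


def sign(blob: bytes, key: bytes = PUBLISHER_KEY) -> str:
    """Stand-in for a code signature: HMAC-SHA256 over the file under the publisher key."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def sha256(blob: bytes) -> str:
    """Content digest used as the allowlist identity of a file."""
    return hashlib.sha256(blob).hexdigest()


def allowed_by_publisher(blob: bytes, signature: str, trusted_keys) -> bool:
    """Publisher-trust policy: run anything carrying a valid signature from a trusted key."""
    return any(hmac.compare_digest(sign(blob, k), signature) for k in trusted_keys)


def allowed_by_hash(blob: bytes, allowlist) -> bool:
    """Hash allowlist policy: run only files whose exact digest was approved in advance."""
    return sha256(blob) in allowlist


def demo() -> dict:
    """Evaluate both policies after the publisher key has been stolen."""
    trusted_keys = [PUBLISHER_KEY]
    allowlist = {sha256(GOOD_APP)}
    # The attacker holds the stolen key, so the malware carries a perfectly valid signature.
    stolen_key_signature = sign(MALWARE, PUBLISHER_KEY)
    return {
        "good_by_publisher": allowed_by_publisher(GOOD_APP, sign(GOOD_APP), trusted_keys),
        "malware_by_publisher": allowed_by_publisher(MALWARE, stolen_key_signature, trusted_keys),
        "good_by_hash": allowed_by_hash(GOOD_APP, allowlist),
        "malware_by_hash": allowed_by_hash(MALWARE, allowlist),
        # Revoking the stolen key is the fix for the publisher policy; nothing signed with it runs.
        "malware_after_revocation": allowed_by_publisher(MALWARE, stolen_key_signature, []),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the article describes is visible in the result: the hash policy blocks the signed malware, but every legitimate update must be re-approved by digest, which is the management burden it mentions.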

Yet, the technology seems to be improving. Stegosystems, a startup that has patented technology for detecting unauthorized code running on a protected system, uses steganographic certificates to validate code at runtime, blocking not only non-authorized code, but also preventing exploits from launching.

"While the code is actually running, it is checking every single function on the stack to verify that it has its appropriate credential and that the code itself is intact--that there is no rootkit, buffer overflow, return programming and so forth," says Tom Probert, chief technology officer and founder of the firm.

4. Focus on isolation
Finally, companies can place all potentially malicious code from untrusted sources inside virtual machines, monitoring them for signs of malicious activity. Security firm Bromium, for example, uses dozens of microVMs to keep untrusted code isolated from the important data on the system. Rival Invincea uses secure containers to similarly separate potentially malicious software from important data.

"We feel that people should look at a better depth of protection, such as one that protects the kernel," says Rahul Kashyap, Bromium's chief security architect. "When you are adding a new layer of isolation in your environment, it is important that the new layer is something that you can trust."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
da cappin
da cappin,
User Rank: Apprentice
5/16/2013 | 4:31:50 PM
re: Time To Dump Antivirus As Endpoint Protection?
Antivirus is a poor infosec control that should have been commonly replaced by alternate control(s) long ago, such as compartmenting. A low-risk-tolerance web-browsing compartment could be further controlled by something like whitetrash.sf.net. Discussion of isolation and containers just sounds like "cardboard" layers of boundary scoping that don't actually prevent or protect -- they simply require an adversary with more persistence.

We know for a fact that adding a layer of controls like EMET or ChromeFrame will do a lot more than upgrading/fully patching IE and installing X AV from vendor Y. Additionally, enterprise management agents (e.g. ePO, AirWatch, et al.) open up the attack surface area with new concepts of trust that adversaries can utilize for exploitation/pivoting.
macker490
macker490,
User Rank: Ninja
4/19/2013 | 12:20:42 PM
re: Time To Dump Antivirus As Endpoint Protection?
Point #5
Learn to use electronic signatures (e.g. PGP) to authenticate transmittals.

Transmittals include e-mail, EFTs, credit cards, online shopping/banking/tax reports, and most particularly software. If you are using a computer for commercial purposes, the old garage-computer concept of "run anything you find" has to go... back to the garage computer, not the commercial one.