
Vulnerabilities / Threats

4/18/2013
01:01 AM

Time To Dump Antivirus As Endpoint Protection?

Attackers find it easy to avoid signature- and heuristic-based anti-malware defenses. Experts recommend alternatives to antivirus programs be used alongside them, not in lieu of them

The shortcomings of antivirus software are well known in the security industry, where the programs are typically considered an eminently fallible last line of defense.

When Google analyzed, for example, the performance of four antivirus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected. While the Internet giant did not name the providers of the software nor discuss the testing environment, the results are in line with other studies as well.

"AV, which is part of the cost of defense, is not causing a commensurate increase in cost for attackers," says Brian Foster, chief technology officer of Damballa and a former executive with antivirus firm McAfee. "The attackers just build a new version, run it by VirusTotal, and as soon as they get it past all 43 vendors there, they know they are golden--at least for the next 24 hours."

Just the same, information security managers looking to free up budget for other--possibly more efficient--measures will have a hard time justifying replacing antivirus with other technologies, security experts say. No one interviewed for this article recommended that companies completely ditch antivirus or anti-malware software in favor of another solution. Compliance mandates, for example, can require that companies in certain industries must maintain antivirus software.

Instead, additional technologies should be called up to bolster the endpoint's ability to prevent malware from running on a system.

[Following Flame, Stuxnet, and Duqu, even the antivirus industry is questioning its ability to stop targeted attacks. Yet other technologies exist to catch malware in the corporate network. See When Antivirus Fails, All Is Not Lost.]

"So what we really need to do is get rid of the stuff that is not working, and put on new innovative techniques that stop the future threats," says Anup Ghosh, CEO and founder of Invincea, which uses secure containers to prevent malware from doing damage to a user's system.

Companies that want to reduce their reliance on antivirus software to secure their users' systems have four possible options.

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware. However, besides being a step back towards the fragile "crunchy on the outside, chewy on the inside" model of enterprise security that has been jettisoned in recent years, antivirus protection has been shown to have positive effects on security.

In its latest Security Intelligence Report, Microsoft found that computers that had no anti-malware protection were 5.5 times more likely, on average, to be infected with malicious code. Anti-malware protection played a greater role in more modern versions of Windows: Unprotected Windows XP systems were 3.5 times more likely, unprotected Windows 7 Service Pack 1 systems 9.5 times more likely, and unprotected Windows 8 systems 14 times more likely to be infected than the same system with anti-malware software.

"Although there is no such thing as a perfect security product, the findings ... clearly show that using real-time security software from a reputable vendor and keeping it up to date are two of the most important steps individuals and organizations can take to reduce the risk they face from malware and potentially unwanted software," the report states.

2. Beef up the blacklist
Companies can also use companion programs that give antivirus scanners a helping hand. Antivirus software typically takes the blacklist approach to security: Detect malicious software that attempts to run on the system and stop it. Many alternatives to the standard antivirus software augment this system.

Malwarebytes, for example, works alongside antivirus and helps users detect malware and, if any is found, clean it. Sourcefire's Immunet uses a crowdsourcing approach, combining results from its own systems with those of other antivirus programs.

3. Use a whitelist
Some security firms have approached the problem by creating lists of known-good files and only allowing those files to run. Known as whitelisting, the security technology has helped detect threats, but has been criticized as hard to manage in an enterprise unless the information technology group prohibits users from installing their own software on systems.

In addition, because whitelisting software is the ultimate arbiter of what can be trusted, a breach of the security system can give total access to an attacker. The theft of a digital certificate from security firm Bit9 in July 2012 left the firm's clients open to attack, as any malware signed with the certificate was considered a benign file.

Yet, the technology seems to be improving. Stegosystems, a startup that has patented technology for detecting unauthorized code running on a protected system, uses steganographic certificates to validate code at runtime, blocking not only non-authorized code, but also preventing exploits from launching.

"While the code is actually running, it is checking every single function on the stack to verify that it has its appropriate credential and that the code itself is intact--that there is no rootkit, buffer overflow, return programming and so forth," says Tom Probert, chief technology officer and founder of the firm.

4. Focus on isolation
Finally, companies can place all potentially malicious code from untrusted sources inside virtual machines, monitoring them for signs of malicious activity. Security firm Bromium, for example, uses dozens of microVMs to keep untrusted code isolated from the important data on the system. Rival Invincea uses secure containers to similarly separate potentially malicious software from important data.

"We feel that people should look at a better depth of protection, such as one that protects the kernel," says Rahul Kashyap, Bromium's chief security architect. "When you are adding a new layer of isolation in your environment, it is important that the new layer is something that you can trust."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism.

Comments
macker490 (User Rank: Ninja), 4/19/2013 | 12:20:42 PM
re: Time To Dump Antivirus As Endpoint Protection?
Point #5
Learn to use electronic signatures (e.g., PGP) to authenticate transmittals.

Transmittals include e-mail, EFTs, credit cards, online shopping/banking/tax reports, and most particularly software. If you are using a computer for commercial purposes, the old garage computer concept of "run anything you find" has to go... back to the garage computer, not the commercial one.
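As an added example (not code from Bit9, Stegosystems, Invincea, or any vendor named in the article, and not the commenter's own), the Go program below ties together two points on this page: section 3's caveat that a whitelist is only as strong as its trust anchor, illustrated by the Bit9 certificate theft, and the comment above about authenticating software with electronic signatures before running it. It models an allowlist that admits a binary either by a pinned SHA-256 hash or by a valid Ed25519 signature from a trusted publisher key, then walks through what happens when a publisher key is stolen and later revoked. All keys, binaries, policy entries and decision strings are constructed for the example; Ed25519 stands in for the PGP or X.509 signatures the page mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision reasons returned by the allowlist check (constructed labels).
const (
	AllowPinnedHash       = "allow: pinned hash"
	AllowTrustedPublisher = "allow: valid signature from trusted publisher"
	DenyRevokedPublisher  = "deny: signature from revoked publisher key"
	DenyBadSignature      = "deny: signature does not verify"
	DenyUnknown           = "deny: not on allowlist"
)

// SignedFile is a binary plus the detached signature and public key of
// whoever claims to have signed it (Signer is nil for unsigned files).
type SignedFile struct {
	Content   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Allowlist is the policy: what may run. Keys are hex strings so maps work.
type Allowlist struct {
	PinnedHashes map[string]bool // SHA-256 of exact binaries
	Publishers   map[string]bool // Ed25519 public keys trusted to sign
	Revoked      map[string]bool // publisher keys known to be stolen
}

func keyID(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

func fileHash(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// Decide returns whether the file may run and why.
func (a *Allowlist) Decide(f SignedFile) (bool, string) {
	// 1. Exact hash pin: strongest evidence, no key involved.
	if a.PinnedHashes[fileHash(f.Content)] {
		return true, AllowPinnedHash
	}
	// 2. Publisher signature. Revocation is checked before trust so a
	//    stolen key is rejected even though its signatures still verify.
	if f.Signer != nil {
		id := keyID(f.Signer)
		if a.Revoked[id] {
			return false, DenyRevokedPublisher
		}
		if a.Publishers[id] {
			if ed25519.Verify(f.Signer, f.Content, f.Signature) {
				return true, AllowTrustedPublisher
			}
			return false, DenyBadSignature
		}
	}
	return false, DenyUnknown
}

// Revoke moves a publisher key from trusted to revoked.
func (a *Allowlist) Revoke(pk ed25519.PublicKey) {
	id := keyID(pk)
	delete(a.Publishers, id)
	a.Revoked[id] = true
}

// RunScenario walks through the decisions in order and returns the reasons.
// The key pair and all "binaries" are constructed for this example.
func RunScenario() []string {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	goodTool := []byte("constructed: line-of-business tool pinned by hash")
	vendorApp := []byte("constructed: vendor application update")
	malware := []byte("constructed: malware signed with the stolen vendor key")
	unknown := []byte("constructed: random download")

	policy := &Allowlist{
		PinnedHashes: map[string]bool{fileHash(goodTool): true},
		Publishers:   map[string]bool{keyID(vendorPub): true},
		Revoked:      map[string]bool{},
	}
	sign := func(b []byte) SignedFile {
		return SignedFile{Content: b, Signature: ed25519.Sign(vendorPriv, b), Signer: vendorPub}
	}
	var out []string
	record := func(f SignedFile) { _, why := policy.Decide(f); out = append(out, why) }

	record(SignedFile{Content: goodTool}) // pinned hash, no signature needed
	record(SignedFile{Content: unknown})  // nothing vouches for it
	record(sign(vendorApp))               // legitimate signed release
	tampered := sign(vendorApp)
	tampered.Content = append([]byte{}, tampered.Content...)
	tampered.Content[0] ^= 0xff // modified after signing
	record(tampered)            // signature no longer verifies
	record(sign(malware))       // stolen key: the allowlist is fooled
	policy.Revoke(vendorPub)    // theft discovered, key revoked
	record(sign(malware))       // now rejected despite a valid signature
	return out
}

func main() {
	for i, why := range RunScenario() {
		fmt.Printf("%d. %s\n", i+1, why)
	}
}
```

The fifth decision is the Bit9 problem in miniature: the signature is cryptographically valid, so a policy that trusts the publisher key alone has no way to tell the vendor's update from malware signed with the stolen key. Two design choices limit the blast radius: revocation is consulted before trust, so a revoked key cannot be reinstated by a valid signature, and the most sensitive binaries are pinned by hash so that no single publisher key compromise grants total access.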
da cappin (User Rank: Apprentice), 5/16/2013 | 4:31:50 PM
re: Time To Dump Antivirus As Endpoint Protection?
Antivirus is a poor infosec control that should have been commonly replaced by alternate control(s) long ago, such as compartmenting. A low-risk-tolerance web-browsing compartment could be further controlled by something like whitetrash.sf.net. Discussion of isolation and containers just sounds like "cardboard" layers of boundary scoping that don't actually prevent or protect -- they simply require an adversary with more persistence.

We know for a fact that adding a layer of controls like EMET or ChromeFrame will do a lot more than upgrading/fully patching IE and installing X AV from vendor Y. Additionally, enterprise management agents (e.g., ePO, AirWatch, et al.) open up the attack surface area with new concepts of trust that adversaries can utilize for exploitation/pivoting.