my current thoughts on the state of antivirus

I still maintain that antivirus software is a necessity for computers these days. But after reading some thoughts from Michael about AV, I’m wondering if my long-standing Top 5 Security Step is less and less founded in rationality. As a quick summary, I’ll say that AV is dying in the enterprise, but as a consumer protection it is still an easy and easily understood suggestion. In the enterprise, AV is simply evolving, either migrating into other layers or into things like HIPS. As a bottom line, be open and think about the role of AV in your situation. I expect (and welcome!) a strong reaction from Wismer on any holes in this post! 🙂

(I run AV on my home Windows boxes. I also use it on my mail gateway. My Linux boxes do not run AV. At work, we use AV and soon HIPS on all systems, and we’re a fully Windows shop.)

So what is AV supposed to be doing? Well, it is supposed to block, detect, and clean various bits of malware from my system. It does this in real time and with regular scans.

  • Signature-based – Everyone digs on AV’s signatures being a limiting factor. This is true, and is illustrated by the TSA no-fly lists. Jason Bourne’s name appears on this list. When Jason Bourne attempts to board an airplane, someone compares his name to that on some ubiquitous list of baddies. What if Jason changes his name to James Bourne? He’ll get through. What if there is another, completely innocent person named Jason Bourne? He might get denied access. Signatures work no better, really. And what if his name gets printed as Bourne, Jason? This is a bit like a file getting scrambled or encrypted a bit. It still works, but might not exactly match the signature list.
  • Protects against email-borne malware – AV protects against bad things sent via email. The problem here is threefold. First, many users are slowly getting used to not clicking random files in emails that they didn’t request (slow but sure!). Second, mail servers and gateways are getting better at stripping bad attachments and files. Third, brand-new threats that attack otherwise trusted file types like PDF or DOC are no better stopped by AV at the host than by AV at the gateway. I’ve found our third-party spam filter provider is far better at detecting, scrubbing, and reacting to spam and new attacks than we could ever hope to be (part of the trend toward outsourcing commodity security services).
  • Protects against network-borne malware – AV protects against bad things banging against and entering the system from the network, via network shares on the host or the host connecting to network shares. This can also include old exploits that pop vulnerable services/stacks in Windows or Windows-borne apps. We’ve not seen a huge number of these like we did 4+ years ago. The network is getting more protected as the OS incarnations become more solid (arguably) and network security matures. Firewalls, IDS/IPS, gateway AV, and even simple router ACLs/NAT keep a lot of things safer than they used to be. We’re also getting better at detecting when something bad is circulating on the network. I believe all of this progress is due not to technology, but to the slow accumulation of technical experience and expertise in the enterprise and in commercial tools. All of this means AV’s use in protecting against network-borne malware is a bit more redundant.
  • Protects against web-borne malware – This is my most dubious claim, but I don’t have the feeling that AV protects me all that much from the various web-borne attacks. Sure, it can detect and maybe stop the big ones, but there are innumerable ways to write such malware. I’m just as worried about a targeted attack from a niche hacking site I visit as about the Super Bowl page with some generic dropped script. Things like web filters, HIPS, and limited rights help the enterprise user. Things like non-standard browsers and NoScript-type add-ons help home users. I think the impact of AV on this vector is diminished.
  • Keeps the system running smoothly – Malware still bears the telltale trait of slowing our systems to a crawl, in many cases. We don’t like this. It soaks up productivity, increases user frustration with technology, and can harm the system itself, up to overheating or simply an unrecoverable OS. Other security pressures have been pushing data to be better secured and more available, especially in backups or on trusted networks. This means the physical endpoint is becoming more expendable, the least costly of our worries. Likewise, a pwned system with lots of malware can simply be rebuilt in such an environment, with little real loss. Home users are typically not as lucky in this regard.
  • Protection against known attacks – My problem with this sort of assertion is twofold. First, protection is only against known attacks, not bleeding-edge unknown ones. AV is not the only victim here, since the attacks *are* unknown! Likewise, the inverse is true: AV protects against known attacks no better than protections in other layers, like the mail gateway or web filter. Second, keeping systems and applications patched (always easier said than done!) should also protect against known attacks. I would never happily justify slack patching due to AV protection.
  • Provides security in untrusted networks – I’ll argue that this is still true, but also reduced and probably eclipsed by a good bi-directional firewall and HIPS. It’s a fact of life that computers can now move at will from the trusted network to untrusted ones. Even if your laptop usage is small, it helps to just treat everything as if it were mobile. While AV’s role is diminished by edge and perimeter security measures, those are gone in an untrusted network.
  • Keeps the computer safer from human stupidity – There’s a reason this bullet is last: it’s especially important. Users can still make mistakes, and it really does help to catch those mistakes. Even if they happen and detectors raise alarms, I’d rather know something is borked than not know it. I really see AV’s main purpose these days to be protecting against human error. Yes, other tools and approaches like limited rights and HIPS can do the same thing, but at least AV is easily accessible to home consumers, and better understood. If a piece of malware from 3 years ago gets sent to my users, I can expect one of them, someday, to accidentally click on it (come on, we’ve all accidentally run something we didn’t mean to at some point!), and that’s the safety net AV maintains. I’d rather my parents run AV than a FW or HIPS and not know whether to allow an action or not.
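To make the Jason Bourne analogy from the signature-based bullet concrete, here is an added toy scanner (not code from the original post) that checks a file against a whole-file hash signature and a byte-pattern signature; the "known-bad" sample, the marker string and the XOR layer standing in for a packer are all constructed for the illustration, not real malware.

```python
import hashlib

# Constructed stand-in for a known-bad file; a harmless marker, not real malware.
KNOWN_BAD = b"MZ\x90\x00fake-sample\x00BAD-DROPPER-ROUTINE\x00end"

def hash_signature(data: bytes) -> str:
    """Whole-file hash: the strictest kind of signature (exact name on the no-fly list)."""
    return hashlib.sha256(data).hexdigest()

# The two signature types the scanner knows about, both derived from KNOWN_BAD.
HASH_SIGNATURES = {hash_signature(KNOWN_BAD)}
PATTERN_SIGNATURES = [b"BAD-DROPPER-ROUTINE"]

def scan(data: bytes) -> dict:
    """Return which signature types flag the file (True = detected)."""
    return {
        "hash": hash_signature(data) in HASH_SIGNATURES,
        "pattern": any(p in data for p in PATTERN_SIGNATURES),
    }

def xor_scramble(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a packer or trivial encryption layer ('Bourne, Jason')."""
    return bytes(b ^ key for b in data)

def demo() -> dict:
    """Run the four cases from the analogy and collect each scanner verdict."""
    cases = {
        # Exact copy of the known-bad file: Jason Bourne boards under his own name.
        "original": KNOWN_BAD,
        # One appended byte ('James Bourne'): the hash misses, the pattern still hits.
        "appended_byte": KNOWN_BAD + b"\x00",
        # Whole file scrambled: neither signature matches, though the payload is unchanged.
        "scrambled": xor_scramble(KNOWN_BAD),
        # Innocent analyst notes that quote the marker: the other, innocent Jason Bourne.
        "innocent_notes": b"Incident notes: sample contained string BAD-DROPPER-ROUTINE",
    }
    return {name: scan(data) for name, data in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} hash={verdict['hash']!s:5} pattern={verdict['pattern']}")
```

The pattern signature survives the appended byte but produces the false positive on the notes file, and the scrambled copy evades both, which is why the layers the post goes on to discuss (gateway filtering, HIPS, limited rights) matter.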

While I feel, personally, that the role and importance of AV in the enterprise is dying or greatly diminished, I would not recommend any shops abandon AV without doing a couple of things.

  • Replace the AV with something– Chances are this will be a HIPS product, but replace it with something. I don’t think I’m fully ready to strip the host of third-party protection or leave it with just firewalls in place.
  • Examine your laws and regulations– Does some regulation specifically require AV to be present (PCI)? Then you have to keep it, really. You might also have to make an extra good case to your lawyers or management teams; AV necessity is pretty deeply ingrained now.
  • Examine your defense in depth– A lot of the usefulness of AV is being eroded by layers of defenses and replacement products. Sure, you can replace AV with HIPS, but don’t argue against AV if you don’t have network perimeter and edge device protections to stop malware from entering the safety of your trusted networks. Make sure you still have confidence in your other mitigating security measures.
  • Prove the value of the alternatives or the lack of value in AV– Set up some tests with your techs to evaluate the real benefits of AV. Granted, I doubt your results will be publish-worthy, but try to understand what gets by the AV and what gets by HIPS if that is your alternative. Scrape your spam filter for bad files, put them onto a box with both products, and attempt to run them. Try to run them on an unsecured box, and see if you can push or install the products after the infection. And so on. Understand what you’re replacing, so that you can be more confident in the added or decreased value of your decision. Or have your vendors/partners do this for you. Maybe HIPS will provide additional benefits like an inbound firewall or other alerting mechanisms that go beyond just AV actions. These tests may go a long way toward garnering you support in the enterprise.
2 thoughts on “my current thoughts on the state of antivirus”

1. I agree with you that it isn’t time to jettison AV yet. It still provides at least *some* level of protection. However, it certainly is time to put pressure on the vendors to radically rethink their models.
   I don’t have a lot of the minute details thought out myself on what AV should look like in the next 10 years, but here are some of the things I’ve thought of recently (almost all of which focus on the browser, which is currently the front lines in this war on malware):

   • Shim the web browsers, either between the Internet and the browser (preferred) or between the browser and the OS so that the AV app can keep its fingers around the browser’s throat and control it.
   • Develop vulnerability protection into the browser shim that acts as a virtual patch rather than traditional AV models that look for malware. This will be much more effective at stopping variants than malware protection is.
   • Include a killbit feature to snipe malicious CLSIDs. Granted, this is signature-based, but we need a stop-gap in place while heuristic or HIPS-like technology catches up.
   • Utilize P2P-like communication between AV clients within the enterprise. If a host detects a malicious file, have it communicate an MD5 hash of the file to all other hosts and prevent access to that file. This will also help when there is disparity of definition versions within the enterprise.
   • Take advantage of worms that check for a local infection by duping them into thinking the host is already infected. For example, Nimda first checked if the local machine was infected. If AV could simulate infection automatically, it could prevent an actual infection. AV is pretty useless against worms until a payload is delivered. The ability to simulate an infection could help in that phase of a compromise.
