Saturday, February 09, 2008

the state of anti-virus

there have been some posts and discussions recently about anti-virus that i thought were interesting (and not just because my name was invoked) and rather than split my thoughts between multiple sites i've opted to combine everything here... thankfully most involved welcome open debate on the subject, though others not so much - but refusing to believe malware and vulnerabilities are orthogonal to one another kinda limits where the discussion can go, so oh well...

so i'm going to start with michael's post over at mcwresearch.com... now i hope michael doesn't take this the wrong way, but i quite enjoyed the irony of his post's title - "AV must innovate or die"... michael of course comes from a behaviour-based HIPS background and behaviour-based HIPS (or at the very least its precursor) began its life in an anti-virus product...

furthermore, as i've mentioned before, anti-virus isn't just blacklist-based scanners... rather it's an archaic term for anti-malware and since HIPS is itself a type of anti-malware technology, HIPS is fundamentally part of the same industry that michael is criticizing - which means he himself is making that innovation happen and making sure 'anti-virus' doesn't die...

of course, when michael used the term anti-virus, he really was just talking about known-malware scanners and criticizing them for not being able to do what is totally outside the scope of a known-malware scanner - block unauthorized behaviour... that's actually a pretty unfair criticism since he's only considering the scanner technology itself and no technology (not scanners or HIPS) is perfect, they all do different things and they all have their limitations... he's mentioned in the past that anti-virus needs to get its peanut butter mixed in with IPS's chocolate so i'm going to give michael a treat... symantec has HIPS, mcafee has HIPS, trend micro has HIPS, sophos has HIPS, kaspersky has HIPS built into KIS, f-secure has HIPS, panda has HIPS, etc... perhaps in the future michael will consider all the technologies that traditional av vendors make available so that he doesn't have to compare apples to oranges anymore...

the other post that caught my eye was this one by lonervamp (he's also a michael but let's not get ambiguous) about where he sees the state of anti-virus being... he also refers to anti-virus in a strictly known-malware scanning context and discusses the role it's supposed to play in a defensive strategy and how its benefits have waned with the development of procedural and technological layers that complement its use... i would actually tend to agree with that observation, but i'd also note that being complementary is a commutative property - known-malware scanning complements those other layers as well... could you go without scanning entirely? sure, just like you could use only scanning, but they're better together than they are on their own... that the benefits of known-malware scanning wane in the presence of complementary layers is entirely understandable and expected as the layers in a multi-layered defense will generally partially overlap each other... it's because of that overlap that the benefits of any individual layer may wane, but a layer isn't redundant or useless unless it's completely overlapped by the other layers...

so a question that is perhaps of interest to both posters is at what point does known-malware scanning become entirely redundant?... personally, i don't think it ever does... any given technology has an achilles heel that can allow a piece of malware to get past it... for known-malware scanning this achilles heel is novelty - new/unknown malware is clearly not something known-malware scanning can deal with... other technologies have their own weaknesses too but as weaknesses go novelty is unique because it's the only one that wears off... the media makes quite a big deal out of all the new malware being created and how it keeps getting past known-malware scanners, and at the same time it rarely mentions cases of malware incidents involving old malware... this leads to the erroneous impression that one needn't worry about old malware... old malware still pops up for a variety of different reasons and although it may use tricks that can still allow it to get past other technologies, by the time it gets old it's not going to be getting past a known-malware scanner anymore...

lonervamp also made a distinction between home use and business use, suggesting that known-malware scanning was more likely to be displaced in the business than in the home... i can certainly see that - one of the strengths of known-malware scanning is that the expertise that makes it work is embedded in the product so that the user is relieved of having that burden... many other technologies require knowledge and skill from the customer that may or may not be there... in a business you're much more likely to have trained, knowledgeable individuals (the IT staff) who can make the intelligent decisions necessary for products with more client side configuration to work effectively... that means that alternative technologies become a more feasible option in that environment...

that isn't to say i'd suggest dropping known-malware scanning though... even in a business i think it has its place... i don't think it should be the only type of technology used, mind you - there are many types of technology available (sometimes even from a single vendor) and they're just waiting to be used... if i were going to suggest anything it would be more comprehensive layering, not simply different layers... the goal should be better overall coverage and substituting one layer for another isn't necessarily the way to get there...

11 comments:

kurt wismer said...

y'know, i've been thinking about it and i think maybe michael from mcwresearch is a consumer of HIPS rather than a producer... doh!

Anonymous said...

Kurt:

The fact that you're accusing me of not being "...interested in open debate" is hysterical.

The reason I don't wish to continue trading off in a battle comment Pong with you is that you're not interested in being open.

If you really read my original post, you'll see that I liked Tippet's posts even if I didn't agree with everything he said.

I presented PROS and CONS. I said so in the post. You were more interested in taking apart sentence structure than exploring the dialog.

You choose to just suggest that you're right and everyone else is wrong.

That's not debate. That's ego.

It's also annoying.

My $0.02.

/Hoff

kurt wismer said...

@hoff:
"The fact that you're accusing me of not being "...interested in open debate" is hysterical."

i specifically linked to the comment where you said you found such debates boring... that really doesn't sound like being interested to me...

"If you really read my original post, you'll see that I liked Tippet's posts even if I didn't agree with everything he said."

my apologies if my comments to your post were unclear - i never tried to suggest you were disrespectful of tippett's opinions, i was simply reacting to the aspersions you were casting on the field where he made his actual contributions...

had you not felt the need to get those minor digs in in the first place i likely wouldn't have commented... that was the only thing i was responding to...

"I presented PROS and CONS. I said so in the post. You were more interested in taking apart sentence structure than exploring the dialog."

it has been said that any really interesting debate ultimately comes down to the question of meaning... since meaning is imparted by those things, i do include them in the set of things i look at...

"You choose to just suggest that you're right and everyone else is wrong."

see the previous comment where i acknowledge one of my own errors...

i'm not the kind of person who won't admit when he's wrong...

"That's not debate. That's ego."

i was not the one who made a veiled attempt at making the discussion personal - i considered responding in kind but ultimately decided not to...

Unknown said...

I would like to comment on traditional identities/definitions provided by AV vendors, even when a pro-active technique like behaviour can be used to detect new threats. Typically, if a machine is actually infected before the behavioural rule has been created, or a more traditional identity, it requires specific knowledge of the particular piece of malware in order to do clean-up. You must understand the threat specifically in order to properly reverse its effects. Often pro-active detections will also be modified to protect against the new behaviour, but you would still want to have a detailed identity produced in order to restore a machine to a clean state.

kurt wismer said...

@chet:
i would tend to agree with you, although i know a large number of people these days wouldn't... many would say wipe-and-reinstall is the better option for recovery - the smarter ones (the ones who do prep work in anticipation of preventative failures) would instead go for restoring from an image made prior to malware contamination (and hopefully realize why restoring from an image isn't anywhere near the same thing as wipe-and-reinstall)... unfortunately, neither of those give any clue if sensitive data might have gotten out as a result of the malware getting in... specific knowledge of what got in is really the best indicator if something could have gotten out...

i'd also like to draw attention to the fact that you bring up a very good point: the discussions so far have all been about prevention only, they've ignored detection of preventative failures and recovery... known-malware scanners are one of the few tools that can be used for all 3 of those aspects of anti-malware security...

Unknown said...

Hrm, I had no idea there was such discussion going on! :) Didn't mean to dig into it, by any means!

I think business is just going to feel the pain of spending money on AV products, and instead question that value, and maybe displace it for something else. Not to say AV doesn't add value, but AV on the perimeters and other protections on the hosts may end up making it look very much like AV is being displaced. Users will go home, declare to a friend they don't use AV at work on their systems, and it'll spread from there. Ick.

Still, I'm not about to proclaim myself a guru in how AV scans or better ways AV can scan or protect...so your points are all well-taken, bro. :)

kurt wismer said...

@lonervamp:
"I think business is just going to feel the pain of spending money on AV products, and instead question that value, and maybe displace it for something else."

i suspect you're right, and i do anticipate that businesses will experiment with just the sort of substitution you're talking about... but i have no idea if they're going to wind up with better overall coverage as a result - it depends on what layers they already have in addition to the one they're swapping out and even on the specific products chosen... i don't know that anyone can really say in general what the net effect will be... with an additive approach it's easier to say that there will likely be a net improvement, but you're right that cost could easily be a concern that would probably make that an unpalatable approach...

Unknown said...

The problem with perimeter protection is that it reduces your exposure to the total malware threat, however it completely ignores any holes in the system. It is totally absurd to pretend you can save a few bucks by only protecting the perimeter and somehow control and monitor every given file that may enter your network. The cost of a cleanup is absolutely insane if you are unprotected on the inside and a single machine is infected. An organization of 5000 users may spend $50000 USD to purchase protection, yet productivity loss from one wide-spread infection (which it would be if you had no AV or HIPS/pro-active detection internally) is more costly than that merely in man hours, let alone the cost of potentially lost or compromised data.

This all comes back to your point of a layered defense. Some threats will get through the perimeter due to the nature and diversity of applications. Some workstations will always somehow not have total protection, or will be victim to an OS flaw, or application flaw that may bypass protection mechanisms. Without a layered approach, organizations will be at risk of serious financial losses, or data theft. These techniques do not entirely protect a given entity, however they are about the best the industry can offer as a solution to the problem at this time without every company employing a team of security specialists to customize their defenses on a daily, if not hourly basis. None of us that work in security research like that it has to be this way, but the maturity of computing and security at this time nearly requires anyone responsible for data security and safety to take this approach.

Thanks,
Chet

kurt wismer said...

@chet:
"It is totally absurd to pretend you can save a few bucks by only protecting the perimeter and somehow control and monitor every given file that may enter your network."

indeed, using a scanner only at the gateway pretty much ignores attacks that come into workstations over encrypted channels (ex. encrypted mass mailers, multi-stage attacks that use their own encrypted tunnels, or possibly even anything over ssl unless you've got a man-in-the-middle ssl proxy set up), among other things...

however, i don't think anyone is suggesting a scanner at the gateway and then nothing on the workstations... rather, i think the suggestion is scanning at the gateway and then generic/behavioural detection (or perhaps even application whitelisting) on the workstations... some of those generic tools are quite capable...

personally, though, i prefer to have as many different layers (i go pretty far but not so far as to use multiple scanners or that sort of thing) as i can on a system...

Rick Shaw said...

Kurt-

You nailed it. I am indeed a consumer. I am a security manager for a moderate firm (~1,600 employees). Why do you say 'doh!'?

Chet-

"Typically, if a machine is actually infected before the behavioural rule has been created, or a more traditional identity, it requires specific knowledge of the particular piece of malware in order to do clean-up. You must understand the threat specifically in order to properly reverse its effects."

Great point and is exactly why I utilize generic 'observation' rules in my HIPS. I know I won't be able to prevent or even sometimes contain all malware on a host and in the unfortunate case of a compromise, I do my best to observe so that I can learn and adapt.

I fully understand that AV technology will always be reactive and once the fight is reduced to a fight with the actual malware, you are in the end game. However, the core problems I'm observing in AV are problems dealing with variants, speed of delivery of definitions, the ability to decompose or decode samples, and overall client stability and reliability.

I expect an awful lot from my security software and am willing to pay a premium for a quality, cutting-edge solution that gives me a weapon that is at least as effective as the weapon the enemy wields.

Granted, the bad guys will always have the initiative and the good guys will always be in defense, but that doesn't mean we have to become complacent with an obviously failing solution (malware analysis and detection).

Anyone want to borrow my soap box? =)

kurt wismer said...

@michael:
"the ability to decompose or decode samples"

could you clarify that a bit? are you talking on user machines or at the vendor site? what kind of samples?

"I expect an awful lot from my security software and am willing to pay a premium for a quality, cutting-edge solution that gives me a weapon that is at least as effective as the weapon the enemy wields."

no single weapon is going to give you what you want, nor is one likely to be forthcoming... part of the reason is that you're actually dealing with a bunch of separate enemies with different weapons so you really can't expect a single weapon to be capable of countering many upon many other weapons...