Saturday, February 23, 2008

yes mr. rothman, there is a defense against drive-by downloads

in fact, there are several...

mike rothman's days of incite #5 for 2008 was about malware... he makes a good point about the inevitability of getting compromised by malware (it's something you really need to be prepared for, though some of us are still waiting), due in part to the fact that drive-by downloads need no user input to work and that exposure to them is hard to avoid, but in the process he manages to sow some fear, uncertainty, and doubt by stating that there are no defenses against drive-by downloads...

well, not to be contrarian, but there are in fact defenses against drive-by downloads... known-malware/exploit scanning in a layered service provider (lsp) will block the old ones that get re-used (and we know old exploits get re-used) before they reach the browser or any other web content rendering component on the host...
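To make the lsp point concrete, here is an added example (not code from the original post or any product) of a toy known-exploit scanner that sits between the socket and the browser, the way an lsp does. The signatures and sample pages are constructed stand-ins, not real detection patterns. The example also covers a caveat the post does not spell out: a scanner at that layer sees the raw wire bytes, so it has to undo the response's Content-Encoding before pattern matching, otherwise a gzip-compressed page sails past it.

```python
"""Toy model of a known-exploit scanner sitting between the network and the
browser, the way a winsock layered service provider (LSP) does: it sees the
raw HTTP response before any rendering component does and can drop it.

Added example, not code from the original post. The signatures and the
sample pages are constructed for illustration and are not real detection
patterns.
"""
import gzip
import re
import zlib

# Constructed signatures: detection name -> compiled byte pattern. A real
# scanner carries thousands of these for old, re-used exploits.
SIGNATURES = {
    "Demo.Exploit.A": re.compile(rb"eval\(unescape\(['\"]DEMO_PAYLOAD_A['\"]\)\)"),
    "Demo.Exploit.B": re.compile(rb"new ActiveXObject\(['\"]Demo\.Vuln\.Control['\"]\)"),
}


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return headers, body


def decode_body(headers, body: bytes) -> bytes:
    """Undo Content-Encoding so the scanner matches against what the browser
    would actually execute; only gzip is handled in this example."""
    if headers.get("content-encoding", "").lower() == "gzip":
        return gzip.decompress(body)
    return body


def scan_response(raw: bytes):
    """Return ("block", detection_name) or ("pass", None)."""
    headers, body = split_response(raw)
    try:
        content = decode_body(headers, body)
    except (OSError, EOFError, zlib.error):
        content = body        # undecodable: fall back to scanning the raw bytes
    for name, pattern in SIGNATURES.items():
        if pattern.search(content):
            return "block", name
    return "pass", None


def scan_raw_only(raw: bytes):
    """A naive scanner that ignores Content-Encoding; kept to show why a
    socket-level scanner must decode before matching."""
    _, body = split_response(raw)
    for name, pattern in SIGNATURES.items():
        if pattern.search(body):
            return "block", name
    return "pass", None


def build_response(body: bytes, gzip_encode: bool = False) -> bytes:
    """Assemble a constructed HTTP/1.1 response around a page body."""
    extra = b""
    if gzip_encode:
        body = gzip.compress(body)
        extra = b"Content-Encoding: gzip\r\n"
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + extra
            + b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n")
    return head + body


# Constructed sample pages (the filler makes the gzip case compress properly).
FILLER = b"<p>lorem ipsum filler paragraph for the demo page</p>\n" * 20
BENIGN_PAGE = b"<html><body>" + FILLER + b"</body></html>"
MALICIOUS_PAGE = (b"<html><body>" + FILLER
                  + b"<script>eval(unescape('DEMO_PAYLOAD_A'))</script></body></html>")

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("malicious", MALICIOUS_PAGE)):
        for gz in (False, True):
            raw = build_response(page, gzip_encode=gz)
            print(label, "gzip" if gz else "plain",
                  "decoding scanner:", scan_response(raw),
                  "raw-only scanner:", scan_raw_only(raw))
```

Running it shows the decoding scanner blocking the constructed "exploit" page whether or not it is gzip-encoded, while the raw-only scanner passes the compressed copy; that gap is the reason a real lsp-based scanner has to track transfer and content encodings rather than just grep the socket.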

a behavioural HIPS (or possibly even simple application whitelisting, depending on the circumstances) can conceivably stop known or unknown malware injected into the system through a drive-by download...
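As an added illustration of the application-whitelisting option (example code, not from the post or any product): a hash-keyed allowlist decides whether a process image may start, so an unknown binary dropped by a drive-by download is refused no matter what it is named or where it lands. The "executables", their hashes and the Windows-style paths are all constructed for the demonstration.

```python
"""Hash-based application allowlisting: a process image may run only if its
SHA-256 digest is on the approved list, so a binary dropped by a drive-by
download is refused no matter what it is named or where it lands.

Added example, not code from the original post or any product. The
"executables" below are constructed byte strings standing in for real
files, and the allowlist is built from them in memory.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed images of the programs the user is allowed to run.
APPROVED_IMAGES = {
    "editor.exe": b"DEMO-EXE: text editor build 1.0",
    "browser.exe": b"DEMO-EXE: web browser build 3.0",
}

# The policy store is keyed by digest: file names play no part in the decision.
ALLOWLIST = {sha256_hex(image): name for name, image in APPROVED_IMAGES.items()}


def launch_decision(path: str, image: bytes, allowlist=ALLOWLIST) -> dict:
    """Decide whether an execution request for `image` at `path` is permitted."""
    digest = sha256_hex(image)
    approved_name = allowlist.get(digest)
    return {
        "path": path,
        "sha256": digest,
        "allowed": approved_name is not None,
        "reason": (f"digest matches approved image {approved_name}"
                   if approved_name else "digest not on allowlist"),
    }


# Constructed launch attempts, including the kind a drive-by download produces.
REQUESTS = [
    # the genuine, approved editor
    (r"C:\Program Files\Editor\editor.exe", APPROVED_IMAGES["editor.exe"]),
    # an unknown binary written to a temp directory by an exploit payload
    (r"C:\Users\demo\AppData\Local\Temp\update.exe", b"DEMO-EXE: unknown dropped payload"),
    # an unknown binary given the name of an approved program
    (r"C:\Users\demo\AppData\Local\Temp\browser.exe", b"DEMO-EXE: impostor"),
]


def evaluate_all(requests=REQUESTS):
    """Run every constructed launch request through the allowlist."""
    return [launch_decision(path, image) for path, image in requests]


if __name__ == "__main__":
    for d in evaluate_all():
        print("ALLOW" if d["allowed"] else "DENY ", d["path"], "-", d["reason"])
```

The third request is the instructive one: it borrows an approved file name and still gets denied, because the decision is made on the digest of the bytes, which is exactly why an allowlist can stop malware nobody has a signature for yet.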

also, browsing from a sandbox will generally stop most things (known or unknown) coming in through a drive-by download from getting a foothold in the actual host system (leaving the intrusion in the sandbox itself)...

finally, not having the web rendering component that a particular drive-by download exploits installed and/or using a web-content whitelisting technology (such as the noscript firefox extension) can significantly reduce the vulnerable surface you present to the internet and thereby reduce your chances of being compromised...

remember folks, for every measure there is a counter-measure - drive-by downloads are not a magical super-attack that can't be stopped, they're just means of automatically installing malware when you visit a web page and the process can be blocked...

4 comments:

Luke said...

You are right of course about the defenses.

And I use all of them at different times.

But I get them not from antiviruses... :)

kurt wismer said...

oh really... is that because you don't use anti-virus at all?

and if so, where do you get a known-malware scanner in an LSP... generally speaking the only people who bother making known-malware scanners are in the so-called anti-virus biz... i suppose exploit prevent labs might have been an exception at one point, but they were bought by grisoft some time ago...

Luke said...

Actually I *do* use an antivirus (actually more than one)...
But if I want something beyond known malware scanning, antiviruses generally don't provide it.

Let's look at this from a home user context and look at the options you listed and see whether antiviruses have it..

* Sandboxes - No antivirus I'm aware of provides this. No doubt you might be able to find 1 or 2 (good luck googling), but they are not representative of what is available.

* behavioural HIPS - A few do now, but not many.

* application whitelisting - see above.

* known-malware/exploit scanning in a layered service provider - okay this one I don't really use except for Exploitlab's Linkscanner... But I would add that many antiviruses themselves don't even do this :)

* "not having the web rendering component that a particular drive-by download exploits installed and/or using a web-content whitelisting technology " - Why would I use an antivirus for this?


To be clear I'm not saying antiviruses can't (or haven't tried such things in the deep ancient past) provide these types of defenses, but the reality is they don't today (with rare rare exception)!

Oh sure, you can always google and find exceptions, but the reality is, even you, an "av-expert", had never heard of them before you googled.

I'm no expert, but I love playing and testing all kinds of security software, and I generally can't find AVs that provide such protection either....

So what does that tell you? As you yourself noted, AVs have been slow to move!

kurt wismer said...

@luke:

3 things... first and foremost - i am not an expert, i have never claimed to be an expert... i am, at best, a specialist (in that i have specialized knowledge)...

second, i think the reason you aren't seeing these things in anti-virus products is because you're too traditional in what you call an anti-virus product...

finally, with regard to lsp's: avg, antivir, mcafee, esafe, dr. web, f-secure, nod32, virusbuster, panda, pctools, trend, and vet all have lsp's - in addition to exploit prevention labs' linkscanner/socketshield which was purchased by grisoft/avg not too long ago (presumably because xpl was doing a better job of it)... and thanks to castle cops i didn't need to pore over google search results to come up with that list...