I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrates the failure of our old paradigm to protect endpoints.
Later this week, we are launching a fun (and funny) awareness campaign, called Planet Antivirus, highlighting the weaknesses of antivirus and focusing on the need to completely rethink our approach to how we defend endpoints. Today I am kicking this campaign off by highlighting the top five failures of antivirus technology:
-
Antivirus is a performance hog — One of the most common complaints we hear about antivirus is its performance impact. This can weigh heavier on the minds of IT managers than its problems with catching new threats. A perfect example of this is a description from CNET Labs on how they test antivirus:
“Antivirus programs are designed to detect and intercept harmful files downloaded to your computer. In order to monitor incoming files, however, antivirus programs — like all applications — need to use system resources. The degree to which an antivirus program detrimentally affects a system’s performance varies from one application to another. CNET Labs tests three areas of antivirus application performance: how deep-file virus scanning impacts overall system performance, how quickly files can be scanned for viruses, and how system boot time is affected by the antivirus program. We also report on how effective the antivirus programs are at identifying viruses by citing the studies of established industry authorities.”
It is telling that the majority of their test is concerned with how antivirus detrimentally impacts system performance. The effectiveness of the antivirus solution is almost an afterthought.
-
Antivirus is an after the fact cleaner and it doesn’t even do that well — The simple fact is that antivirus can’t protect you from getting infected. This is indisputable and has been empirically proven time and again. So why do we still use it? One reason people continue to use antivirus is that it is used to identify infections and to clean up the mess. Unfortunately it doesn’t even do that well. If you are infected by a particularly nasty piece of malware, many times the best option you have is to completely rebuild your system. There is a great post on this on the Cornell Information Technology site titled, “Rebuilding Your System Is the Safest Road to Recovery after a Malware Attack,” that does a good job of making this case:
“Dangerous software hides from repair tools: The IT Security Office recommends formatting one’s hard drive followed by a complete software reinstallation in response to a system compromise. Modern malware relies on rootkits to hide itself from antivirus software and administrator analysis. Rootkits use a variety of techniques, such as executable encryption, alternate data streams, innocently-named files or registry keys, concealment in system restore points or patch clusters, or the use of portions of the disk not conventionally accessible to the operating system. These elaborate, and effective, concealment methods make it difficult or impossible to return a computer to a safe, functional state. Often removal of the malware can render the system nonfunctional. Worse yet, incomplete or ineffective removal means the attacker may regain control of the computer.
strong>Complete reinstallation is necessary: A reinstallation includes not only the operating system, but also application software. It is important to realize that any application software currently on the computer may be tainted by the attacker and only trusted original sources should be used for reinstallation.”
-
Antivirus was designed to address a different threat — Despite the addition of heuristics and behavioral models to detect variants of malware, the fact remains that blacklisting is the foundation of antivirus and it was designed to address a different threat than today’s malware. Antivirus originated to protect against propagating threats. These threats either propagated through the sharing of disks and files by individual users or were self propagating worms that identified weaknesses in networked computers and subsequently infected vulnerable systems. Blacklisting in this model was feasible and effective because it was both easy to collect samples of the malware and protect against a limited set of threats.
Today’s threats are different. Today, online crime hinges on the combination of social engineering and vulnerability exploitation that allows the attacker to place a custom piece of malware on the targeted system. This is a much harder problem to solve by blacklisting. The attacks can be customized for uniquely targeted online businesses or groups of businesses with software that would elude even the most sophisticated antivirus solution. My main concern if I was Google or any of the other companies targeted in Operation Aurora wouldn’t be what data they stole from me, but what malware they left behind to use at another time. Most likely they will have to resort to reinstalling those systems as I mentioned in the previous point.
-
Antivirus updates are too frequent and can cause problems — In order to keep up with the exploding world of malware most antivirus applications issue updates at a very regular interval. This can be as frequently as an update a day in some cases. The problem with this is not only does it require regular distribution of these updates to all endpoints with its corresponding performance impact, but the frequency of updates also means that problems from the updates are more likely to occur. The result of a decrease in reliability of signature updates means that many organizations try to test updates before they roll out the new signatures. This simply isn’t practical. The frequency of signature updates means that testing won’t work or even be completed before the next update arrives. Organizations either need to revert to a less frequent update schedule to allow testing, potentially extending the time they are exposed to a new threat, or they need to simply trust that the update files from their antivirus company won’t cause problems. Neither of these options is optimal.
-
Relying on antivirus ties companies to fire drill software patching — The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can’t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.
2010 needs to be the year that we begin a healthy discussion of completely re-evaluating the approaches we use to protect our endpoints.
[...] week I kicked off our Planet Antivirus challenge with a blog entry highlighting the top 5 failures of antivirus. My fifth point highlighted the fact that relying on antivirus resulted in a reliance on fire drill [...]