Antivirus in rugged health
Anyone who is fortunate or unfortunate enough to spend much time at security conferences will probably be used to being told that antivirus is dead by people that want to sell you something else, and to me, that has always sounded like more than a touch of exaggeration.
IT can be dogged by statements like this; indeed a very traditional antivirus product that just compares files with a list of malware signatures is coming to the end of its usefulness. That doesn’t make antivirus technology redundant, just one method of detection.
Modern endpoint protection malware suites are something very different. Such products will have signatures at their core, not only signature for files but for behaviour, network traffic and even for file origin. Such endpoint protection suites integrate with the computer to provide firewall, intrusion prevention, browser protection and more, so providing a layered protection model that is far more effective than the old signature model. Nothing new there for anyone who is remotely interested in such things. Now compare this change with changes in the way modern malware has changed the way it attacks clients. two great examples are the generic downloader and cryptoware:
A generic downloader is normally embedded in an Email attachment, and is in part a, return to the macro virus. It will attempt to manipulate a user into running an office macro designed to collect malware from the Internet, or other infected machine. The generic downloader is not itself the malware. The attacker can change the downloader code almost constantly to avoid traditional signature based scanners. However, its behavior must remain broadly similar, to connect to the Internet, download the true malware and then execute it. It is this sort of behaviour that modern systems can defend against and traditional systems struggle.
It is much the same the same for cryptoware, also known as ransomware. A user is tricked into downloading a cryptographic client and then that client starts encrypting files in a way almost indistinguishable from a legitimate request from the operating system, until the luckless user is asked to pay a ransom to get their files back. It is therefore the behavior of the client as the malware loads, and tries to contact the dark corners of the Internet that creates an opportunity for detection, even if an exact file signature is not available.
This leads to a couple of important security points, these modern suites only really work if the whole suite is installed, and enabled within a suitable framework, and secondly such suites needs to be managed throughout their life to make sure they continue to deliver the required level of protection. An example of this point is that the anti-malware client itself might contain vulnerabilities and the need to patch your all security software needs to be considered alongside patching your operating systems and applications.
Then there is always the cloud to think about. Antivirus has made use of cloud services long before they were called that for tasks such as the download of signature updates. Over the past few years much more interesting use is being made of cloud services for anti-malware. The cloud can support anti-malware software running on a client, for example by checking against cloud databases for a files reputation or a files source or to some extent replace it by forcing all Internet traffic through a proxy server. The cloud proxy server will have the latest signatures, reputation data, black lists etc continuously refreshed.
There have been, and remain all sorts of ideas to protect client computers using technology that doesn’t rely on the end point itself, especially when that client is virtualised. To be really effective in delivering the protection needed a complex local client is still needed. Laptops need additional thought, exposed to so many more threats than a data centre supported virtual desktop.
I think we can be forgiven for occasionally referring to these modern solutions by the old name of antivirus, and the next time a salesman tells you AV is dead just think what else can work with application level encryption, third party removable storage and airport hotspots hundreds of miles away from friendly network.