Is Anti-Virus Dead? « Aggressive Virus Defense

Is Anti-Virus Dead?

Frequently speakers will pronounce the typical virus detection scheme of pattern matching “doesn’t work” and (for dramatic emphasis or hyperbole) is “dead.” The argument is that pattern files miss so many malicious files. See, for example, Eighty percent of new malware defeats anti-virus, wherein

the general manager of the Australian Computer Emergency Response Team (AusCERT), Graham Ingram, told the audience that popular desktop anti-virus applications “don’t work”.

“At the point we see it as a CERT, which is very early on — the most popular brands of anti-virus on the market … have an 80 percent miss rate. That is not a detection rate that is a miss rate.

“So if you are running these pieces of software, eight out of 10 pieces of malicious code are going to get in,” said Ingram.

This should not be a surprising finding. The population of malware that Graham Ingram drew samples from is the population of newly-released malware samples. As Ingram points out, malware developers test their variants against anti-virus software to avoid detection using current pattern files. They have many tools at their disposal, and can obfuscate their threat to evade pattern matching systems. That is, the samples were designed to avoid detection and many (80%) were successful.

The leap from “misses 80 percent of newly released malware samples” to “doesn’t work” or “is dead” does not get clarified.

Ryan Naraine (in Anti-Virus Is Dead, D-E-A-D, Dead!) cites Mr. Williams as justification for his claim that:

The spyware guys are having a field day playing — and winning — cat-and-mouse with AV vendors. Quick spam run with a new Trojan; sit back and watch the AV guys scramble to ship signatures; tweak the code, send another spam run, watch and giggle as another round of .DAT files get built; repeat, rinse, dry.

Similarly, Amrit Williams blogged that Anti-virus is Dead.

Stand-alone, signature-based, anti-virus is dead. The stand-alone anti-spyware market is over too, if it even existed!
Signature based AV isn’t protecting anyone anymore, it certainly wasn’t providing any protection against spyware or some of the nastier threats that have popped up recently.
…
Bottom Line: By the end of 2007 stand-alone AV will be dead, d-e-a-d, dead! Organizations need to evolve their client security programs or expect to see increased costs as the number of agents continues to rise.

Amrit Williams argues that because anti-virus isn’t detecting new variations of threats, its isn’t providing any protection. Mr. Williams also argues that if a system is compromised, it provides no protection from outbound (botnet) traffic and does not detect rootkits that have been installed.

In an August 2009 whitepaper, Cyveillance reports that anti-virus vendors are generally unable to detect that day’s newly released malware.

As the results show, even the most popular AV solutions detect less than half of the latest malware threats. So if you visit a malicious Web site you could have a more than 1 in 2 chance of being infected with malware.

This should not be a surprising finding. What is surprising is that signature-based, preventative methods fared as well as they did against newly-released malware.

A SANS handler diary posting “Is Anti-Virus Dead?” by John Bambenek argues that

anti-virus by its very nature is reactive… it will only block against known threats.

That is its role. Anti-virus software blocks against known threats. The virus pattern updates are reactions to known threats. Once deployed, anti-virus software provides defensive protection against known threats.

Mr. Bambenek also points out that anti-virus solutions never have been sufficient. Exactly.

Chris Brenton has a “Why anti-virus is dead presentation” posted.

In Introducing Stealth Malware Taxonomy, Joanna Rutkowsky provides an image of anti-virus vendors:

The A/V industry has developed lots of mechanisms to determine whether a given executable is “bad” or “good”, such as behavior monitoring, sandboxing, emulation, AI based heuristics and not to mention all the signature based approaches.

In Rutkowska: Anti-Virus Software Is Ineffective (Ryan Narain in e-week October 26, 2006). Ms. Rutkowsky had demonstrated Blue Pill at Black Hat. At the presentation and in the interview, Ms. Rutkowsky explained how undetectable some attacks can be. She, too, seems to have expectations about anti-virus software that would not have been within the product specifications.

I’m not very impressed with existing anti-virus solutions, especially for the Windows platform. They all concentrate on finding “the bad” instead of verifying that system is in a “good” shape.

So, we can see very sophisticated technology employed by anti-virus products to handle various .exe-packers and decide whether the .exe file in question is “good” or “bad.”

The problem: Over the years, anti-virus vendors have adopted more and more responsibility for detecting various forms of malware. An anti-virus vendor who restricted their scope to viruses (employing the SANS definition of virus, where malicious code attaches to trusted code) would have no customers. The customer expectation is to detect worms, Trojan Horse programs, spyware, at least some of the hacking tools. If enough customers complain that their hackings tools have legitimate uses, the anti-virus vendor will drop detection. Anti-virus vendors face legal challenges when they detect Trojan Horse programs. After all, the user chose to install the program (invited the Trojan Horse in). The vendor of the Trojan Horse program can accuse the anti-virus vendor of restraint of trade, as in Zango v. Kaspersky.

Through this scope creep, customers have come to rely upon anti-virus software to enforce the detection of a vague set of out-of-bounds software. Anti-virus vendors willingly encourage this attitude. Disappointment arises when vendor and customer don’t share expectations.

People sometimes choose to install a keylogger to monitor their child’s, spouse’s or employee’s activity. Should anti-virus vendors detect keyloggers, such as Perfect Keylogger, as malware? Someone needed to choose to install Perfect Keylogger, and it is detected as malware but many anti-virus vendors. Competitors, such as Spector Pro, KeyHost, and E-Blaster are not detected as malware.

Presentations, such as Reality Check: Emerging Information Security Threats, show the lengths that attackers go to in an effort to get money. Malware is often employed. It is evident that anti-virus software alone is not sufficient, but it is also evident that anti-virus software is always part of your defenses.

The “Is Anti-Virus Dead?” speculation relies upon expectations that are not shared. If the expectation is that anti-virus software using pattern matching (including heuristics) should always be a sufficient defense, that it should always detect new malware, then that expectation will not be met. Instead, anti-virus software should be supplemented with other measures.

For example, the new malware variations do not reflect new vulnerabilities. The new malware variations are attempts to avoid existing pattern detection of previous exploits. If the vulnerabilities have been mitigated (typically by patching), then the new and undetected malware variations that anti-virus software does not yet detect have no effect.

Bear in mind your preventative and defensive measures:

Patch vulnerabilities.
Use anti-virus software with pattern matching technology to detect known exploits of vulnerabilities, even those you have patched. Prevent the exploits from executing, even those that will fail because the vulnerability has been patched.
Block access to known malware distributors.
Remove unnecessary services and ports.

Supplement these preventative measures with reactive discovery measures.

Use behavioral analysis technology to (among other things) detect unknown exploits of unpatched vulnerabilities. See Using Behavioral Analysis To Discover Undetected Malware.
Use analysis technologies that do not require behavioral analysis, such as those described in “What’s Different About This Approach?” to detect unknown exploits of unpatched vulnerabilities.

Do not confuse the preventative role of pattern matching anti-virus technology with the reactive role of behavioral analysis.

Restore a compromised system to a trustworthy state by reimaging it or using one of the methods described in “Alternatives To Reimaging“. Specifically, do not rely upon virus cleaning measures, for reasons described in “Can You Clean a Virus?“.

This entry was posted on Thursday, June 25th, 2009 at 5:39 pm and is filed under Virus. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Is Anti-Virus Dead?”

Using Behavioral Analysis To Discover Undetected Malware « Aggressive Virus Defense Says:
July 8, 2009 at 9:26 am | Reply
[...] Analysis To Discover Undetected Malware This post exists to flesh-out an outline in “Is Anti-Virus Dead?” The [...]
Revisiting Incident Response « Aggressive Virus Defense Says:
December 14, 2009 at 11:11 am | Reply
[...] Anti-Virus: Note the changed role of Anti-Virus. Its role in Prevention and Recovery is diminished, but its role in Detection is (or should be) more significant. Not “dead“. [...]

Articles

Compliance and Guidance

American Recovery and Reinvestment Act (ARRA) of 2009 Expands HIPAA to protect patient health information.

BreachPrep.org Not if, but when. An incident response plan and notification requirements.

California Security Breach Information Act (CA-1386) Agencies, persons and businesses and their privacy obligations, with similar regulations in 44 states and the District of Columbia

Children's Online Privacy Protection Act of 1998 Privacy, deceptive practices

Control Objectives for Information and related Technology (COBIT) guidance materials for IT governance

Electronic Signatures in Global and National Commerce Act 15 USC Chapter 96 Enforcability of electronic signatures, retention of records

European Network and Information Security Agency (ENISA) Publications, including the CERT Exercises Handbook and Toolkit

GovCert.NL the Computer Emergency Response Team for the Dutch Government, home of awareness products such as movies, our annual reviews, trend reports, Cyber Crime manual and “Cert in a box”.

Gramm-Leach-Bliley Act (GLBA) AKA Financial Modernization Act of 1999; customer privacy protection, notification of privacy protection, management liability; employee training

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Kennedy-Kassebaum; privacy compliance, not just a health care issue

Information Technology Information Sharing and Analysis Center (IT-ISAC) Public section with best practices, news, references and a suspicious file submission vehicle. Private section for organizations

ISO 27001 Online Security Management Standard

ISO 27001 Security Promotes and explains the ISO/IEC 27000-family of information security standards and provides resources.

IT Infrastructure Threat Modeling Guide provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (S

NIST 800-53 rev 2 Recommended Security Controls for Federal Information Systems

NIST Computer Security Resource Center Guidance

NIST CSRC FISMA Implementation Project National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Federal Information Security Management Act (FISMA)

NIST: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Introductory? A detailed risk management guide, using HIPAA to give the abstract subject some substance.

Payment Card Industry (PCI) Data Security Standard (DSS)

Payment Card Industry (PCI) Data Security Standards (DSS) See “Roadmap to PCI Compliance” for an implementation plan

RCW 19.255 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (businesses)

RCW 42.56.590 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (agencies)

Role-Based Access Control (RBAC) and Sarbanes-Oxley Compliance

Sarbanes-Oxley Act of 2002 (SOX) Fraud and accountability. Section 404: Audit internal controls.

Security Content Automation Protocol (SCAP) SCAP is a specification established by NIST for expressing and manipulating security data in standardized ways.

Society of Payment Security Professionals – Complaince Demystified Secure Payments, PCI DSS, Regulatory Compliance Blog

Statement on Auditing Standards (SAS) 70 Compliance Resource Guide Internal Controls, compliance audit for assessing the internal control framework on service organizations that provide critical outsourcing activities for other entities.

Truth To Power Compliance and guidance research and advisory community

U.S.-EU Safe Harbor Framework privacy requirements when U.S. organizations do business in the EU

Current threat news

AV-Test.org See their collection of LINKS Anti Virus, Anti Spyware, Personal Firewalls, Security Suites, Corporate Editions, Online-Scanner, Virus Infos, Virus Libraries, Security Blogs AND their Update Frequency of Anti-Virus Software (number of updates in the past

Bad Mal Web Russian Business Network (RBN) where are they now?

Banking Information Security News Need security breach horror stories? The ones everyone hears about?

CERTStation News Threat Management Advisory (TMA) Summary of recent activity

CircleID Breaking Internet News, Opinions and Blogs

Cyber-TA (Threat Analytics)

Dark Reading Information Week Business Journal

Department of Homeland Security (DHS) Daily Open Source Infrastructure Report

Department of Homeland Security News email or RSS

DShield Mirror of ISC. ISC uses the DShield distributed intrusion detection system for data collection and analysis. Submit firewall logs here.

Emerging Threats More real threats that mainstream media doesn’t cover, with SNORT signatures and firewall rules

Exploit-db Vulnerabilities. Take vulnerabilities seriously, and if it takes damples to become serious, then look here.

ExtremeTech News, 802.11 tips

GNUCITIZEN

HostExploit Current threat news

Hosts News More real threats that mainstream media doesn’t cover

hpHosts Malicious URL list

Immunity CANVAS Early Updates You may not be able to afford their test tool, but you may wish to follow the exploits as they appear.

Malware Advisor

Malware Block List Collects links to malware

Malware Domain List (MDL) WARNING: All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.

Malware Patrol Malware Patrol is a free, automated and user contributed system for verifying URLs for the presence of Viruses, Trojans, Worms, or any other software considered Malware.

Malware Web Threats More real threats that mainstream media doesn’t cover

MalwareURL Malicious URL list

NIST's CVE database

Offensive Computing Submit a suspicious file AND more real threats that mainstream media doesn’t cover

SANS Internet Storm Center (ISC) SANS

Security Wizardry Computer Network Defence Operational Picture from Talisker Computer

SecurityFocus Bugtraq mailing list

Shadowserver Foundation Bot and botnet statistics and whitepapers, malware definitions,

Spyware Sucks More real threats that mainstream media doesn’t cover

Spyware Warrior

SpywareGuide

SRI Inc Malware Threat Center Most Aggressive Malware Attack Source and Filters, Most Effective Malware-Related Snort Signatures, Most Prolific BotNet Command and Control Servers and Filters, Most Observed Malware-Related DNS Names, Most Effective Antivirus Tools Against New Malware B

Stop Badware

sudosecure.net More real threats that mainstream media doesn’t cover

Team Cymru Research NFP a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure. By researching the ‘who’ and ‘why’ of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems.

TeMerc Internet Countermeasures Emerging Security Threats and News

The H (formerly Heise Online UK) News, more Linux orientation than many

Threatpost Kaspersky’s consolidated web threat news

Twitter: Elcomsoft

UnderForge of Lack More real threats that mainstream media doesn’t cover

US-CERT

Washington Post Security Fix column by Brian Krebs

Subscriptions

Tools

Adeona On hold. Free service to track stolen laptops.

Avira Antivir Rescue System Rootkit hunter

Blat A Win32 Command Line SMTP Mailer

BotHunter IDS-ish botnet scanner from SRI International

DIFRwear RFID blocking wallets

DTSearch Text Retrieval and Full Text Search, instantly search terabytes of text

Flawfilder Scan source code for possible security weaknesses

FortiClient Endpoint Security Suite Standard edition, free Firewall / VPN security, Antivirus and Malware protection, Web Filtering, Endpoint Control and WAN Optimization

Freeware utilities

Gargoyle malware discovery across large file systems

Gmer Rootkit hunter

GNU Utilities for Win32 Including grep

IceSword Detect keyloggers, rootkits

KeePass Password Safe free, open source, light-weight and easy-to-use password manager for Windows. You can store your passwords in a highly-encrypted database, which is locked with one master password or key file.

Lenny Zeltser Cheat Sheets nothing wrong with having these cheat sheets on hand at all times.

log2timeline Root cause analysis. Review many Windows artifacts to construct a sequence of events

Maltego Maltego collects publically available information about you, your company, your phone number, and many more.

Malwarebytes' Anti-Malware Malware discovery

Mandiant Red Curtain by Nick Harbour, search for suspicious files

Microsoft Fiddler Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-base

Microsoft Office enhancements Free from Microsoft

Microsoft Security Essentials Antivirus

Microsoft Windows SteadyState Microsoft utility to reset a shared access computer

Microsoft Windows SysInternals PsExec, ProcessExplorer, Process Monitor, FileMon, DiskMon, RegMon, AutoRuns, and so forth

Microsoft's free software Ultimate List of Free Windows Software from Microsoft

Microsoft's Security Tools Part of Security TechCenter. Assess vulnerabilities and strengthen security with these tools and technologies.

Microsoft's Solution Accelerators “IT Compliance Management Guide” “Security Compliance Management toolkit”, “Malware Removal Starter Kit: How to Combat Malware Using Windows PE”, “Windows Server 2008 Security Guide” (and Vista and XP Security Guides), for example

Microsoft's Windows Server 2003 Resource Kit Tools a set of tools to help administrators streamline management tasks such as troubleshooting operating system issues, managing Active Directory®, configuring networking and security features, and automating application deployment.

Nagios IT Infrastructure monitoring

Nessus Nessus Vulnerability Scanner from Tenable Network Security

nmap “Network Mapper” at insecure.org, a free and open source utility for network exploration or security auditing.

OpenDNS Trustworthy DNS servers and optional content filtering

PBX in a Flash the Lean, Mean Asterisk Machine

Prevx Prevx Edge rootkit hunter

Quintessential Network Tools Page, The mobrien.com DNS, Routing, Calculators, Performance, Security

Robtex Internet toolkit

Script Decoder Decode JScript, ASP pages, VBScript obfuscated with Microsoft’s Windows Script Encoder (screnc.exe)

Scuba by Imperva a free, lightweight java utility that scans (Oracle, IBM DB2, Microsoft SQL Server, and Sybase) databases for known vulnerabilities and configuration flaws

Secunia PSI Inventories your system to determine if any software has security vulnerabilities with vendor patches. (free)

Security xploded Tools and articles; IE, Firefox and Chrome password decrypters, ProcNetMonitor

SlavaSoft FSUM Hash (Message Digest) or Checksum calculator in a command line with wild cards and recursion (free)

SlavaSoft HashCalc Hash (Message Digest), CRC, and HMAC calculator in a GUI (free)

Splunk Time-based log review. Consolidates logs from any product.

Swatch Event log monitoring

Tinc is a self-contained VPN solution

Trend Micro System Information Collector (SIC) All-in-one “what’s suspicious about my system?” utility

Ultimate Boot CD For Windows A bootable recovery CD that contains software used for repairing, restoring, or diagnosing computer problems.

VideoJak is an IP Video security assessment tool that can simulate a proof of concept video interception or replay test against a targeted, user-selected video session.

Wireshark (formerly Ethereal) Network Protcol Analyzer

Xirrus WiFi Inspector Xirrus Wi-Fi Inspector and Xirrus Wi-Fi Monitor Gadgets/Widgets to troubleshoot 802.11 and detect rogue access points

Aggressive Virus Defense