Blog

ESF: Controls: Anti-Malware

By Mike Rothman

As we’ve discussed throughout the Endpoint Security Fundamentals series, adequately protecting endpoint devices entails more than just an endpoint security suite. That said, we still have to defend against malware, which means we’ve got to figure out what is important in an endpoint suite and how to get the most value from the investment.

The Rise of Socially-Engineered Malware

To state the obvious, over the past few years malware has dramatically changed. Not just the techniques used, but also the volume. It’s typical for an anti-virus companies to identify 1-2 million new malware samples per month. Yes, that’s a huge amount. But it gets worse: a large portion of malware today gets obfuscated within legitimate looking software packages.

A good example of this is fake anti-virus software. If one of your users happens to click on a link and end up on a compromised site (by any means), a nice little window pops up telling them they are infected and need to download an anti-virus program to clean up the attack. Part of that is true – upon visiting the site a drive-by attack did compromise the machine. But in this case, the antidote is a lot worse than the system because this new “anti-virus” package leaves behind a nasty trojan (typically ZeuS or Conficker).

The folks at NSS Labs have dubbed this attack “socially-engineered malware,” because it hides the malware and preys upon the user’s penchant to install the compromised payload with disastrous results. That definition is as good as any, so we’ll go with it.

Cloud and reputation

The good news is that the anti-malware companies are not sitting still. They continue to make investments in new detection techniques to try to keep pace. Some do better than others (check out NSS Labs’ comparative tests for the most objective and relevant testing – in our opinion anyway), but what is really clear is how broken the old blacklist, signature-based model has gotten. With 2 million malware samples per month, there is no way keeping a list of bad stuff on each device remains feasible.

The three main techniques added over the past few years are:

  • Cloud-based Signatures – Since it’s not possible to keep a billion signatures in an endpoint agent, the vendors try to divide and conquer the issue. So they split the signature database between the agent and an online (cloud) repository. If an endpoint encounters a file not in its local store, it sends a signature to the cloud for checking against the full list. This has given the blacklist model some temporary legs, but it’s not a panacea, and the AV vendors know it.
  • Reputation – A technique pioneered by the anti-spam companies a few years ago involves inferring the intent of a site by tracking what that site does and assigning it a reputation score. If the site has a bad reputation, the endpoint agent doesn’t let the site’s files or executables run. Obviously this is highly dependent on the scale and accuracy of the reputation database. Reputation has become important for most security offerings, including perimeter and web filtering, in addition to anti-spam and endpoint security.
  • Integrated HIPS – Another technique in use today is host intrusion prevention. But not necessarily signature-based HIPS, which was the first generation. Today most HIPS looks more like file integrity monitoring, so the agent has a list of sensitive system files which should not be changed. When a malware agent runs and tries to change one of these files, the agent blocks the request – detecting the attack.

So today’s anti-malware agents attempt to detect malware both before execution (via reputation) and during execution (signatures and HIPS), so they can block attacks. But to be clear, the industry is always trying to catch up with the malware authors.

Making things even more difficult, users have an unfortunate tendency to disregard security warnings, allow the called-out risky behavior, and then get pwned. This can be alleviated slightly with high-confidence detection (if we know it’s a virus, we don’t have to offer the user a chance to run it) or stronger administrative policies which authorize not even letting users override the anti-malware software. But it’s still a fundamentally intractable problem.

Management is key

Selecting an anti-malware agent typically comes down to two factors: price and management. Price is obvious – plenty of upstarts want to take market share from Symantec and McAfee. They use price and an aggressive distribution channel to try and displace the incumbents. All the vendors also have migration tools, which dramatically lower switching costs.

In terms of management, it usually comes down to personal preference, because all the tools have reasonably mature consoles. Some use open data stores, so customers can build their own reporting and visualization tools. For others, the built-in stuff is good enough. Architecturally, some consoles are more distributed than others, and so scale better to large enterprise operations. But anti-malware remains a commodity market.

One aspect to consider is the size and frequency of signature and agent updates, especially for larger environments. If the anti-malware vendor sends 30mb updates 5 times a day, that will create problems in low-bandwidth environments such as South America or Africa.

Free AV: You get what you pay for…

Another aspect of anti-malware to consider is free AV, pioneered by folks like AVG and Avast, who claim up to 100 million users of their free products. To be clear, in a consumer context free AV can work fine. But it’s not a suite, so you won’t get a personal firewall or HIPS. There won’t be a cloud-based offering behind the tool, and it won’t use new techniques like reputation to defend against malware. Finally, there are no management tools, so you’ll have to manage every device individually, which loses feasibility past a handful.

For a number of use cases (like your mom’s machine), free AV should be fine. And to be clear, the entire intent of these vendors in giving away the anti-malware engine is to entice you to upgrade to their paid products. That said, I use free AV on my remaining PC, and also in the virtual Windows images running on my Macs, and it works fine. But free AV is generally a poor fit for organizations.

White listing: disruptive or niche?

You can’t really talk about anti-malware without mentioning Application White Listing (AWL). This approach basically only allows authorized executables to run on endpoint devices, thus blocking any unauthorized applications – which includes malware. AWL has the rap of being very disruptive to the end-user experience, by breaking lots of authorized applications and the like. Part of that rep is deserved, but we believe the technology has the potential to fundamentally change how we fight malware.

To be clear, AWL is not there yet. For some use cases (like embedded devices, kiosks, and control systems), the technology is a no-brainer. For general purpose PCs, it comes back to how much mojo security has in dictating what can run and what can’t. Though there are management capabilities (like trusting certain application updates) emerging to address the user disruption issue, we believe AWL will remain a niche technology for the next 2-3 years.

But as AWL matures and the traditional ways of detecting and blocking malware increasingly fail, we expect AWL to become a key technique and appear in more and more of the existing anti-malware suites.

Layers of defense

Yet, we still default to the tried and true method of layering security defenses. Anti-malware agents cannot be the only defense against the bad stuff out there – not if you actually want to protect your devices, anyway. We’ve harped on this throughout the series, relative to the importance of using other tactics on the endpoints (including running updated software and secure configurations) and within the network to compensate for the fact that anti-malware is an inexact science. And don’t forget about the importance of monitoring everything, given that as much as we try to prevent, in many cases reacting faster is the only option we have.

Next we’ll wrap up the controls portion of this series by talking about personal firewalls, a deeper dive on HIPS, and USB device control.


Other posts in the Endpoint Security Fundamentals Series

No Related Posts
Comments

@paul, as you can imagine I have an opinion on most everything, just as my wife. ;-)

But seriously, one of the biggest impediments to AWL adoption has little to do with technology. Clearly that can improve, but regardless of how “friction-free” the technology becomes there is still the perception issue that plagues the technology. And we all know that perception is reality, especially when security managers put their reputations on the line to back a new technology. So yes, it’s certainly a mindset issue first.

But I don’t want to minimize the importance of continuing to evolve the technology both from a user-experience standpoint, as well as a management standpoint. The AWL products have evolved, but there is still work to do on that front. It’s about communication to the end user as much as anything else. There can be no doubt as to why an application fails to run, as well as mapping out the process to get approval for that specific application. Yes, most of that is probably workflow based, but it’s critical.

As mentioned in the post, I believe AWL-like functionality will become the primary anti-malware enforcement mechanism over the next 5-7 years. But getting there will be bumpy and more likely the endpoint suite players will embrace the technology under the hood to save their cash cows (the endpoint suites).

Mike.

By Mike Rothman


Hey Mike,

Most of the AWL vendors these days are building flexible ways to add applications based on some simple interrogations, rather than just maintaining a global whitelist.  (You mentioned trusting updaters; digitally signed code and trusted locations come to mind as well.)  Do you have specific thoughts on how far AWL technology needs to evolve before it is relevant to production environmnents? Or is this an evolution in mindset that will need to be realized first?

THX

—PZ

THX

—PZ

By Paul Zimski


just a quick note: some reputation systems (symantec’s notably) will alert on things that lack an established good reputation, rather than just alerting on those with a bad reputation.

also, a lot of what you correctly identify as missing from free av’s are actually available in other free products, with the exception of management functionality (because the free tools are intended for personal non-commercial use where management is generally a non-issue and the licenses often exclude anything commercial).

By kurt wismer


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.