Modern Antivirus Sucks

It's about time antivirus software as we know it gets a steroid injection.

Anyone who has recently uploaded a suspect file to VirusTotal.com knows that in most cases only a few of the AV engines produce consistent results. The other day I came across some malicious behavior being blocked by my HIPS software. I uploaded the misbehaving executable to virustotal.com and only DrWeb detected malicious software. WTF is DrWeb!?

I'm afraid I'm guilty of becoming complacent with the AV solution we have deployed at work and, to be honest, our HIPS seems to be identifying more malware these days than our AV software, and the HIPS isn't 'armed' with virus definitions.

Earlier this year, Jan Monsch conducted an experiment to test antivirus gateways. To perform the test he embedded the EICAR test files and a Netsky variant into six different Word file types and a zip file. He then used VirusTotal.com to test 27 different AV engines. The results were less than encouraging. According to Jan:

When looking at the alternative file formats we can see that not half of the scanner products are fit to detect the malicious embedded objects.

The main point of Jan's research is that alternate Word file formats are still a viable attack vector because the vast majority of antivirus vendors are unable to decode the format and detect a virus.

We’ve had Word file formats for how long!?

Enterprise-class AV hasn't had any major advances for quite a long time. Here's something the AV folks can learn from the HIPS folks: node-to-node communication. When node X discovers malware, it should communicate this to all other nodes on the network so they can add that file to their list of 'off limits' files. This will help nodes that, for whatever reason, don't have the most recent definitions. It would especially help if the malicious file was found on a network share.

Alert aggregation and event correlation would be an awesome feature in a centrally-managed AV solution. Imagine a virus is blasted to your entire organization and 60% of your users have it sitting in their email inbox. Now imagine that when five or six of these hosts' AV software detects the virus, the management system correlates that and in turn sends an email or pager alert to the IT staff so they can remove the file. Better yet, why not combine node-to-node communication with event correlation and have the management system not only notify IT staff, but also push a new 'off limits' list to all nodes so additional hosts can't open the file?
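The correlation step proposed above, as an added example that is not from the original post: a small Python correlator that counts distinct hosts reporting the same file hash inside a time window and, once the count reaches the threshold (five here, as in the post), returns the two actions, an alert for IT staff and a new 'off limits' list to push to every node. Host names, hashes, the window size and the event feed are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: host names and file hashes are made up for this example.
HASH_A = "sha256:aaaa...mass-mailed-attachment"
HASH_B = "sha256:bbbb...one-off-detection"
SAMPLE_EVENTS = [            # (seconds since start, reporting host, hash of detected file)
    (0,   "ws-01", HASH_A),
    (60,  "ws-02", HASH_A),
    (90,  "ws-03", HASH_B),  # lone hit on a different file, never correlated
    (120, "ws-03", HASH_A),
    (180, "ws-04", HASH_A),
    (240, "ws-01", HASH_A),  # repeat from ws-01: same host, not a new one
    (900, "ws-05", HASH_A),  # everything before this is now older than the 600 s window
    (920, "ws-06", HASH_A),
    (940, "ws-07", HASH_A),
    (960, "ws-08", HASH_A),
    (980, "ws-09", HASH_A),  # fifth distinct host inside the window -> outbreak
]

class Correlator:
    """Turns per-host AV detections into outbreak alerts and a shared block list."""

    def __init__(self, threshold=5, window=600):
        self.threshold = threshold            # distinct hosts needed to declare an outbreak
        self.window = window                  # seconds; older detections no longer count
        self._last_seen = defaultdict(dict)   # file hash -> {host: last detection ts}
        self._blocklist = set()               # hashes every node should refuse to open

    def ingest(self, ts, host, file_hash):
        """Record one detection; return the actions the console should take now."""
        hosts = self._last_seen[file_hash]
        hosts[host] = ts
        for stale in [h for h, t in hosts.items() if ts - t > self.window]:
            del hosts[stale]                  # forget detections outside the window
        if len(hosts) < self.threshold or file_hash in self._blocklist:
            return []                         # below threshold, or already handled
        self._blocklist.add(file_hash)
        return [("notify", file_hash, sorted(hosts)),
                ("push_blocklist", self.blocklist())]

    def blocklist(self):
        return sorted(self._blocklist)

def replay(events, threshold=5, window=600):
    """Feed events in order; return [(ts, action), ...] and the final block list."""
    c = Correlator(threshold, window)
    fired = [(ts, a) for ts, host, h in events for a in c.ingest(ts, host, h)]
    return fired, c.blocklist()
```

With the default settings the first four hosts' detections age out before the fifth arrives, so the alert fires only at the 980 s event; lowering the threshold to three fires it at the 120 s event instead.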

Wow, AV innovation…what a breath of fresh air THAT would be.


Same issue with us. Had an actual virus slip through in email, uploaded it to the same site and found quite varying results. We were quite shocked now that something like virustotal.com empowered us to see what 'other scanners thought'. Other than getting Microsoft Forefront Antigen http://www.microsoft.com/antigen/default.mspx which has multiple scan engine abilities… not sure what the enterprise is able to do.

Jan said in his article – you can evade AV detection, so when you can't detect a virus or trojan, what will you correlate? If you have even 10% of stations already infected with some virus/trojan and the total number of workstations is 10000, how will you recover?
Max.

Max-

You are very right, the correlation feature certainly does need to come after they tune and optimize the detection engine. I wasn't saying those features are needed now. Rather, they are an innovation that should be added only after they have a successful detection engine that isn't as easily evaded.

And for your second question, if we have 10% of our user base infected, that's a pretty big outbreak. My response is the same regardless of the total workstations, but it depends on the type of bug that did the compromise. If it's a network scanning worm I'd have the IT folks burn CDs with all the necessary remediating tools, then physically unplug the compromised hosts for repair.

If the compromise impacted security software, like disabling AV scanners, or it installed a backdoor/bot, I'd recommend a complete rebuild. It's a lot of work but sometimes necessary when you have a deep compromise.

In cases like these, it's always good to have draconian egress filters on your firewalls. Many times that will block and alert you to the program trying to phone home.