Your AV sucks and you know it…
I’ve been conscious of the inadequacies of our AV solution for a while now and have dedicated FY08 to fixing that. However, there isn’t really an easy answer to the question of what to do about the fact that our AV sucks. Do I buy a similar solution from a different vendor? Do I scrap AV altogether and try a completely new approach? What would that approach be?
Anton Chuvakin’s friend did an ad-hoc experiment in which he tested a number of malicious executables rounded up on a University network. He used Virustotal.com to scan the malware and found that the best software detected 50% of the malware and the worst only detected 2%.
That seems to confirm what I’ve been finding in my environment as well…our AV sucks. Our HIPS software is identifying more malware than our AV software is.
What we’re doing right now is band-aid’ing our AV with least privileges in user land, HIPS software on our laptops, draconian filename filters on email attachments (this is actually pretty successful), and IPS/UTM units. Meanwhile I’m watching Sunbelt software and anxiously waiting for them to spin off their VIPRE engine into a standalone solution so that I can test drive it…
I’d be interested to hear how others are dealing with the problem.
By the way, that last link to Sunbelt is a very good read about why current AV is in the state it’s in. Set aside some time and read it…
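The attachment filename filter mentioned above is the one control the post says is actually working. As an added example, not code from the original post, here is a Python version of that kind of “draconian” rule: it normalizes the name, then rejects the attachment if any dotted segment matches a blocked extension (so double extensions such as “invoice.pdf.exe” fail) or if the name has no extension at all. The extension list is a constructed starting point, not a recommendation of a complete policy.

```python
import unicodedata

# Extensions that should never arrive as mail attachments in this environment.
# Constructed list for the example; tune it to local policy.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}


def normalize_filename(name: str) -> str:
    """Lower-case the name, drop non-printing characters (Unicode category C*)
    and trim surrounding spaces, so cosmetic variants are judged the same way."""
    cleaned = "".join(
        ch for ch in name if not unicodedata.category(ch).startswith("C")
    )
    return cleaned.strip().lower()


def is_blocked(name: str) -> bool:
    """Draconian rule: reject if ANY segment after the first dot is a blocked
    extension, so 'report.pdf.exe' and 'report.exe.txt' both fail, and reject
    names with no extension or with nothing before the first dot."""
    parts = [p.strip() for p in normalize_filename(name).split(".")]
    if len(parts) < 2 or not parts[0]:
        return True
    return any(p in BLOCKED_EXTENSIONS for p in parts[1:])


def filter_attachments(names):
    """Split a message's attachment names into (allowed, rejected) lists."""
    allowed, rejected = [], []
    for n in names:
        (rejected if is_blocked(n) else allowed).append(n)
    return allowed, rejected
```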

Looks like there is some confusion: I didn’t do the experiment myself; my friend did.
By Anton Chuvakin on 04.02.07 5:11 pm
AV makes more sense when you wrap your head around it being “prevention” in a “reactive” sort of way. It definitely is not meant to be otherwise, and I think that’s been a big marketing/hype problem for AV for many, many years.
AV does have a benefit in that it can detect known issues (and some unknown ones that meet certain behaviors if you’re lucky), but that’s really all it is and ever has been.
Do I use it at home? Not on my nix boxes. Would I ever advise a company to ditch it to save some money? Never. The worms of yesteryear still seem to find their ways to the tips of user fingers…
By LonerVamp on 04.02.07 5:59 pm
Some good points! I also forgot to mention having AV on the email gateway to catch as many nasties before they hit the host. Again, putting as much security into the network itself and at the gateway(s) to help keep them off the end point is key.
Another trick is to restrict the file types your users can write to your servers. If they have no need to write executable files to your file servers, don’t let them!
By Michael on 04.02.07 8:42 pm
one theory: one av engine/vendor on incoming (http, smtp, im, ftp) and another on hosts.
I am a fan of Antigen, which allows 1/2 a dozen or so engines at the same time (now owned by Microsoft… so creds to them in knowing the best AV software for email).
Also, don’t know if other vendors have this yet, but McAfee EPO (AV policy server) can put rogue host sensors on a few clients in each subnet which will find and log hosts w/o AV… helping you get that last few nines of coverage.
Been watching the NAP/NAC space (mostly reading Microsoft, Cisco, and McAfee) and it may get you closer to what you desire. Working with your Cisco gear, it can keep your “unclean” hosts in a restricted vlan until they pass your tests. From what I’ve seen you can take it as far as you like… validating the latest patches, AV, etc.
Still doesn’t fix the bad engine issue though.
By sonicbum on 04.03.07 7:31 am
I like AV on the network choke points still, like mentioned about email gateways. I still think security really wants to move to the network, but the widespread technology people want on systems is really putting pressure against that. :\
By LonerVamp on 04.04.07 12:02 pm
[...] I checked the network IPS and found no alerts for the host, so I downloaded the file to my test workstation (a parallels host, go virtualization!) and scanned it with our AV and of course it didn’t detect anything. Virustotal.com was down at the time so I couldn’t upload it to have it scanned, so I decided to open a port on the firewall for the host so I could capture a full TCP session with the machine it was trying to talk to on port 7654 and lo-and-behold it joined an IRC channel and checked in as a bot (see the sample window below). [...]
By mcwresearch.com » Evaluating malware from a network perspective on 05.01.07 9:55 pm
[...] posted an article back in April of ‘07 bemoaning the piss-poor performance of current antivirus technology and [...]
By mcwresearch.com » Your AV *still* sucks and you know it… on 01.03.08 10:01 am