As for heuristics: they are an often misunderstood aspect of AV technology (again, mostly because of the marketing). They are not magic and are equivalent to a more permissive signature (for example one heuristic might be to flag executables which contain the algoritm to use \Device\PhysicalMemory to remove themselves from the process list). They detect “new” malware only in the sense that the detected malware wasn’t seen by a human virus analyst, but it is still based on “old” and well understood technologies. This means that heuristics can be evaded at least in two ways: (a) using new technologies or (b) hiding the usage of old technologies.

AV on company desktops is really overkill (IMHO) and also less secure than a good whitelisting product. Whitelisting is a simple and efficient way to provide a 99.99% protection and is easily applicable in a corporate environment where there is an IT department. AV products are more suitable for home users who don’t have the necesarry knowledge to decide if a piece of software is legit or not and want to run a wide variety of code on their machines.

Finally I would like to apologize if I offended you with the word “overengineered”. The truth is that I don’t have experience in managing / supporting large corporate networks, but I imagine that if I had to I could sleep sound knowing that a whitelisting solution is in place and not complicating myself if IDS’s/IPS’s.

Regarding AV; I agree that in its current state it is a reactive technology and that is the whole problem. Its time that intrusion prevention gets their peanut butter stuck in AV’s chocolate. ‘Heuristics’ or similar technology in AV is key to the future of the product.

Regarding our security infrastructure being over-engineered, I haven’t heard that one before! I might understand your thinking the home-brewed IDS backing up the retail IPS might be overkill but it isn’t simply because they perform similar duties in different ways:

1. The retail IPS is a best-in-class solution that does deep-packet inspection and protocol analysis and has the ability to act on packets.

2. The home-brewed IDS monitors for deny statements based on firewall rules (configured as you said, default deny) and alerts on 3 pre-defined thresholds of X, Y and Z events.

The home-brewed IDS is much faster than the IPS because it is doing much less.

Not to mention the fact that the IPS doesn’t block a worm’s scan, only the payload delivery. Therefore with the IDS, we get a warning at the scanning phase of the worm (as long as the scans are blocked by the firewall).

First a suggestion: there are two other sites out there (that I know of) similar to Virustotal (although VirusTotal is the coolest and most actively developed one). You can use them if VirusTotal has an outage.

Second of all, in my opinion you seem to fall in the trap of the marketing people of the security vendors when you blame AV’s for not caching the given bot. AV technology is a reactive one by its nature and the whole “you can be safe just by installing our product” is propagated by the marketing department with no real technological foundation (as you just found out). Congratulation to you for having such detailed detection mechanisms which made possible to (a) find out that there is a problem and (b) get detailed data about it, but isn’t it a little overengineered? By creating a default deny policy for everything not sanctioned by the IT department these things can be easily avoided. While I realize that creating a whitelist might sound complicated and in some cases very difficult (how do you tell the CEO that s/he cant install games on her/his laptop?), ultimately it is the safest approach and will prevent 99% of the malware out there.