AV must innovate or die

One of the things I’ve been doing with my HIPS software is taking a closer look at my AV protection, or lack thereof. I have HIPS on roughly 300 hosts on my network, which is a slice of about one fifth of my entire host population. I have the HIPS software pulling selected events from the event logs of the hosts and aggregating them into the HIPS logs, where I can pore over them.

In the last 24 hours, 2% of the hosts reported an inability to monitor for viruses in real time and there were 50 alerts warning of the inability to open a file due to ‘decomposer engine’ problems (extensions included .cab, .zip, .rar, .exe and more).

I’m not sure which worries me more, the fact that 2% of my hosts have absolutely no real-time protection or that those that do have protection are having serious problems analyzing potential threats…
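The kind of check the two paragraphs above describe, as an added example that is not part of the original post: a small aggregator over AV health events pulled from host event logs, reporting which hosts currently lack real-time protection and counting decomposer failures by file extension. The event lines, the `host|source|message` layout and the message wording are constructed for the illustration and are not a real HIPS or AV export; the fleet size of 300 is taken from the post.

```python
"""Added example: summarize AV health events that a HIPS agent has pulled
from host event logs. Event lines and wording are constructed for the
illustration; they are not a real HIPS or AV export."""
from collections import Counter
import os
import re

# Constructed sample: host|source|message, in the order the events arrived.
SAMPLE_EVENTS = """\
ws-0012|AV|Real-time protection started
ws-0013|AV|Real-time protection failed to start: service error
ws-0014|AV|Decomposer engine unable to open file C:\\Users\\a\\setup.exe
ws-0014|AV|Decomposer engine unable to open file C:\\temp\\archive.zip
ws-0015|AV|Definitions updated
ws-0016|AV|Real-time protection failed to start: driver not loaded
ws-0017|AV|Decomposer engine unable to open file D:\\in\\data.rar
ws-0018|AV|Decomposer engine unable to open file C:\\t\\pkg.cab
ws-0019|AV|Real-time protection failed to start: service error
ws-0019|AV|Real-time protection started
"""

RTP_FAILED = re.compile(r"real-time protection failed", re.I)
RTP_STARTED = re.compile(r"real-time protection started", re.I)
DECOMPOSER_FAILED = re.compile(r"decomposer engine unable to open file (.+)$", re.I)


def parse_events(text):
    """Split host|source|message lines into tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, source, message = line.split("|", 2)
        events.append((host.strip(), source.strip(), message.strip()))
    return events


def summarize(events, fleet_size):
    """Return the hosts whose most recent real-time protection event is a
    failure, that set as a percentage of fleet_size, and decomposer failures
    counted by file extension.

    Events are processed in arrival order, so a host that failed and later
    recovered (ws-0019 above) is not reported as unprotected."""
    rtp_failed = {}          # host -> True if its last RTP event was a failure
    decomposer_by_ext = Counter()
    for host, _source, message in events:
        if RTP_FAILED.search(message):
            rtp_failed[host] = True
        elif RTP_STARTED.search(message):
            rtp_failed[host] = False
        m = DECOMPOSER_FAILED.search(message)
        if m:
            ext = os.path.splitext(m.group(1))[1].lower() or "(none)"
            decomposer_by_ext[ext] += 1
    unprotected = sorted(h for h, failed in rtp_failed.items() if failed)
    return {
        "unprotected_hosts": unprotected,
        "unprotected_pct": 100.0 * len(unprotected) / fleet_size,
        "decomposer_failures": dict(decomposer_by_ext),
        "decomposer_total": sum(decomposer_by_ext.values()),
    }


if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_EVENTS), fleet_size=300))
```

Tracking the last protection event per host rather than counting failures matters in practice: an agent that fails at boot and starts a minute later would otherwise inflate the unprotected count, while a host that never reports anything at all (dead agent) is not in this set and needs a separate heartbeat check.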

I can’t even begin to count the number of times my HIPS software has identified (and blocked) malicious behavior of files that many AV companies don’t detect as malicious. Simple rules such as preventing SMTP access, or preventing any FTP downloads to system root have been extremely successful in identifying malicious software and stopping any escalation of compromise or even better, preventing the core function of the malware.

AV technology is miserably inept at protecting hosts from today’s dynamic threats. The current process of getting AV definitions all the way to an end host is a joke:

  1. Identify a file to be potentially labeled malicious (there are just too many files)
  2. Analyze that file (too much human interaction)
  3. Create a signature to detect that file (which often can’t detect slight variants)
  4. Distribute that signature to customers (often only once a week)
  5. Get those signatures all the way to all enterprise assets (which have their own problems with the local AV client)
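An added example, not code from the original post, that puts the two points above side by side: the behavioural rules described earlier (deny SMTP from anything but a mail client, deny FTP downloads into the system root) and the weakness of a file signature against a slight variant (step 3 of the list). The "sample" bytes, the variant, the process names, the allowlist, the system-root path and the event trace are all constructed and inert; a real AV engine uses more than an exact file hash, so the signature side is deliberately the simplest case.

```python
"""Added example: an exact-hash signature versus behavioural HIPS rules.
Everything here (sample bytes, process names, trace, system root) is
constructed for the illustration; nothing is a real malware artifact."""
import hashlib
from collections import namedtuple

# Constructed stand-ins for a bot dropper and a slightly rebuilt variant.
ORIGINAL_SAMPLE = b"MZ\x90\x00...constructed bot payload build 1..."
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"build 1", b"build 2")

# Signature store keyed on the full-file hash of the sample that was analyzed.
SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest(): "Bot.Constructed.A"}


def signature_match(data, signatures=SIGNATURES):
    """Exact-hash signature check: any changed byte defeats it."""
    return signatures.get(hashlib.sha256(data).hexdigest())


# One host event as a HIPS agent would see it. For kind="connect" the target
# is (ip, port); for kind="file_write" it is the path written.
Event = namedtuple("Event", "process kind target")

SYSTEM_ROOT = r"C:\WINDOWS"                 # assumed system root
ALLOWED_SMTP_CLIENTS = {"outlook.exe"}      # assumed legitimate mail clients


def smtp_from_unexpected_process(e):
    """Outbound port 25 from anything that is not an approved mail client."""
    return (e.kind == "connect" and e.target[1] == 25
            and e.process.lower() not in ALLOWED_SMTP_CLIENTS)


def ftp_download_into_system_root(e):
    """ftp.exe writing a file underneath the system root."""
    return (e.kind == "file_write" and e.process.lower() == "ftp.exe"
            and e.target.lower().startswith(SYSTEM_ROOT.lower()))


RULES = [
    ("deny-smtp-from-unexpected-process", smtp_from_unexpected_process),
    ("deny-ftp-download-into-system-root", ftp_download_into_system_root),
]


def evaluate(events, rules=RULES):
    """Return (rule name, event) for every event some rule would block."""
    return [(name, e) for e in events for name, pred in rules if pred(e)]


# Constructed trace: both builds do exactly the same things once they run,
# so the behaviour is identical even though the file hash is not.
BOT_TRACE = [
    Event("dropper.exe", "connect", ("203.0.113.10", 80)),          # C2 check-in, not a rule
    Event("ftp.exe", "file_write", r"C:\WINDOWS\system32\wupdmgr.exe"),
    Event("dropper.exe", "connect", ("198.51.100.25", 25)),          # spam relay attempt
    Event("outlook.exe", "connect", ("192.0.2.5", 25)),              # legitimate mail
]


def compare(samples, trace=BOT_TRACE):
    """For each named sample: signature verdict and the behavioural rules fired."""
    return {
        name: {
            "signature": signature_match(data),
            "behaviour": [rule for rule, _ in evaluate(trace)],
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare({"original": ORIGINAL_SAMPLE,
                                  "variant": VARIANT_SAMPLE}).items():
        print(name, verdict)
```

The rules are cheap and catch the variant because they key on what the code does rather than what it is; the price is that they also fire on an administrator's FTP script or a host that legitimately relays mail, so the allowlist and the paths have to be tuned per environment before the rules are set to block rather than alert.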

Granted, the system worked well four years ago when viruses were the big threat and all they did was replicate all over the local machine and drain CPU, memory and hard drive resources. Now we have dynamic worms, which can attack a number of different vulnerabilities in order to deliver a bot payload that places the host under the control of an attacker to do any number of things, most notably participate in spam distribution. The trojans are adaptive and fast and the bots they deliver are fluid and stealthy. The technology we’re depending on to protect us from these threats is the complete opposite: cumbersome and static, antiquated and inefficient.

It’s time the AV companies get innovative and rethink the way they address malware detection and prevention.

Or just die and go the HIPS route. :D

Nice post!

Great Post.

Prepare for Kurt Wismer’s rebuttal…

/Hoff

A healthy debate is exactly what the industry needs. It seems to me the AV industry has rested on its laurels long enough. It’s time to get back in the game and get back to fighting bad guys with some new weapons.

[...] week I struck a chord with a few people when I (once again) complained publicly about the shortcomings of AV. I’ve [...]