Network worms are still effective
A good friend recently emailed me to ask if AV would protect his servers from the Conficker worm and I thought this would be a good opportunity to continue my anti-antivirus tirade.
The short answer to the question ‘will AV protect me from Conficker’ is “somewhat.” Here’s why. Below are the typical phases of a worm, starting with the initial infection, which is usually done by seeding from hosts/bots that are already under the attacker's control through other compromises:
1. Scan for vulnerable services on hosts (usually noisy and vulnerable to IPS/IDS/HIPS and draconian firewalling)
2. Compromise the vulnerable service (vulnerable to IPS/IDS/HIPS and maybe AV)
3. Have the owned service download the payload (vulnerable to IPS/IDS and AV)
4. Execute the payload (vulnerable to HIPS)
5. Repeat from step #1
Usually AV isn’t effective (or even relevant) until a file hits the system (step #3). Some AV suites have HIPS built in and may block the exploit behavior at step #2, but that is rare, as the continued effectiveness of worms makes obvious.
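Step #1 is the phase defenders get to see first: a worm sweeping for a vulnerable service looks nothing like normal traffic, because one source touches many distinct hosts on the same port in a short time. The script below is an added example, not code from the original post; it runs that heuristic over constructed flow log lines (the `timestamp src dst dport` format, the addresses, and the choice of port 445 are all assumptions made for the example) and flags sources that hit more than a threshold of distinct destinations within a sliding window, while leaving a chatty host that talks to one file server alone.

```python
"""Flag hosts that behave like a worm's scanning phase in firewall/flow logs.

Heuristic: one source reaching many *distinct* destination hosts on the same
port inside a short window is scanning, not normal traffic. Repeated contact
with the same destination does not count, so a busy client of one server is
not flagged.

The log format (timestamp src dst dport) and all addresses are assumptions
constructed for this example; they do not come from any real product.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed traffic, not a real capture: one scanner and two normal hosts."""
    t0 = datetime(2009, 1, 20, 10, 0, 0)
    lines = []
    # 10.0.0.7 sweeps 40 distinct hosts on port 445 in 40 seconds (scanner).
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.1.{i + 1} 445")
    # 10.0.0.5 hits the same file server 60 times: many events, one destination.
    for i in range(60):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.2.10 445")
    # 10.0.0.9 browses 30 distinct web hosts, but only one every five minutes.
    for i in range(30):
        ts = (t0 + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 10.0.3.{i + 1} 80")
    return lines


def parse_line(line):
    """Split 'timestamp src dst dport' into (datetime, src, dst, int port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {(src, port): peak distinct destinations} for sources that reach
    at least `threshold` distinct destinations on one port within `window`."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        events[(src, port)].append((ts, dst))

    hits = {}
    for key, evs in events.items():
        evs.sort()  # logs are not guaranteed to arrive in time order
        in_window = deque()      # events currently inside the sliding window
        distinct = Counter()     # dst -> how many window events target it
        peak = 0
        for ts, dst in evs:
            in_window.append((ts, dst))
            distinct[dst] += 1
            # Drop events older than the window measured from the newest one.
            while ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            peak = max(peak, len(distinct))
        if peak >= threshold:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    for (src, port), n in find_scanners(build_sample_log()).items():
        print(f"possible scanner: {src} reached {n} distinct hosts on port {port}")
```

The threshold and window are tuning knobs: too low and a backup server or vulnerability scanner of your own trips it, too high and a slow worm slips under it, which is why this belongs behind an IPS/IDS rather than as a blocking rule on its own.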
Your best bet is to apply the patch as soon as you can; it was released in October, so it has had plenty of vetting. Most AV does detect the payload, but AV is reactive by nature and can be inaccurate and unreliable. If AV alerts on the file, that means steps 1 and 2 have already succeeded: the service was exploited and AV only caught the download. With enough compromised hosts on your network scanning and attacking, the exploit traffic alone could DoS the service on vulnerable hosts, even though AV is catching the payload.
My main beef with AV can be read here.
There is also a lot of good information in the comments of this post where I contemplate what a future AV package could look like.
The moral of the story is that AV will help, but it should be one layer of a layered solution. The solution that has worked very well for us so far is:
- Draconian firewall rules (egress and ingress)
- IPS units backing up all firewalls to protect open ports
- Automated patch management
- HIPS software on all laptops
- Defined and practiced incident response
