Network worms are still effective

A good friend recently emailed me to ask if AV would protect his servers from the Conficker worm and I thought this would be a good opportunity to continue my anti-antivirus tirade.

The short answer to the question ‘will AV protect me from Conficker?’ is “somewhat.” Here’s why. Below are the typical phases of a worm, starting with the initial infection, which is usually seeded from hosts/bots that are already under the attacker’s control through other compromises:

  1. Scan for vulnerable services on hosts
    (usually noisy, and vulnerable to IPS/IDS/HIPS and draconian firewalling)
  2. Compromise the vulnerable service
    (vulnerable to IPS/IDS/HIPS and maybe AV)
  3. Have the owned service download the payload
    (vulnerable to IPS/IDS and AV)
  4. Execute the payload
    (vulnerable to HIPS)
  5. Repeat from step #1

Usually AV isn’t effective (or even relevant) until a file hits the system (step #3). Some AV suites have HIPS built in and may block the behavior at #2, but that is rare (obviously, given how effective worms still are).

Your best bet is to apply the patch as soon as you can. It was released in October, so it has had plenty of vetting. Most AV does detect the payload, but AV has become inaccurate and unreliable, and it is reactive by nature. If AV alerts on the file, that means steps 1 and 2 have already succeeded: the host was scanned and the service was exploited before AV had anything to look at. With enough compromised hosts on your network scanning and attacking, the load alone could DoS the service on vulnerable hosts, even though AV is catching the payload.
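Step 1 is where a network-level control gets its best shot: a worm has to touch many hosts on the same port in a short time, which looks nothing like a user opening a share. The Python below is an added example (not code from the original post) of that detection run over constructed firewall log lines; the log format, the addresses, the window and the threshold are assumptions to adapt to your own firewall. `attempts_per_target` shows the per-host load that, multiplied across many infected scanners, is the DoS the paragraph above warns about.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log format for this example; adapt LINE_RE to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(lines):
    """Yield parsed connection records, silently skipping unrelated lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "action": m["action"],
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
            }

def find_scanners(lines, port=445, window=60, threshold=8):
    """Return {src: peak_distinct_targets} for every source that touched at
    least `threshold` distinct hosts on `port` within `window` seconds.
    Denied and allowed attempts both count: the sweep itself is the signal."""
    per_src = defaultdict(list)
    for ev in parse(lines):
        if ev["dport"] == port:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= `window` seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                scanners[src] = max(scanners.get(src, 0), distinct)
    return scanners

def attempts_per_target(lines, port=445):
    """How many connection attempts each target absorbed on `port`; with many
    infected scanners this is the load that can DoS a vulnerable service."""
    counts = defaultdict(int)
    for ev in parse(lines):
        if ev["dport"] == port:
            counts[ev["dst"]] += 1
    return dict(counts)

def build_sample():
    """Constructed sample: 10.0.0.5 sweeps 10.0.1.1-20 on TCP/445 within three
    seconds (most targets DENY at the firewall, a few are reachable), while
    10.0.0.7 legitimately talks to two file servers a few minutes apart."""
    lines = []
    for i in range(1, 21):
        action = "ALLOW" if i % 7 == 0 else "DENY"
        lines.append(f"2009-01-14 09:00:{i % 3:02d} {action} TCP "
                     f"10.0.0.5:{1040 + i} -> 10.0.1.{i}:445")
    lines += [
        "2009-01-14 09:00:03 ALLOW TCP 10.0.0.7:2001 -> 10.0.1.9:445",
        "2009-01-14 09:05:00 ALLOW TCP 10.0.0.7:2002 -> 10.0.1.10:445",
        "2009-01-14 09:05:01 ALLOW TCP 10.0.0.7:2003 -> 10.0.1.10:80",
        "this line is not a connection record and is ignored",
    ]
    return lines

if __name__ == "__main__":
    sample = build_sample()
    print("scanners:", find_scanners(sample))
    print("attempts on 10.0.1.9:", attempts_per_target(sample).get("10.0.1.9"))
```

On the constructed sample only 10.0.0.5 is flagged (20 distinct targets in the window); the legitimate host never reaches the threshold. A real deployment would feed this from NetFlow or the firewall syslog and alert on the source, which is the IPS/IDS reaction the list above attributes to step 1.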

My main beef with AV can be read here.

There is also a lot of good information in the comments of this post where I contemplate what a future AV package could look like.

The moral of the story is that AV will help but should be part of a layered solution. The solution that has worked very well for us so far is:

  1. Draconian firewall rules (egress and ingress)
  2. IPS units backing up all firewalls to protect open ports
  3. Automated patch management
  4. HIPS software on all laptops
  5. Defined and practiced incident response

AV stats

Take ’em for what they’re worth; this is a collection of events logged from 277 hosts located in 12 different office locations, with five unique, central AV servers managed by five different IT departments.

The statistics have been collected over 11 days:

Number of alerts regarding a failure to open a file: 1253*
Number of alerts regarding a failure to auto-protect: 969*
Number of alerts regarding a threat found: 7

The failure to open a file is attributed, according to the event log, to “extraction errors encountered by the Decomposer Engines,” which I assume are the engines that unpack a file into something the AV software can scan, whether the file is an executable, a compressed archive, a text file, etc.

Now, is it really possible that on 277 laptops only 7 pieces of malware in total have made it all the way to the machine? I’d love to say this number is accurate and the result of defense in depth, but I’m not ready to say that just yet.

What countermeasures do we have in place that would help?

  1. Strict email attachment filters based on file extension alone
  2. ‘Coarse-grained’ AV at the spam gateway, before the email hits our servers
  3. ‘Fine-grained’ AV at the email gateway, before the email hits the inboxes
  4. IPS units protecting against web browser attacks, but only while hosts are on our network
  5. Behavioral HIPS on all laptops

Does that battery of defenses look like something that could reduce the number of threats reaching our laptops to only 7 in 11 days across 277 hosts?

That’s a pretty good success story if it’s true. However, given that we have 1,253 cases of a failure to open a file, there are potentially 1,253 files the AV never inspected at all, any of which could be malicious, not to mention the 969 alerts that the AV software is failing to auto-protect some hosts, which means those hosts had no real-time scanning to report a threat in the first place.

But as my grandpappy always says; if it seems too good to be true, it likely is too good to be true.

*The AV software logs multiple events on a single host, therefore I’ll have to distill these events to find an accurate count of the number of unique hosts or files affected.
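Distilling those raw events is straightforward once the console export is parsed. The Python below is an added example, not the author’s tooling: it uses a constructed log format and constructed sample lines, collapses repeated events into unique hosts and unique (host, file) pairs per event class, and lists the hosts whose auto-protect is down, since a host with no real-time scanning can never contribute to the “threat found” count.

```python
import re
from collections import defaultdict

# Constructed export format for this example; adapt EVENT_RE to your console's.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) event="(?P<event>[^"]+)"'
    r'(?: file="(?P<file>[^"]+)")?\s*$'
)

# Constructed sample: one host repeats the same decomposer error on one file,
# which is exactly why raw alert counts overstate how many hosts or files are hit.
SAMPLE_EVENTS = [
    r'2009-02-02 08:01:10 host=LT-0142 event="Scan Error: Decomposer Engines" file="C:\temp\drivers.cab"',
    r'2009-02-02 08:01:11 host=LT-0142 event="Scan Error: Decomposer Engines" file="C:\temp\drivers.cab"',
    r'2009-02-02 08:07:40 host=LT-0142 event="Scan Error: Decomposer Engines" file="C:\temp\setup.rar"',
    r'2009-02-02 09:12:03 host=LT-0077 event="Scan Error: Decomposer Engines" file="C:\Users\bob\archive.zip"',
    r'2009-02-02 09:30:00 host=LT-0077 event="Auto-Protect Disabled"',
    r'2009-02-02 09:31:00 host=LT-0077 event="Auto-Protect Disabled"',
    r'2009-02-03 11:45:12 host=LT-0203 event="Auto-Protect Disabled"',
    r'2009-02-03 14:02:55 host=LT-0009 event="Threat Found" file="C:\Users\alice\invoice.pdf.exe"',
]

def classify(event):
    """Map the free-text event name onto the three classes counted above."""
    e = event.lower()
    if "decomposer" in e:
        return "failed_to_open"
    if "auto-protect" in e:
        return "autoprotect_failure"
    if "threat found" in e:
        return "threat_found"
    return "other"

def distill(lines):
    """Return {class: {"events": raw count, "hosts": unique hosts,
    "files": unique (host, file) pairs}} so repeats stop inflating the picture."""
    events = defaultdict(int)
    hosts = defaultdict(set)
    files = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an event record
        cat = classify(m["event"])
        events[cat] += 1
        hosts[cat].add(m["host"])
        if m["file"]:
            files[cat].add((m["host"], m["file"].lower()))
    return {cat: {"events": events[cat], "hosts": len(hosts[cat]),
                  "files": len(files[cat])} for cat in events}

def unprotected_hosts(lines):
    """Hosts that reported auto-protect down: anything reaching them goes
    unscanned, so their absence from the threat count proves nothing."""
    out = set()
    for line in lines:
        m = EVENT_RE.match(line)
        if m and classify(m["event"]) == "autoprotect_failure":
            out.add(m["host"])
    return sorted(out)

if __name__ == "__main__":
    for cat, counts in distill(SAMPLE_EVENTS).items():
        print(cat, counts)
    print("no real-time protection:", unprotected_hosts(SAMPLE_EVENTS))
```

On the constructed sample, four “failed to open” events shrink to two hosts and three files, and three auto-protect events to two hosts, which is the kind of reduction the footnote anticipates before the 1,253 and 969 figures can be compared with the 7.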

The Future of AV?

Last week I struck a chord with a few people when I (once again) complained publicly about the shortcomings of AV. I’ve gone on record claiming the current model is broken, so what do I think will help fix it? Below are some of the ideas I’ve had for the future of AV.

  1. Shim the web browser, either between the Internet and the browser (preferred) or between the browser and the OS, so that the AV app can keep its fingers around the browser’s throat and control it.
  2. Build vulnerability protection into the browser shim so that it acts as a virtual patch, rather than the traditional AV model that looks for malware. Blocking the exploit rather than one file will be much more effective at stopping variants than malware detection is.
  3. Include a kill-bit feature to snipe malicious CLSIDs. Granted, this is signature-based, but we need a stop-gap in place while heuristic or HIPS-like technology catches up.
  4. Use P2P-like communication between AV clients within the enterprise. If a host detects a malicious file, have it send a hash of the file (MD5 is the obvious choice, though a collision-resistant hash such as SHA-256 is the safer one, since attackers can craft MD5 collisions) to all other hosts, which then block access to that file. This will also help when definition versions are out of step across the enterprise.
  5. Take advantage of worms that check for an existing local infection by duping them into thinking the host is already infected. For example, Nimda first checked whether the local machine was infected. If AV could simulate infection automatically, it could prevent an actual infection. AV is pretty useless against worms until a payload is delivered; the ability to simulate an infection could help in that earlier phase of a compromise.
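Idea 4 is the easiest to prototype, and prototyping it also shows its limit. The Python below is an added example (not from the original post or any AV product): endpoints gossip the hash of a convicted file, peers verify each alert with an HMAC over a pre-shared key, and then refuse the exact copy. The one-byte variant that slips through is the gap that ideas 2 and 3 exist to cover. The `Endpoint` class, the message format, the shared key and the sample bytes are all constructed assumptions; SHA-256 stands in for the MD5 of the list because MD5 collisions are practical, and the HMAC is there because without authentication any host (or malware on it) could push the hash of a legitimate file and take the whole enterprise down.

```python
import hashlib
import hmac
import json

# Assumption for the example: one pre-shared key per enterprise, provisioned
# with the AV client. Replace with real key management in anything deployed.
SHARED_KEY = b"demo-key-replace-with-a-provisioned-secret"

def file_hash(data: bytes) -> str:
    # SHA-256 rather than MD5: MD5 collisions are practical, and a colliding
    # benign file is exactly how an attacker would poison a shared block list.
    return hashlib.sha256(data).hexdigest()

def sign(payload: dict) -> str:
    """HMAC over a canonical JSON encoding so peers can verify who sent an alert."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

class Endpoint:
    """One AV client. `peers` is a shared roster standing in for a P2P mesh."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = peers
        self.blocked = set()
        self.log = []

    def local_detection(self, data: bytes, threat_name: str):
        """The local engine convicted a file: block it here, then tell everyone."""
        payload = {"from": self.name, "sha256": file_hash(data), "threat": threat_name}
        self.blocked.add(payload["sha256"])
        msg = json.dumps({"payload": payload, "mac": sign(payload)})
        for peer in self.peers:
            if peer is not self:
                peer.receive(msg)

    def receive(self, msg: str) -> bool:
        """Accept a peer alert only if it is well-formed and authentic."""
        try:
            wrapper = json.loads(msg)
            payload, mac = wrapper["payload"], wrapper["mac"]
            h = payload["sha256"]
        except (ValueError, KeyError, TypeError):
            self.log.append("rejected: malformed alert")
            return False
        if not hmac.compare_digest(sign(payload), mac):
            self.log.append(f"rejected: bad MAC on alert from {payload.get('from')}")
            return False
        if len(h) != 64 or set(h) - set("0123456789abcdef"):
            self.log.append("rejected: not a SHA-256 hex digest")
            return False
        self.blocked.add(h)
        self.log.append(f"blocked {h[:12]}... on word of {payload['from']}")
        return True

    def allow_open(self, data: bytes) -> bool:
        """The access check the file-system filter would apply before an open."""
        return file_hash(data) not in self.blocked

def demo():
    """Constructed scenario: host A convicts a dropper, host B learns its hash.
    Returns whether the exact copy is blocked on B, whether a one-byte variant
    is blocked, and whether a forged alert with a bogus MAC is accepted."""
    peers = []
    a, b = Endpoint("LT-0142", peers), Endpoint("LT-0077", peers)
    peers.extend([a, b])
    dropper = b"MZ" + b"\x90" * 40 + b"http://bot.example.net/c"  # constructed stand-in
    a.local_detection(dropper, "Trojan.Dropper")
    variant = dropper[:-1] + b"d"  # a repacked or edited copy: different hash
    forged = json.dumps({"payload": {"from": "LT-0142", "sha256": file_hash(b"notepad"),
                                     "threat": "fake"}, "mac": "00" * 32})
    return {
        "exact_copy_blocked": not b.allow_open(dropper),
        "variant_blocked": not b.allow_open(variant),
        "forged_alert_accepted": b.receive(forged),
    }

if __name__ == "__main__":
    print(demo())
```

The result on the constructed scenario is the expected mixed bag: the copy is blocked on a host whose definitions never mentioned it, the variant is not, and the forged alert is dropped. That is why hash gossip is a stop-gap alongside virtual patching rather than a replacement for it.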

The key is for AV R&D teams to gather in a room with a white board and start a brain-dump, thinking out of the box, leaving no trivial idea unspoken.

AV must innovate or die

One of the things I’ve been doing with my HIPS software is taking a closer look at my AV protection, or lack thereof. I have HIPS on roughly 300 hosts on my network, about one fifth of my entire host population. I have the HIPS software pulling selected events from the event logs of the hosts and aggregating them into the HIPS logs, where I can pore over them.

In the last 24 hours, 2% of the hosts reported an inability to monitor for viruses in real time, and there were 50 alerts warning of an inability to open a file due to ‘decomposer engine’ problems (extensions included .cab, .zip, .rar, .exe and more).

I’m not sure which worries me more: the fact that 2% of my hosts have absolutely no real-time protection, or that those that do have protection are having serious problems analyzing potential threats…

I can’t even begin to count the number of times my HIPS software has identified (and blocked) malicious behavior in files that many AV companies don’t detect as malicious. Simple rules such as preventing SMTP access, or preventing any FTP download into the system root, have been extremely successful in identifying malicious software and stopping any escalation of the compromise or, even better, preventing the core function of the malware.
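Those two rules are small enough to write down, which is the point: they key on what the code does, not on what it hashes to. The Python below is an added example (not the HIPS product’s rules or the author’s configuration): a constructed host-event schema, the two rules evaluated against constructed events, with the mail-client allow list and the system-root prefix as assumptions to tune per site.

```python
from dataclasses import dataclass

@dataclass
class HostEvent:
    """Constructed event schema for the example (not any product's format)."""
    host: str
    process: str        # image name of the process that acted
    action: str         # "connect" or "file_write"
    target: str         # "ip:port" for connect, file path for file_write
    source: str = ""    # for file_write: protocol the bytes arrived over

# Assumptions you would tune per site: which binaries may talk SMTP at all,
# and which path prefixes count as the system root.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SYSTEM_ROOTS = ("c:\\windows\\",)

def rule_no_smtp(ev):
    """A bot sending spam is behaviour, not a signature: only the mail client
    may open TCP/25, whatever the binary's hash or AV verdict."""
    if (ev.action == "connect" and ev.target.rsplit(":", 1)[-1] == "25"
            and ev.process.lower() not in MAIL_CLIENTS):
        return "deny: non-mail process opening SMTP"
    return None

def rule_no_ftp_into_system_root(ev):
    """Droppers fetch their next stage over FTP and plant it beside system
    binaries; nothing legitimate downloads straight into the system root."""
    if (ev.action == "file_write" and ev.source == "ftp"
            and ev.target.lower().startswith(SYSTEM_ROOTS)):
        return "deny: FTP download written under system root"
    return None

RULES = (rule_no_smtp, rule_no_ftp_into_system_root)

def evaluate(events):
    """Return [(event, verdict)] for events some rule denies; first match wins."""
    hits = []
    for ev in events:
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((ev, verdict))
                break
    return hits

# Constructed sample events: two benign, two that the rules above should stop.
SAMPLE_EVENTS = [
    HostEvent("LT-0142", "outlook.exe", "connect", "10.0.0.25:25"),
    HostEvent("LT-0142", "svchost.exe", "connect", "203.0.113.7:25"),
    HostEvent("LT-0077", "firefox.exe", "file_write", r"C:\Users\bob\Downloads\a.zip", "http"),
    HostEvent("LT-0077", "ftp.exe", "file_write", r"C:\Windows\system32\wsock.exe", "ftp"),
]

def denied_processes(events=SAMPLE_EVENTS):
    """Image names of the processes whose actions were blocked, in event order."""
    return [ev.process for ev, _ in evaluate(events)]

if __name__ == "__main__":
    for ev, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.process}: {verdict}")
```

Neither rule knows anything about the files involved; the unknown binary opening SMTP and the FTP drop into system32 are blocked on behaviour alone, which is why these rules keep working against samples that have no signature yet.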

AV technology is miserably inept at protecting hosts from today’s dynamic threats. The current process of getting AV definitions all the way to an end host is a joke:

  1. Identify a file as potentially malicious (there are just too many files)
  2. Analyze that file (too much human interaction)
  3. Create a signature to detect that file (which often can’t detect slight variants)
  4. Distribute that signature to customers (often only once a week)
  5. Get those signatures all the way to all enterprise assets (which have their own problems with the local AV client)

Granted, the system worked well four years ago, when viruses were the big threat and all they did was replicate all over the local machine and drain CPU, memory and hard drive resources. Now we have dynamic worms that can attack a number of different vulnerabilities in order to deliver a bot payload that places the host under the control of an attacker to do any number of things, most notably participate in spam distribution. The trojans are adaptive and fast, and the bots they deliver are fluid and stealthy. The technology we’re depending on to protect us from these threats is the complete opposite: cumbersome and static, antiquated and inefficient.

It’s time the AV companies get innovative and rethink the way they address malware detection and prevention.

The conqueror of AV?

CSOonline.com has a good article about an emergent technology (the A1000) designed to create detection rules dynamically rather than wait for a signature.

There isn’t a lot of information on the technology yet, but it seems to have strong roots in IDS tech, which is exactly what I’ve been hoping would happen to AV.

It sounds like it might be gateway-based. I’d prefer it to be closer to the network fabric, possibly based on NetFlow or something similar. But hey, it’s a start, and from the looks of it, AV is indeed getting its peanut butter stuck in IDS’s chocolate. ;)