Take ‘em for what their worth; this is a collection of events logged from 277 hosts located in 12 different office locations with five unique, central AV servers managed by five different IT departments.

The statistics have been collected over 11 days:

The failure to open a file is attributed to, according to the event log, “extraction errors encountered by the Decomposer Engines” which I assume are the engines that translate the file to something the AV software can scan, whether the file is an executable file, compressed file, text file, etc.

Now, is it really possible that on 277 laptops there have only been a total of 7 pieces of malware that have made it all the way to the machine? I’d love to say this number is accurate and the result of defense in depth, but I’m not ready to say that just yet.

What countermeasures do we have in place that would help?

1. Strict email attachment filters based on file extension alone
2. ‘Course grain’ AV at the spam gateway, before the email hits our servers
3. ‘Fine grain’ AV at the email gateway before the email hits the inboxes
4. IPS units protecting web browser attacks, but only while hosts are on our network
5. Behavioral HIPS on all laptops

Does that battery of defenses look like something that could reduce the number of threats that make it to our laptops to only 7 in 11 days for 277 hosts?

That’s a pretty good success story if its true. However, given that we have 1,253 cases of a failure to open a file, we have possibly 1,253 additional viruses that we can’t detect, not to mention the 969 alerts that the AV software is failing to auto-protect some hosts.

But as my grandpappy always says; if it seems too good to be true, it likely is too good to be true.

*The AV software logs multiple events on a single host, therefore I’ll have to distill these events to find an accurate count of the number of unique hosts or files affected.

Last week I struck a cord with a few people when I (once again) complained publicly about the short-comings of AV. I’ve gone on record claiming the current model is broken, so what do I think will help fix it? Below are some of the ideas I’ve had for the future of AV.

1. Shim the web browsers, either between the Internet and the browser (preferred) or between the browser and the OS so that the AV app can keep its fingers around the browser’s throat and control it.
2. Develop vulnerability protection into the browser shim that acts as a virtual patch rather than traditional AV models that look for malware. This will be much more effective at stopping variants than malware protection is.
3. Include a killbit feature to snipe malicious CLSIDs. Granted, this is signature-based but we need a stop-gap in place while heuristic or HIPS-like technology catches up.
4. Utilize P2P-like communication between AV clients within the enterprise. If a host detects a malicious file, have it communicate an MD5 hash of the file to all other hosts and prevent access to that file. This will also help when there is disparity of definition versions within the enterprise.
5. Take advantage of worms that check for a local infection by duping it into thinking the host is already infected. For example, Nimbda first checked if the local machine was infected. If AV could simulate infection automatically, it could prevent an actual infection. AV is pretty useless against worms until a payload is delivered. The ability to simulate an infection could help in that phase of a compromise.

The key is for AV R&D teams to gather in a room with a white board and start a brain-dump, thinking out of the box, leaving no trivial idea unspoken.

One of the things I’ve been doing with my HIPS software is take a closer look at my AV protection, or lack thereof. I have HIPS on roughly 300 hosts on my network, which is a slice of about 1/5th of my entire host population. I have the HIPS software pulling selected events from the event logs of the hosts and aggregating the events to the HIPS logs where I can pour over them.

In the last 24 hours, 2% of the hosts reported an inability to monitor for viruses in real time and there were 50 alerts warning of the inability to open a file due to ‘decomposer engine’ problems (extensions included .cab, .zip, .rar, .exe and more).

I’m not sure which worries me more, the fact that 2% of my hosts have absolutely no realtime protection or that those that do have protection are having serious problems analyzing potential threats…

I can’t even begin to count the number of times my HIPS software has identified (and blocked) malicious behavior of files that many AV companies don’t detect as malicious. Simple rules such as preventing SMTP access, or preventing any FTP downloads to system root have been extremely successful in identifying malicious software and stopping any escalation of compromise or even better, preventing the core function of the malware.

AV technology is miserably inept at protecting hosts from today’s dynamic threats. The current process of getting AV definitions all the way to an end host is a joke;

1. Identify a file to be potentially labeled malicious (there are just too many files)
2. Analyze that file (too much human interaction)
3. Create a signature to detect that file (which often can’t detect slight variants)
4. Distribute that signature to customers (often only once a week)
5. Get those signatures all the way to all enterprise assets

(that have their own problems with the local AV client)

Granted, the system worked well four years ago when viruses were the big threat and all they did was replicate all over the local machine and drained CPU, memory and hard drive resources. Now we have dynamic worms, which can attack a number of different vulnerabilities in order to deliver a bot payload that places the host under the control of a hacker to do any number of things, most notably participate in spam distribution. The trojans are adaptive and fast and the bots they deliver are fluid and stealthy. The technology we’re depending on to protect us from these threats is the complete opposite; cumbersome and static, antiquated and inefficient.

It’s time the AV companies get innovative and rethink the way they address malware detection and prevention.

CSOonline.com has a good article about some emergent technology (the A1000) designed to create rules dynamically to detect malware.

There isn’t a lot of information on the technology yet but it seems that it does have strong roots in IDS tech, which is exactly what I’ve been hoping will happen to AV.

It sounds like it might be gateway-based. I’d prefer it to be closer to the network fabric, possibly based off netflow or something similar. But hey, its a start and from the looks of it, AV is indeed getting their peanut butter stuck in IDS’s chocolate.

I posted an article back in April of ‘07 bemoaning the piss-poor performance of current antivirus technology and it looks like the mainstream guys are slowly picking it up as well.

According to this article by PCWorld.com, their tests showed that “the best performer detected only one in four new malware samples.” Catching 25% of new malware is actually a very good percentage given the reactive nature of current AV technology. That might have been great in the 90’s, when the top threat was viruses who’s propagation was largely limited to the local host but viruses are a threat of the past. Worms, trojans and bots are the current soup de jour for the bad guys and reactive countermeasures are simply inadequate at preventing them. Yes, I said prevent. I want my antivirus software to stop the attack before it becomes an infection. Once it’s an infection, it’s an incident and I have to spend time, and more importantly, money to fix it and that’s after I’ve already spent time and money on AV software and its maintenance.

As I’ve said before, AV technology needs to get their peanut butter stuck in IPS technology’s chocolate. AV should be more aware of malicious behavior as well as known malicious content. Most AV software already hooks into the kernel. Why not leverage that low-level awareness more effectively? Snarf those memory calls. Sniff that NIC access. New listener? I think not! Shut that process down and quarantine it.

‘But Michael, that’s the job of your HIPS’ you say? That’s exactly my point.
(more…)