AV must innovate or die

One of the things I’ve been doing with my HIPS software is take a closer look at my AV protection, or lack thereof. I have HIPS on roughly 300 hosts on my network, which is a slice of about 1/5th of my entire host population. I have the HIPS software pulling selected events from the event logs of the hosts and aggregating the events to the HIPS logs where I can pore over them.

In the last 24 hours, 2% of the hosts reported an inability to monitor for viruses in real time and there were 50 alerts warning of the inability to open a file due to ‘decomposer engine’ problems (extensions included .cab, .zip, .rar, .exe and more).

I’m not sure which worries me more, the fact that 2% of my hosts have absolutely no real-time protection or that those that do have protection are having serious problems analyzing potential threats…

I can’t even begin to count the number of times my HIPS software has identified (and blocked) malicious behavior of files that many AV companies don’t detect as malicious. Simple rules such as preventing SMTP access, or preventing any FTP downloads to system root have been extremely successful in identifying malicious software and stopping any escalation of compromise or even better, preventing the core function of the malware.

AV technology is miserably inept at protecting hosts from today’s dynamic threats. The current process of getting AV definitions all the way to an end host is a joke:

  1. Identify a file to be potentially labeled malicious (there are just too many files)
  2. Analyze that file (too much human interaction)
  3. Create a signature to detect that file (which often can’t detect slight variants)
  4. Distribute that signature to customers (often only once a week)
  5. Get those signatures all the way to all enterprise assets (which have their own problems with the local AV client)

Granted, the system worked well four years ago when viruses were the big threat and all they did was replicate all over the local machine and drain CPU, memory and hard drive resources. Now we have dynamic worms, which can attack a number of different vulnerabilities in order to deliver a bot payload that places the host under the control of a hacker to do any number of things, most notably participate in spam distribution. The trojans are adaptive and fast and the bots they deliver are fluid and stealthy. The technology we’re depending on to protect us from these threats is the complete opposite: cumbersome and static, antiquated and inefficient.

It’s time the AV companies get innovative and rethink the way they address malware detection and prevention.

Your AV *still* sucks and you know it…

I posted an article back in April of ’07 bemoaning the piss-poor performance of current antivirus technology and it looks like the mainstream guys are slowly picking it up as well.

According to this article by PCWorld.com, their tests showed that “the best performer detected only one in four new malware samples.” Catching 25% of new malware is actually a very good percentage given the reactive nature of current AV technology. That might have been great in the ’90s, when the top threat was viruses whose propagation was largely limited to the local host, but viruses are a threat of the past. Worms, trojans and bots are the current soup du jour for the bad guys and reactive countermeasures are simply inadequate at preventing them. Yes, I said prevent. I want my antivirus software to stop the attack before it becomes an infection. Once it’s an infection, it’s an incident and I have to spend time, and more importantly, money to fix it, and that’s after I’ve already spent time and money on AV software and its maintenance.

As I’ve said before, AV technology needs to get its peanut butter stuck in IPS technology’s chocolate. AV should be more aware of malicious behavior as well as known malicious content. Most AV software already hooks into the kernel. Why not leverage that low-level awareness more effectively? Snarf those memory calls. Sniff that NIC access. New listener? I think not! Shut that process down and quarantine it.

‘But Michael, that’s the job of your HIPS’ you say? That’s exactly my point.

Bruce the blowhard

I haven’t figured out yet what the fascination is with Bruce Schneier. A friend sent me a link to a Q&A with Bruce the almighty and his answer to the first question immediately turned me off. The very first question boiled down to ‘what will be the most incredible technology in 50 years?’ and it takes Schneier three paragraphs to basically say ‘I don’t know, but it’ll be bad ass.’

The article is so rife with ‘love me, for I am Schneier’ it isn’t even funny. I’d count his links to his own articles and references to himself just to prove a point, but I’d rather tend to my toenail fungus.

And yes, I intentionally did not include the link to the article. If you’re a Schneier sycophant, you’ve already read it.

What’s ironic is just yesterday I mentioned how this sort of post on other security blogs turned me off them completely…I suppose that makes me Michael the hypocrite. I’m okay with that.

the Leopard needs tamed

Me: I’m having serious second thoughts about Leopard. After updating iTunes and Quicktime yesterday, I’ve had three separate apps go tits-up.

Luke: really?

Me: yeah, really. It feels more like a fucking windows machine now.


I’ve had three separate applications hang since applying the iTunes and Quicktime updates yesterday plus a kernel panic last night. I’ve rebooted twice since, to flush any problems, to no avail.

I’m not sure if Leopard was rushed, or if it wasn’t well tested, or if I’m an isolated case. I certainly didn’t have this problem going to Tiger.

However, it just occurred to me that I’ve maintained the same basic build since friggin’ Cheetah, the first iteration of OS X. We’re now five OS versions beyond Cheetah. Now THAT is impressive. Try that on a Windows machine.

I guess it’s time to plan for a full rebuild.

Bloatware = h@x0rdware

This is one example of why software can be so vulnerable. Below is output from a HIPS log on one of our laptops:

The process ‘C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE’ (as user SCRUBBED\joe.soap) attempted to initiate a connection as a client on TCP port 21 to XX.XX.XX.XX. The process was added to the application class FTP Client Software.

Why does MS Word have to be the FTP Client? Why doesn’t Word call an FTP client (like IE) and pass it the URL to fetch?

Adding FTP functionality to word-processing software adds attack vectors for the sake of a little convenience.
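The kind of behavioral rule the earlier post describes (no SMTP from workstations, FTP only from approved client software), run over log lines in the shape of the entry above, as an added example that is not the HIPS product’s code or the post’s own. The allowlist, the log format, the user name, the paths and the addresses are all assumptions made for the sample.

```python
import re

# Constructed HIPS-style entries modelled on the one quoted in the post; the
# paths, user and destination addresses are made-up sample values.
SAMPLE_LOG = """\
The process 'C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE' (as user CORP\\joe.soap) attempted to initiate a connection as a client on TCP port 21 to 203.0.113.10.
The process 'C:\\Program Files\\FileZilla FTP Client\\filezilla.exe' (as user CORP\\joe.soap) attempted to initiate a connection as a client on TCP port 21 to 203.0.113.10.
The process 'C:\\Users\\joe.soap\\AppData\\Local\\Temp\\update.exe' (as user CORP\\joe.soap) attempted to initiate a connection as a client on TCP port 25 to 198.51.100.7.
The process 'C:\\Program Files\\Internet Explorer\\iexplore.exe' (as user CORP\\joe.soap) attempted to initiate a connection as a client on TCP port 80 to 198.51.100.7.
"""

# Field pattern for the "attempted to initiate a connection" entry shape (assumed format).
ENTRY_RE = re.compile(
    r"The process '(?P<path>[^']+)' \(as user (?P<user>[^)]+)\) attempted to "
    r"initiate a connection as a client on TCP port (?P<port>\d+) to (?P<dest>\S+)\."
)

# Assumed allowlist of binaries that are legitimately FTP clients on this fleet.
FTP_CLIENTS = {"filezilla.exe", "ftp.exe", "iexplore.exe"}
SMTP_PORT, FTP_PORT = 25, 21


def parse_entry(line):
    """Return the fields of one connection entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    fields["exe"] = fields["path"].rsplit("\\", 1)[-1].lower()  # basename of the binary
    return fields


def evaluate(line):
    """Apply the two behavioural rules; returns (verdict, exe, reason) or None."""
    e = parse_entry(line)
    if e is None:
        return None
    if e["port"] == SMTP_PORT:  # workstations never speak SMTP directly
        return ("BLOCK", e["exe"], f"outbound SMTP to {e['dest']}")
    if e["port"] == FTP_PORT and e["exe"] not in FTP_CLIENTS:
        return ("ALERT", e["exe"], f"not an approved FTP client (dest {e['dest']})")
    return ("ALLOW", e["exe"], f"port {e['port']} not covered by a rule")


def scan(log_text):
    """Run every line through the rules and keep only BLOCK/ALERT findings."""
    results = [evaluate(line) for line in log_text.splitlines()]
    return [r for r in results if r and r[0] != "ALLOW"]
```

On the sample, Word’s port 21 attempt is flagged while FileZilla’s identical connection is allowed, which is exactly the per-process distinction signature AV cannot make.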