The Future of AV?

Last week I struck a chord with a few people when I (once again) complained publicly about the shortcomings of AV. I’ve gone on record claiming the current model is broken, so what do I think will help fix it? Below are some of the ideas I’ve had for the future of AV.

  1. Shim the web browsers, either between the Internet and the browser (preferred) or between the browser and the OS, so that the AV app can keep its fingers around the browser’s throat and control it.
  2. Develop vulnerability protection into the browser shim that acts as a virtual patch, rather than the traditional AV model that looks for malware. This will be much more effective at stopping variants than malware detection is.
  3. Include a killbit feature to snipe malicious CLSIDs. Granted, this is signature-based, but we need a stop-gap in place while heuristic or HIPS-like technology catches up.
  4. Utilize P2P-like communication between AV clients within the enterprise. If a host detects a malicious file, have it communicate an MD5 hash of the file to all other hosts so they can block access to that file. This will also help when there is disparity in definition versions within the enterprise.
  5. Take advantage of worms that check for a local infection by duping them into thinking the host is already infected. For example, Nimda first checked whether the local machine was infected. If AV could simulate infection automatically, it could prevent an actual infection. AV is pretty useless against worms until a payload is delivered; the ability to simulate an infection could help in that phase of a compromise.
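Idea 4 in working form, as an added example that is not part of the original post: a toy mesh of AV clients where one host’s detection pushes a file hash to its peers, which then refuse the file even though their own definitions never flagged it. The host names, the sample “dropper” bytes and the one-byte variant are constructed for the example. It uses MD5 because the idea above does; the second result shows the limitation any whole-file hash carries, which is the same variant problem raised later on this page.

```python
import hashlib
from typing import Dict, Set


class AvClient:
    """One AV client in the enterprise; peers share a list of blocked file hashes."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.peers: Set["AvClient"] = set()
        self.blocked: Set[str] = set()

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # MD5, as the idea above proposes. Caveat: MD5 is collision-prone, and any
        # whole-file hash only matches byte-identical copies. A deployment today
        # would use SHA-256 and pair it with something variant-tolerant.
        return hashlib.md5(data).hexdigest()

    def detect_and_share(self, data: bytes) -> str:
        """Local detection fired: block the hash here and push it to every peer."""
        digest = self.fingerprint(data)
        self.blocked.add(digest)
        for peer in self.peers:
            peer.receive(digest)
        return digest

    def receive(self, digest: str) -> None:
        # A received hash is blocked even if this host's definitions are older
        # and would never have flagged the file locally.
        self.blocked.add(digest)

    def allow_access(self, data: bytes) -> bool:
        return self.fingerprint(data) not in self.blocked


def build_mesh(names) -> Dict[str, AvClient]:
    """Full mesh: every client knows every other client (assumed topology)."""
    hosts = {n: AvClient(n) for n in names}
    for h in hosts.values():
        h.peers = {p for p in hosts.values() if p is not h}
    return hosts


def demo() -> Dict[str, bool]:
    hosts = build_mesh(["ws01", "ws02", "fs01"])
    # Constructed sample: a stand-in for a dropper, and a one-byte variant of it.
    dropper = b"MZ\x90\x00" + b"download-and-exec-stub" * 8
    variant = dropper[:-1] + b"!"

    hosts["ws01"].detect_and_share(dropper)
    return {
        "exact_copy_blocked_on_peer": not hosts["ws02"].allow_access(dropper),
        "exact_copy_blocked_everywhere": all(not h.allow_access(dropper) for h in hosts.values()),
        "variant_blocked_on_peer": not hosts["ws02"].allow_access(variant),
    }


if __name__ == "__main__":
    print(demo())
```

The exact copy is blocked on every host as soon as ws01 reports it; the variant that differs by a single byte sails through, which is why the hash exchange is a stop-gap for definition lag rather than a substitute for the vulnerability-level protection in idea 2.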

The key is for AV R&D teams to gather in a room with a white board and start a brain-dump, thinking out of the box, leaving no trivial idea unspoken.

AV must innovate or die

One of the things I’ve been doing with my HIPS software is taking a closer look at my AV protection, or lack thereof. I have HIPS on roughly 300 hosts on my network, about one fifth of my entire host population. I have the HIPS software pulling selected events from the event logs of the hosts and aggregating them in the HIPS logs, where I can pore over them.

In the last 24 hours, 2% of the hosts reported an inability to monitor for viruses in real time and there were 50 alerts warning of the inability to open a file due to ‘decomposer engine’ problems (extensions included .cab, .zip, .rar, .exe and more).

I’m not sure which worries me more: the fact that 2% of my hosts have absolutely no real-time protection, or that those that do have protection are having serious problems analyzing potential threats…

I can’t even begin to count the number of times my HIPS software has identified (and blocked) malicious behavior from files that many AV companies don’t detect as malicious. Simple rules, such as blocking outbound SMTP or blocking any FTP downloads to the system root, have been extremely successful in identifying malicious software and stopping any escalation of the compromise or, even better, preventing the core function of the malware.
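The two rules mentioned above, run over a handful of constructed host events, as an added example that is not the author’s HIPS configuration or any vendor’s rule syntax. The event fields, the list of processes allowed to speak SMTP, the FTP client names and the reading of “system root” as %SystemRoot% (C:\Windows) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumptions for this example (not from the page): event fields, which
# processes may speak SMTP, which binaries count as FTP clients, and that
# "system root" means %SystemRoot%.
SYSTEM_ROOT = "C:\\Windows"
SMTP_PORT = 25
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"ftp.exe", "tftp.exe"}


@dataclass
class Event:
    host: str
    process: str                 # image name, lowercased
    action: str                  # "connect" or "file_write"
    dst_port: Optional[int] = None
    path: Optional[str] = None


def rule_no_smtp(ev: Event) -> Optional[str]:
    """Block outbound TCP/25 from anything that is not a known mail client."""
    if ev.action == "connect" and ev.dst_port == SMTP_PORT and ev.process not in MAIL_CLIENTS:
        return f"{ev.host}: BLOCK {ev.process} outbound SMTP (spam-bot behaviour)"
    return None


def rule_no_ftp_to_system_root(ev: Event) -> Optional[str]:
    """Block an FTP client writing anything under the system root (case-insensitive)."""
    if (ev.action == "file_write" and ev.process in FTP_CLIENTS
            and ev.path is not None
            and ev.path.lower().startswith(SYSTEM_ROOT.lower() + "\\")):
        return f"{ev.host}: BLOCK {ev.process} writing {ev.path}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [rule_no_smtp, rule_no_ftp_to_system_root]


def evaluate(events: List[Event]) -> List[str]:
    """One verdict line per blocked event; an event no rule matches is allowed."""
    verdicts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                verdicts.append(hit)
                break  # first matching rule decides
    return verdicts


# Constructed sample events, modelled on the behaviours described above.
SAMPLE_EVENTS = [
    Event("ws01", "outlook.exe", "connect", dst_port=25),        # legitimate mail client
    Event("ws02", "svchost32.exe", "connect", dst_port=25),      # unknown binary talking SMTP
    Event("ws03", "ftp.exe", "file_write", path="C:\\Windows\\system32\\drvupd.exe"),
    Event("ws04", "ftp.exe", "file_write", path="C:\\Users\\bob\\Downloads\\readme.txt"),
    Event("ws05", "ftp.exe", "file_write", path="C:\\WINDOWS\\hlp.dll"),  # case differs
]


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Neither rule knows anything about the file being dropped; they fire on what the process is doing, which is why behaviour rules of this kind catch samples that the signature pipeline described below has not yet seen.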

AV technology is miserably inept at protecting hosts from today’s dynamic threats. The current process of getting AV definitions all the way to an end host is a joke:

  1. Identify a file to be potentially labeled malicious (there are just too many files)
  2. Analyze that file (too much human interaction)
  3. Create a signature to detect that file (which often can’t detect slight variants)
  4. Distribute that signature to customers (often only once a week)
  5. Get those signatures all the way to all enterprise assets (which have their own problems with the local AV client)

Granted, the system worked well four years ago, when viruses were the big threat and all they did was replicate all over the local machine and drain CPU, memory and hard drive resources. Now we have dynamic worms, which can attack a number of different vulnerabilities in order to deliver a bot payload that places the host under the control of a hacker to do any number of things, most notably participate in spam distribution. The trojans are adaptive and fast, and the bots they deliver are fluid and stealthy. The technology we’re depending on to protect us from these threats is the complete opposite: cumbersome and static, antiquated and inefficient.

It’s time the AV companies get innovative and rethink the way they address malware detection and prevention.

The conqueror of AV?

CSOonline.com has a good article about some emergent technology (the A1000) designed to create rules dynamically to detect malware.

There isn’t a lot of information on the technology yet but it seems that it does have strong roots in IDS tech, which is exactly what I’ve been hoping will happen to AV.

It sounds like it might be gateway-based. I’d prefer it to be closer to the network fabric, possibly based on NetFlow or something similar. But hey, it’s a start, and from the looks of it, AV is indeed getting its peanut butter stuck in IDS’s chocolate. ;)

MS08-001

Am I being Chicken Little in thinking that remote kernel attacks such as one leveraging the MS08-001 vulnerability will be the next chapter in the arms race between hackers and network defenders?

Alex Wheeler, one of the two researchers responsible for discovering and researching the vulnerability, said this: “This is a severe vulnerability across the board. I agree with Microsoft that this is critical and wormable.”

Holly Stewart of ISS said the following on the X-Force blog, Frequency X:

These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP.

I usually have a good FUD radar (FUD-ar?) and it isn’t picking up anything in the recent chatter on MS08-001. So far I’m hearing specifics on why this is potentially a big deal, not to mention the caliber of the analysts chiming in on the subject.

This week I’ve been sending emails to vendors of our various security applications, seeking clarification on what level of protection they provide. One prominent vendor replied with the following:

Based on the information contained in the MS bulletin we are unsure that [our HIPS product] would mitigate against an exploit targeting that vulnerability - that is why it’s not listed in that particular row [of a spreadsheet detailing protection levels].

The disclaimer in the [snip] document is because there has been no exploit testing. Just because there is a MS vulnerability does not mean an exploit will be written against it or available.

This despite the fact that Immunity has already publicly demonstrated a successful attack method.

Now I’d like to revisit what Holly said: “These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them.” (emphasis mine)

To me this indicates a significant threat and quite possibly the beginning of a new trend in remote attacks. If I were a hacker, this one would get a lot of attention from me because 1) both XP and Vista are ripe for the picking and 2) it likely gets my code in a position where most security software can’t see or touch it. I’d worm that sucker and use it to deliver my bot and grow a big, nearly bullet-proof bot net that could be diced up and rented to the highest bidders.

Or maybe I’m wrong and the vendor has it right and this is just another MS vulnerability that will come and go. I’m still digging bomb shelters, just in case.

Chip off the old block

Last weekend in the dentist’s waiting room, I was working on my BlackBerry when the dentist called me back to the chair. I holstered the BB and handed it to my 12-year-old daughter for safekeeping. Once holstered, it locks the keyboard and requires a password to get back in.

When I came back from the chair, I went to log into the BB and it said something like “attempt 6 out of 10, please enter the word ‘Blackberry’ to continue”. She was trying to guess my password.

She has potential!