The shortcomings of anti-virus software
No, this isn't about the lousy detection rate. I think we're pretty much resigned to that, irrespective of the latest fancy marketing terms the industry uses to sell us the same failed concept. This is about the forensic quality, or rather the lack thereof, of anti-virus.
Let's say your anti-virus (AV) happens to find a piece of spyware, something like the spyware I described in yesterday's ISC diary. What does it do with it? If your AV is anything like the products I've seen in use, it displays a Halloween-grade scary pop-up ("Danger! Virus!") and deletes or quarantines the threat.
So far so good. That was fine back when all we wanted our anti-virus to do was get rid of the threat, but those days are over. Increasingly, anti-virus alerts us (maybe) to a persistent threat that has been on the system for days, weeks, or even months. Deleting or quarantining such a threat then causes a serious problem: it modifies or eradicates evidence. Yes, we get an alert, but then we are like the CSI team called to a murder scene without a body. Sure, we can spend hours trying to lift DNA off cigarette butts, but things would be so much easier if the caller could tell us exactly what he saw, where he saw it, and where the body was.
In other words: if anti-virus removes a registry key to unhook a DLL, why can't the AV log tell me (a) the full path of that registry key and (b) its timestamp? The registry keeps no creation time for a key, only a LastWrite time, but even that gives a first indication of how far back we have to dig to determine what data was stolen. The same holds for the threat files that get deleted or quarantined: a full set of MAC (modify/access/create) timestamps in the log, captured before the file is touched, shouldn't be too much to ask. Garnish it with an MD5 checksum for good measure (or better, SHA-256, since MD5 collisions are practical), so that the analyst can tell right away whether the exact same threat has already been seen on another PC.
I don't think the AV companies have caught on to this yet. They seem to delete and quarantine threats with the same casual indifference as they did 20 years ago, stomping all over the crime scene and wiping out or contaminating important forensic evidence in the process.
If your enterprise-grade anti-virus software does any better at forensics than described above, please let us know via the contact page. If it has the same shortcomings, please let us know as well, but more importantly, please let your AV vendor know. Maybe someone listens.
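What the log entry asked for above could look like in practice, as an added example that is not the diary author's code nor any AV vendor's: the evidence (path, size, timestamps, MD5 and SHA-256) is recorded before the file is moved to quarantine, so the move cannot destroy it, and a second function answers "has this hash been seen on another PC?" from the resulting log. The file names, hosts and log format are assumptions made up for the example; the registry helper is Windows-only and uses winreg.QueryInfoKey, which reports a key's LastWrite time as a FILETIME.

```python
"""Added example (not the ISC diary author's code, nor any AV vendor's):
a forensic-quality quarantine log entry, captured BEFORE the file is moved."""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
WINDOWS_EPOCH_OFFSET_100NS = 116444736000000000


def iso_utc(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def filetime_to_iso(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to ISO 8601 UTC.
    winreg.QueryInfoKey() reports a key's LastWrite time in this form; the
    registry keeps no creation time, so LastWrite is the best available bound."""
    return iso_utc((filetime - WINDOWS_EPOCH_OFFSET_100NS) / 10_000_000)


def file_record(path, host=None):
    """Hash and timestamp a file in place: it is read, never modified."""
    st = os.stat(path)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "host": host or socket.gethostname(),
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": iso_utc(st.st_mtime),
        "accessed": iso_utc(st.st_atime),
        # Creation time on Windows, inode-change time on POSIX.
        "created_or_changed": iso_utc(st.st_ctime),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def registry_key_record(hive, subkey):
    """Windows only: path plus LastWrite time of the key about to be removed."""
    import winreg  # imported lazily; the module does not exist on POSIX
    with winreg.OpenKey(hive, subkey) as key:
        _subkeys, _values, last_write = winreg.QueryInfoKey(key)
    return {"key": subkey, "last_write": filetime_to_iso(last_write)}


def quarantine(path, quarantine_dir, log_path, host=None):
    """Log the evidence first, then move the file to quarantine under its hash."""
    record = file_record(path, host)  # captured before the move alters anything
    record.update(action="quarantine",
                  logged_at=iso_utc(datetime.now(timezone.utc).timestamp()))
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, record["sha256"] + ".quar")
    shutil.move(path, dest)
    record["quarantine_path"] = dest
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def hosts_with_hash(log_path, sha256):
    """Answer 'has this exact file been seen on another PC?' from the log."""
    hosts = set()
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry.get("sha256") == sha256:
                hosts.add(entry["host"])
    return sorted(hosts)


def demo():
    """Run the flow on a constructed sample in a temp dir; returns what was logged."""
    work = tempfile.mkdtemp(prefix="av-forensics-")
    sample = os.path.join(work, "svchosts.exe")  # constructed: three harmless bytes
    with open(sample, "wb") as fh:
        fh.write(b"abc")
    os.utime(sample, (1_000_000_000, 1_000_000_000))  # pretend it landed in 2001
    log = os.path.join(work, "av-forensics.jsonl")
    rec = quarantine(sample, os.path.join(work, "quarantine"), log, host="pc-01")
    # Constructed entry from a second host that reported the same hash.
    other = dict(rec, host="pc-02", path=r"C:\Users\bob\AppData\Local\Temp\svchosts.exe")
    with open(log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(other) + "\n")
    return {
        "record": rec,
        "original_gone": not os.path.exists(sample),
        "quarantined_exists": os.path.exists(rec["quarantine_path"]),
        "hosts": hosts_with_hash(log, rec["sha256"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order inside quarantine() is the whole point: a rename changes the inode-change (or creation) time and a copy changes all of them, so a product that hashes and stamps the file after moving it has already contaminated the scene. Note also that os.stat() only sees what the filesystem exposes; on NTFS the $MFT carries a second set of timestamps ($FILE_NAME) that timestomping tools often forget, and a serious log would capture those too.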
Comments
http://www.carbonblack.com/case-study-malware-infection-2/
http://www.sysforensics.org/2012/06/look-at-carbon-black.html
Joe
Nov 2nd 2012
What also makes this all the more difficult is that there is often no definitive 'list' of what files/keys should and should NOT be on the system at any point in time: dates and signatures can be spoofed, with certificates and any registry keys only secured in software installation restore points, and all have been vulnerable to compromise.
Building an image and wiping the disk with the saved image every day would be extreme, to say the least!
Highly impracticable, given the number of registry reads/writes, would be to keep an accurate image of a complete disk installation and a copy at the beginning of each day. Subsequent comparisons could be logged for differences, but the overhead and analysis would likely be unacceptable.
Logging is one way forward, but how do you protect the logs if the OS API calls and/or the disk file system have been compromised?
PS: note that VUPEN have reportedly found a number of 0-day vulns in Windows 8. Things can only get tougher without better tools.
nic
Nov 2nd 2012
LV
Nov 2nd 2012
Maxime
Nov 2nd 2012
Phil
Nov 2nd 2012
KBR
Nov 2nd 2012
http://www.bromium.com/product/introducing-vsentry.html
Philippe
Nov 2nd 2012
Joe
Nov 2nd 2012
Isn't it about time we gave up on trying to find all the bad and started whitelisting all the good? Shouldn't we refuse any code that the developer doesn't digitally sign, so we know where it came from? Limit the allowed applications to trusted companies? Further from that, switch to whitelisting AV: nothing is allowed to run that's not approved. We're aiming to lock down most of our company workstations:
We’ll have trusted fileshares: \\company\installs \\company\executables \\company\deployments
Users can only install/run things from those locations; the whitelisting AV will block anything else. Gatekeepers in each area will be able to upload software to the fileshare, and the fileshare will run blacklisting AV to make sure it's clean.
You can download virus.exe or virus.dll as many times as you like; if it's not approved, it can't run. ATMs have been doing it for years!
C4C
Nov 5th 2012
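An added example, not part of C4C's comment: the location check behind "users can only run things from those shares" is where path-based whitelists usually go wrong. The obvious string-prefix test accepts \\company\installs-staging because it starts with \\company\installs, and rejects \\COMPANY\Installs because Windows paths are case-insensitive and accept forward slashes. The corrected version canonicalises the path with ntpath (which works on any platform) and requires a separator after the trusted root. The share names are the three from the comment; the rest is assumed.

```python
"""Added example (not C4C's code): path whitelist check, naive and corrected."""
import ntpath

# The three shares named in the comment.
TRUSTED_SHARES = (r"\\company\installs",
                  r"\\company\executables",
                  r"\\company\deployments")


def naive_is_trusted(path, trusted=TRUSTED_SHARES):
    """The obvious check: a raw, case-sensitive prefix match. Wrong both ways:
    it lets \\company\installs-staging through and blocks \\COMPANY\Installs."""
    return any(path.startswith(root) for root in trusted)


def is_trusted_location(path, trusted=TRUSTED_SHARES):
    """Canonicalise slashes, '.'/'..' segments and case, then require that the
    trusted root is followed by a separator (or is the whole path)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    for root in trusted:
        root = ntpath.normcase(ntpath.normpath(root))
        if norm == root or norm.startswith(root + "\\"):
            return True
    return False


def classify(paths):
    """Compare both checks over a list of candidate paths (constructed inputs)."""
    return {p: (naive_is_trusted(p), is_trusted_location(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, fixed) in classify([
        r"\\company\installs\7zip\7z.exe",
        r"\\COMPANY\Installs/7zip\7z.exe",
        r"\\company\installs-staging\tool.exe",
        r"C:\Users\bob\Downloads\virus.exe",
    ]).items():
        print(f"naive={naive!s:5} fixed={fixed!s:5} {path}")
```

Even the corrected check only decides where a file sits, not what it is: a DFS alias, a mapped drive letter or a symbolic link pointing at the share would all need resolving first, and anything an attacker can write into the share is "trusted" by definition, which is why the comment pairs the location rule with signing and gatekeepers. Enforce this in the OS policy engine (AppLocker or SRP rules on Windows) rather than in a script; the example only makes the matching rule explicit.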
On another note, forget about the whitelisting solutions that many in this forum seem to be alluding to as an alternative to standard AV. Just give it a little more thought and you'll realize that that's just trading one intractable problem for another.
Fearless Leader
Nov 6th 2012