SANS ISC: InfoSec Handlers Diary Blog



Antivirus: The emperor is naked

Published: 2007-07-23
Last Updated: 2007-07-23 18:27:25 UTC
by Daniel Wesemann (Version: 3)

Over the weekend, I read a report by an anti-virus firm about the "discovery" of a malware-serving host that creates a new, unique malware binary "on the fly" for every exploited PC connecting to retrieve it. As if this were anything new, really. But rather than draw the obvious conclusion from this discovery - namely that the anti-virus approach of the last 20 years, which rests on the assumption that you can keep up with writing "patterns" for every bad thing out there, has completely outlived its usefulness - the article went on to extol the virtues of new "behavioural" virus defense software.

It is long overdue to radically change tactics on the malware defense side - but why doesn't anyone do it? Is it because the anti-virus vendors, reveling in their plum revenue stream of "update licenses", do not really see any need to change? Is it because the operating system vendors have their eyes set on this same (for them: additional) revenue stream, and don't want to dry it up by making a few changes to the OS itself?

At least for the corporate environment, the "solution" would be kinda obvious. Large firms have standardized their workplace computers, and use automated software distribution tools to patch, update and deploy software on client PCs. Frequently, the distribution mechanism is even from the same vendor as the operating system on the workstations. All that's needed to make life a misery for malware in such an environment is a component which enforces that workstations only load/run executable code that has been deployed to the workstation via the software distribution system the firm already has and uses. Wouldn't this be a useful application of all that DRM code for a change?

Yes, I'm aware that this still leaves a number of attack points and injection techniques uncovered. And yes, this would not completely remove the need for anti-virus software. But it sure would be a huge step in the right direction.

I think it's time to stop pretending that the emperor is wearing clothes.


Update 1800 UTC: A few readers have interpreted the above as advocacy for vendor-signed software. This is not at all what I meant. Nor am I recommending painstakingly maintaining a whitelist of good binaries. All I'm suggesting is that large (Fortune-500 style) companies that already have a strictly standardized workstation build and a solid software distribution process could - with the right add-on tool - use their software/patch distribution as a method of policy enforcement, if the workstations would not run any code that did not come from the firm's SWDIST. Yes, this wouldn't work in R&D shops where folks are used to "download and install" the tools they need, but it could be a huge step in the right direction in malware defense for firms like banks, etc., that are already running tightly locked-down desktops anyway.
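A small Python simulation of the enforcement model sketched above and in the update (added here as an illustration; it is not code from the diary or from any product): a per-victim unique binary sails past a hash-signature scanner, while an execution gate keyed to what the firm's distribution system actually deployed refuses it regardless of its bytes. The class names, paths and payload bytes are constructed for the example.

```python
"""Simulated workstation execution gate: run only what SWDIST deployed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Classic pattern-based AV: blocks only hashes it has already seen."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.known_bad


class DeploymentLedger:
    """Record, written by the distribution system itself, of what it installed.
    No hand-maintained whitelist: the ledger is a by-product of deployment."""

    def __init__(self):
        self._deployed = {}  # path -> sha256 of the bytes SWDIST wrote there

    def deploy(self, path: str, data: bytes) -> None:
        self._deployed[path] = sha256(data)

    def allows(self, path: str, data: bytes) -> bool:
        # Permit execution only if SWDIST deployed this path AND the bytes
        # on disk are still the ones it deployed (catches later tampering).
        return self._deployed.get(path) == sha256(data)


def make_unique_malware(seed: int) -> bytes:
    # Constructed stand-in for the "unique binary per victim": same
    # behaviour, different bytes on every download, hence a new hash.
    return b"CONSTRUCTED-PAYLOAD:" + seed.to_bytes(4, "big")


def simulate() -> dict:
    ledger = DeploymentLedger()
    app_path = r"C:\Program Files\Corp\app.exe"  # constructed path
    ledger.deploy(app_path, b"corp-app-v1")
    av = SignatureScanner([sha256(make_unique_malware(1))])  # vendor saw sample #1
    fresh = make_unique_malware(2)  # the host serves variant #2 to the next PC
    return {
        "av_allows_fresh_variant": av.allows(fresh),
        "ledger_allows_fresh_variant": ledger.allows(r"C:\Users\u\dl.exe", fresh),
        "ledger_allows_deployed_app": ledger.allows(app_path, b"corp-app-v1"),
        "ledger_allows_tampered_app": ledger.allows(app_path, b"corp-app-v1-patched"),
    }
```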
