SANS ISC: InfoSec Handlers Diary Blog

What is "up to date anti-virus software"?

Published: 2013-04-26
Last Updated: 2013-04-28 07:22:43 UTC
by Russ McRee (Version: 1)
12 comment(s)

On the heels of my post on Microsoft's SIRv4 earlier this week, reader Ray posed a great question that elicited some nuanced responses from fellow handlers Mark H and Swa F. All parties have agreed to allow me to share the conversation with the ISC readership.

From Ray:

What is "up to date anti-virus software"? Is there a de facto standard of how often or what defines when a system is up to date or not up to date? My goal isn't to split hairs. There are a lot of moving pieces (in the background) to this question & where I work. I would like to know what other organizations use; besides sooner is better.

Mark H's response:

To me the definition of up to date is the latest pattern file for that particular application. So I tend to configure AV products to check at least hourly for updates and apply them. Some products, interestingly, still consider daily or weekly to be ok. Putting on my QSA hat, I usually accept daily updates as being ok (assuming that the AV product is therefore at the latest pattern update); go beyond that and you'd best have a very good reason for lagging.

Ray's reply:

While wearing the AV hat at my last company I expected a drop in infections when I stabilized our (pattern file) distributions, but didn't expect such a dramatic drop in the rate. With three updates a day I hit < .5% of systems being more than one day out of date. Since moving to a different company with different responsibilities I see one update a day and a 5-day window for updates with a target of only 90% of systems updated. I see... room for improvement, but face a mindset challenge. I was curious what other "standards" were.

Swa's feedback:

Agreement with Mark: hourly is THE way to go. 

Add internal servers to help distribute it and allow in the field updates for machines at home or while roaming out there.
Make it so that the machine gets isolated in quarantine on your internal network if it's more than a long weekend out of date on updates. 
I'd suggest a trade-off between this aggressive updating - transparent to the user as long as they do not sabotage it - vs a daily scan of the entire drive - which is far from transparent.
Also focus on those not getting updated on time: figure out why and how to fix it.
There's no point in paying for AV updates if you do not use them. Any self-respecting attacker checks their handiwork against something like VirusTotal, so being behind even a little bit makes the AV useless.
Sure, you might someday trip over a bad AV update. So what? It's easy to know what it did wrong and recover from it? "Easy to know what it did" is absolutely untrue for any modern malware. Those that still think that need a reality check. The only recovery from malware that works is "nuke from high orbit"; all the rest does not yield reliable machines.
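The thread never settles on a single number, so the useful thing to have is a way to measure a fleet against each of the definitions above: Mark's hourly and daily thresholds, Ray's two shops (under 0.5% of systems more than a day behind, versus 90% within five days), and Swa's rule that anything more than a long weekend behind gets quarantined. The script below is an added example, not code from the diary or from any AV product; the inventory is constructed, and the four-day "long weekend" threshold is an assumption.

```python
from datetime import datetime, timedelta
# Constructed sample inventory: host -> last successful signature update (UTC),
# as an AV console or CMDB export would report it. Not data from the diary.
NOW = datetime(2013, 4, 26, 12, 0)
INVENTORY = {
    "ws-001": NOW - timedelta(minutes=20),
    "ws-002": NOW - timedelta(minutes=50),
    "ws-003": NOW - timedelta(hours=3),
    "ws-004": NOW - timedelta(hours=16),
    "ws-005": NOW - timedelta(hours=23),
    "ws-006": NOW - timedelta(hours=30),          # more than a day behind
    "ws-007": NOW - timedelta(days=2, hours=3),
    "ws-008": NOW - timedelta(days=3, hours=12),
    "ws-009": NOW - timedelta(days=4, hours=6),   # older than a long weekend
    "ws-010": None,                               # never reported an update
}

# Policies from the thread: maximum signature age and the fraction of hosts
# that must meet it. Thresholds are illustrative, not any vendor's defaults.
POLICIES = {
    "hourly (Mark, Swa)":           (timedelta(hours=1), 1.00),
    "daily (QSA minimum)":          (timedelta(days=1),  1.00),
    "Ray, old shop: <0.5% > 1 day": (timedelta(days=1),  0.995),
    "Ray, new shop: 90% in 5 days": (timedelta(days=5),  0.90),
}
LONG_WEEKEND = timedelta(days=4)  # Swa's quarantine threshold (assumed 4 days)

def signature_age(last_update, now):
    """Age of a host's signatures; a host that never reported counts as infinitely old."""
    return timedelta.max if last_update is None else now - last_update

def stale_hosts(inventory, now, max_age):
    """Hosts whose signatures are older than max_age: the ones to investigate."""
    return sorted(h for h, t in inventory.items() if signature_age(t, now) > max_age)

def compliance(inventory, now, max_age):
    """Fraction of hosts whose signatures are no older than max_age."""
    return (len(inventory) - len(stale_hosts(inventory, now, max_age))) / len(inventory)

def evaluate(inventory, now, policies=POLICIES):
    """Per policy: (measured fraction, required fraction, pass/fail)."""
    results = {}
    for name, (max_age, required) in policies.items():
        measured = compliance(inventory, now, max_age)
        results[name] = (measured, required, measured >= required)
    return results

if __name__ == "__main__":
    for name, (measured, required, ok) in evaluate(INVENTORY, NOW).items():
        print(f"{name:30s} {measured:5.0%} compliant, need {required:.1%}: {'PASS' if ok else 'FAIL'}")
    print("quarantine:", stale_hosts(INVENTORY, NOW, LONG_WEEKEND))
```

On this sample the "90% within 5 days" policy passes while half the fleet is more than a day behind, which is exactly the gap Ray describes; the hosts that fail the daily check are the list Swa says to chase down.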
 
Russ' 2 cents:
 
I'll follow up on Swa's point. There is no "recovery" from malware in my world. There is no running a tool to "clean up" after an infection. Nuke from space is the only solution or the machine(s) remain entirely suspect.
So have a plan for reimaging systems conveniently and efficiently, store data on separate drives or partitions, and practice safe backup. Because when you pop a valid AV alert in my shop? BOOM...
 

Photo courtesy of nukeitfromorbit.com 

Great discussion, Ray and handlers. Thanks for letting us share.

Russ McRee | @holisticinfosec

Keywords: anti virus