Musing: Can’t Call it Anti-Virus Anymore…

Last week’s article in the New York Times highlights an issue most IT and ICS professionals have known for a while: Anti-Virus sucks. Anti-Virus rarely works against new threats, its detection mechanisms can be easily fooled, and as this paper by Feng Xue from Blackhat 2008 illustrates, Anti-Virus programs can even be used as virus transmission vectors.

The concept of ‘Anti-Virus’, a tool that systematically prevents, detects, and eradicates all computer-based viruses, is no longer valid. What we have instead is a reasonable risk reduction against known threats, and the capability to respond to new threats in a manageable, standard, and timely manner.

So what should an Anti-Virus company focus on now as their key deliverable to customers?

There are going to be a lot of answers to that question. I’m starting down the track that Anti-Virus companies should think more about incident response than about ineffective signatures. How quickly can they respond when there is suspicious activity on a network? How swiftly can they analyze the threat and come up with an effective response?

I’m not saying replace anti-virus. On the contrary, AV has a good place in security simply because it is automated protection against well-known conditions. Without it, the security folks would be swamped in ordinary mass-market virus infections, and might miss important signals of a more advanced compromise.

The combination of imperfect prevention and effective response is the route that electricity providers have taken in power operations. For instance, transmission protection is handled by protective relays that watch for electrical conditions that are known or predicted to cause failure. But transmission engineers also have a contingent of smart people, capable of analyzing electrical conditions and responding to unforeseen electrical events.

Maybe this is the future of AV, maybe it isn’t. But I find it fun to think about on stressful afternoons before S4.

2 comments to Musing: Can’t Call it Anti-Virus Anymore…

  • I think a discussion of AV should include the following:

    - how often did we tell others not to use default allow? Well, that’s basically what AV is

    - operational cost for using AV on the plant floor must factor in memory consumption and CPU use (on typical plant floor systems, AV is by far the most exhaustive application) and unpredictable runtime behavior

    - deploying signature updates can lead to new security problems, up to plant floor systems being connected to the Internet for the sole purpose of pulling them. Who knows, maybe some Shodan targets can be explained simply by this ‘worst practice’.

    Final thought: Before we go about discussing whether to replace AV or not, a good starting point would be to determine who is actually using it properly.

  • Magnus

    I see the problems with IDS and IPS too. For example, how do you properly detect use of the new zero-day Java exploit or a Poison Ivy variant with an IDS today? You don’t. You would need a combination of an IDS, an AV system and a sandbox environment. You would need to carve out any files in the traffic with the IDS, scan those with the AV and run them in the sandbox to find out if they are malicious. And even then you can’t be sure; the malware may behave differently if it detects it is being run in a VM environment or in debug mode. And an IDS/AV/Sandbox solution is a very complex solution to rather simple attack methods. It’s 30 lines of code vs. 1.000.000 or more lines.