Security Basics -- Malware Protection

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here.

When most people think of technical controls for information security, the first one they tend to think of is antivirus software. After it was first widely commercialized in the late 1980s, antivirus software became known as the thing you needed in order to deal with the security of your computer. And by the mid-90s, when connecting, communicating, and downloading over the Internet became more and more the reason for using a computer, antivirus software came to be seen as an essential accessory to modern computing life.

The traditional approach of antivirus software is to check files against a set of “signatures” of known virus (or, more broadly, malicious software or malware) files, in order to delete or quarantine dangerous files found stored on the computer. This technique has been refined and enhanced, particularly by the use of heuristic signatures, but it is still the fundamental way that most anti-malware software works: files on the system (or traversing the network) are checked against signatures of known malware, and files that match are presumed to be malware.

This approach has limits and problems that are fairly obvious. The general idea, sometimes known as “finding known bad,” requires that a specific piece of malicious code be identified and analyzed before further instances of that same code can be found. As the number of distinct known malware samples grew exponentially through the 2000s, detecting new malicious files using signatures of individual files became more and more impractical. First, the sheer number of signatures becomes a problem: comparing every new file against an ever-growing list eventually takes too much time and too many computing resources. More importantly, variants within malware “families” were being generated so quickly that file-specific signatures could not be created and distributed fast enough to protect against the latest ones.

Heuristic detection has allowed antivirus software to keep up with these limitations, at least somewhat. Heuristic detection seeks to identify malicious files based on their similarity to known malware, using rules and various forms of fuzzy matching. Heuristic signatures are written to match not just a single file but also other files that share the characteristics that make the original “bad” (for example, a distinctive byte sequence or structure, rather than the exact hash of the whole file). Such signatures will often match new variations of known malware, depending on the type and extent of the variation; however, they still fail to catch many variations, and the more general a rule is made, the greater the risk that it also matches legitimate files.
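To make the difference between the two detection styles concrete, here is a toy scanner, added to this post as an illustration rather than taken from any real product, that applies both an exact "known bad" SHA-256 signature and a heuristic byte-pattern rule with a wildcard. The sample "malware" is the EICAR test string, which is inert by design; the rule names, the variants and the result format are inventions for this example.

```python
import hashlib
import re


def eicar_test_string() -> bytes:
    """Return the 68-byte EICAR test string, assembled at runtime so that this
    source file is not itself flagged by an on-access scanner. It is harmless."""
    head = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    tail = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return head + tail


# "Known bad" signature database: one exact file hash per known sample.
# (Example data: hash of the EICAR test string.)
HASH_SIGNATURES = {
    hashlib.sha256(eicar_test_string()).hexdigest(): "EICAR-Test-File",
}

# Heuristic rules: byte patterns written against what makes the family
# recognizable, not the exact bytes of one sample.  The `.{0,4}` wildcard
# tolerates a few inserted bytes between the marker and the trailer.
# (Example rule name and pattern.)
HEURISTIC_RULES = {
    "EICAR-Test-File.generic": re.compile(
        rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!.{0,4}\$H\+H\*", re.DOTALL
    ),
}


def scan(data: bytes) -> dict:
    """Scan one file's contents; report which detection method fired, if any."""
    result = {"hash_match": None, "heuristic_match": None}
    digest = hashlib.sha256(data).hexdigest()
    result["hash_match"] = HASH_SIGNATURES.get(digest)
    for name, pattern in HEURISTIC_RULES.items():
        if pattern.search(data):
            result["heuristic_match"] = name
            break
    return result


def demo() -> dict:
    """Scan the original sample and two constructed variants of it."""
    original = eicar_test_string()
    # Variant 1: two bytes inserted before the trailer.  The file hash changes,
    # so the exact signature misses, but the heuristic rule still matches.
    inserted = original.replace(b"!$H+H*", b"!xx$H+H*")
    # Variant 2: the marker's case is changed.  Neither the hash nor the
    # (case-sensitive) pattern matches any more: a new rule would be needed.
    case_changed = original.replace(b"EICAR-STANDARD", b"eicar-standard")
    return {
        "original": scan(original),
        "inserted": scan(inserted),
        "case_changed": scan(case_changed),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13s} {outcome}")
```

The second variant shows the trade-off in the paragraph above: adding `re.IGNORECASE` to the rule would catch it, but every such widening also widens what legitimate files the rule could match.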

Despite these limitations, antivirus software is still widely considered a basic security requirement. The use of antivirus software, or “host-based malware detection and prevention” software, is required by many security compliance guidelines. And even with its limitations, most antivirus software will still detect and head off many threats to your systems. Most organizations will, and should, continue to deploy antivirus software. There are many considerations to keep in mind to make sure that you get the most out of your antivirus solution.

You want to be sure that:
  • Users cannot disable the software or modify the configuration. If users disable your AV software, it’s not doing its job.

  • Signatures are updating frequently. These days that means at least twice daily. Also be sure that the AV client software itself is being updated as appropriate; client updates are less frequent than signature updates, but they are not rare, and vendors fix bugs, including security bugs, in the client itself.

  • Detections are being reported centrally. You should be following up on malware detections, not just trusting the software to take care of everything. If you are not getting alerts from time to time, how do you know alerting is working? If you are not sure, use the EICAR test file, a harmless file that antivirus products are designed to detect, to trigger an alert: http://www.eicar.org/86-0-Intended-use.html It is good to run such a test monthly and unannounced, and confirm that the helpdesk or whoever else should receive alerts actually receives one and does something about it.

  • You can run a report on what hosts are running the software, if any have failed or been disabled, and if updates are functioning. A good business-class antivirus solution enables you to manage the software all the time, not just install it and forget about it.

  • Additional features are appropriate, are configured properly, and don't conflict with other security products in use. Many "antivirus" products today incorporate host-based intrusion prevention, firewalls, and other functionality. This can be a good thing, but if your antivirus product's firewall conflicts with another firewall (such as the built-in Windows firewall), you can be in for a lot of frustration and troubleshooting.
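Putting the alerting test from the list into practice: the following Python script, added here and not part of the original post, drops a correctly formed EICAR test file, waits, and records what happened locally, so that the result can be reconciled with what the central console and the helpdesk saw. The file name, the wait time and the fields of the returned record are choices made for this example.

```python
import hashlib
import os
import tempfile
import time


def eicar_test_string() -> bytes:
    """The 68-byte EICAR test string, assembled at runtime so that this script
    is not itself quarantined.  The file is inert; it exists only to be detected."""
    return b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_sha256() -> str:
    """Hash the console should report for the dropped file."""
    return hashlib.sha256(eicar_test_string()).hexdigest()


def run_eicar_drill(directory=None, wait_seconds: float = 30.0, poll: float = 1.0) -> dict:
    """Drop the EICAR test file where the AV agent should see it and watch it.

    Per the EICAR specification the file must begin with the test string and be
    at most 128 bytes, so the payload is written exactly as-is.  Outcomes:
      write_blocked  - on-access scanning refused the write
      removed        - the file disappeared (quarantined or deleted) within the wait
      still_present  - nothing touched it: no on-access scanning, or a broken agent
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_drill.com")  # example file name
    payload = eicar_test_string()
    record = {
        "path": path,
        "sha256": eicar_sha256(),
        "dropped_at": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "outcome": None,
    }
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
    except OSError as exc:
        record["outcome"] = "write_blocked"
        record["error"] = str(exc)
        return record

    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            record["outcome"] = "removed"
            return record
        time.sleep(poll)

    record["outcome"] = "still_present"
    try:
        os.remove(path)  # clean up so a later on-demand scan does not re-alert
    except OSError:
        pass  # the agent may have got to it between the check and the remove
    return record


if __name__ == "__main__":
    print(run_eicar_drill())
```

Whatever the local outcome, the drill is only passed when the detection with this hash also appears in the central console and someone acts on the alert: a file that is quarantined on the host but never reported centrally is the exact failure the monthly test is meant to find.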

In picking a product, AV-TEST is a good source of independent comparative test results for antivirus software: https://www.av-test.org/en/

Over the past several years, some vendors have introduced alternatives to traditional antivirus software. These products have the same basic purpose, to sit on the host and detect, prevent, and/or remediate malware infections, but they perform their detection via techniques that are very different from signature matching (for example, judging what a program does when it runs rather than what its file looks like). Netflix’s recent announcement that they were dropping antivirus in favor of such a solution gained a lot of attention. We will be writing more about the principles behind some of these solutions in an upcoming post.
