NEWS FROM THE LAB - Thursday, January 10, 2013

On the Topic of AV Being Useless Posted by SecResponse @ 13:31 GMT

I have lately been following and participating in discussions as to whether or not antivirus products are useless and just waste of money. And as I am employed by F-Secure, my position on the matter may be rather obvious. But rather than going on with the same tired argument, I would like to shine some attention to some common patterns and misconceptions that repeat themselves in almost all discussions.

Pattern 1: Someone tries to use VirusTotal scan results as an argument.

VirusTotal is a very useful system for getting initial information about some particular sample but it does not give reliable indication about performance of various antivirus products. The folks at VirusTotal themselves know this, and they do not like their system being abused in bad research. In fact, VT has declared this for years already in their section about page. See the section called — BAD IDEA: VirusTotal for antivirus/URL scanner testing.

From VT: "At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being…" (Emphasis mine.)

The reason for this is threefold. Firstly the engines that AV vendors provide to VT are not exactly the same configuration as are in the real-world product and do not receive the same care and attention as real products do, if a sample is missing in VT�s results we do not care as much as we do for our paying customers.

Secondly no organization in its right mind would provide its most advanced technology into a comparative system where attackers can test their new creations at leisure, and try until they are able to circumvent enough scanners to their liking.

Thirdly VirusTotal does not try to execute the files with actual products being installed. This means that any run-time heuristics, behavioral monitoring, and memory scanning are out of the game. And thus the detection results are meager when compared to full products. But it is understandable why VT does not execute files, executing everything on every engine would require massive resources, and many samples would still fail due to missing components that would be present in a real infection case.

Pattern 2: Testers scan files locally that they have downloaded and unpacked (from password protected archives) from some collection and complain if some malware file is not detected.

Even when using the real product to scan such collections or forensic result files, you are still not really using the product as it is intended, scanning is only the third to last line of defense.
The antivirus industry realized years ago that there is no way it can give sufficient protection just by scanning files.
We switched our focus into trying to prevent hostile content from ever reaching the target rather than trying to detect it when it is already running in the system.

The typical antivirus product, or should I say security suite, contains multiple layers of defense of which file scanning is only small part.
What is being used varies from product to product. But the typical product has at least these layers.

1. URL/Web access filtering.

This is done to prevent users from ever coming into contact with hostile attack sites.

2. HTTP, et cetera protocol scanning.

To catch the hostile content before it reaches Web browser or other client.

3. Exploit detection.

To block the exploit before it is able to take over the client. And if the exploit is not detected as such, many products also contain measures to prevent exploits from successfully running.

4. Network ("cloud") reputation queries.

To query file or file pattern reputation from back end servers. This is the part that many people have argued should replace traditional antivirus. But actually we are already doing that as one tool in our arsenal. So it didn�t replace, but rather, enhanced existing AV.

5. Sandboxing and file based heuristics.

To catch new exploits / payloads dropped before they have a chance to execute.

6. Traditional file scanning.

This is the part many folks think of when they speak of "antivirus". Protection-wise it provides probably 15-20% of cover.

7. Memory scanning.

This detects malware that never lands to disk, or circumvents packers that we cannot handle with sandboxes or static unpacking.

8. Runtime heuristics and memory scanning.

Currently the last line of defense, to catch files that behave in a suspicious or malicious manner.

My apologies for not going into details with the various technologies, but it would make this post too long explain in detail why every layer is needed and how they work. But anyway, the point is that the fact that some threat is not detected by a scanner doesn�t mean that it wouldn�t be blocked in the case of a real attack.

Real working security is based on multiple layers of protection. And what is greatly amusing to us is that people who claim that AV is useless usually recommend some technology listed above e as a new solution. And well, we�re already doing that, but since whatever they recommended is not a complete solution, we also do need the other layers.

Pattern 3: Blacklisting is stupid. People should do white listing.

If white listing was a feasible option, do you really think we wouldn�t be utilizing it already?
Or actually, we do white listing, but only for performance improvements and false alarm avoidance.

The problem with white listing is that it deals only with executable files, and thus does not prevent the system from being infected in the first place, and if the attack resides only in memory the white list has nothing to check against.
Also, white listing does not work against exploit documents or websites, since you cannot build a white list of every clean document or website content.

Pattern 4: Antivirus should be in the net, not on the desktop.

It would be very nice to be able to offload all security onto a server somewhere and never to worry about AV hogging resources. But unfortunately this is not feasible due to the fact that computers are mobile.

With a static desktop that is never ever connected to anything else other than an office network, one could theoretically be able to do all security at the network level. But in reality most computers are laptops, which are connected from one network to another all the time and the only thing that stays constant is what is installed on the device.

Also, pure network based AV provides no protection against USB and other media based malware.

One could of course use pure "cloud" AV that is very light on the client, but that would only give you less protection as you would drop some of the protection technologies, so you end up with less capable product compared to full set.

Pattern 5: But I have this massive amount of data from our servers and we see malware gets though.

The reason for this is twofold.

First, what is seen is a portion of attacks that get through, we do not (or should not) claim to give 100% protection; we are only able to stop most of the attacks. On how well each respective product is, you can see from tests which use the actual product. Nobody gets 100% protection right all the time. Thus there will always be some attacks that get through.

Secondly a lot of corporations hamstring their AV product by preventing the network queries back to the AV�s servers, which means the AV product has to work only with local heuristics and scan engines. And this means the company is giving up layers 1 and 4 of the total defense set and is thus getting much less protection than it would if it allow all technologies to be used.

Pattern 6: AVs misses 98-100% of the malware I see.

Well, saying that AV misses 100% of the malware it misses is kind of self explanatory.

What you see is the portion that was able to get past the defenses of whatever product you or your client is using.

And we would very much appreciate if you would contact us and tell us everything you know about the attack. The malicious file alone does not give a complete enough picture for us to further develop our file scanning and behavioral heuristics.

Pattern 7: AV is useless against APT attacks.

Advanced persistent attacks are very difficult to block, and so far nobody has complete answer to them, and never will as attackers will adapt to whatever defenses you have. AV is one important layer against advanced attacks, but is not alone enough.

But then again, without AV you would have to worry about advanced attacks and all the rest that you currently are being protected from. So how does it help to advocate to not to use AV and increase your attack surface even further?

Beware people who tell you that your defenses are not perfect and thus you should get rid of them.