The changing face of antivirus

Perhaps the turning point for antivirus was in 2014, when a Symantec executive declared that antivirus was dead. The statement was in reference to the traditional antivirus approach of comparing software against a database of known viruses.

The “traditional” approach misses new viruses that have not yet made it into the database, and is ineffective against exploits that directly attack computer memory without deploying malicious software onto the compromised computer.

The challenges with “traditional” antivirus were well known in 2014 and various companies had developed solutions. Companies like Hitman Pro with protection against in-memory exploits (acquired by Sophos in 2015), SentenielOne with the ability to rollback encrypted files from crypto viruses, and Malwarebytes with virus cleanup tools.

Now, four years since the “antivirus is dead” statement, we have significant improvements in the capabilities of “modern” antivirus solutions.

If you are planning a Windows migration project it may be the perfect time revisit your antivirus technology.

In this post I’ll highlight the key advancements to consider.

Heuristic techniques

Heuristic techniques look for traits in software to determine if it has malicious intent. This can be done before both before execution (static analysis) and after execution (dynamic analysis).

When used successfully, the technique catches malicious software that has never been seen before, something signature based techniques cannot do.

The technology boosting this approach is machine learning. In terms of antivirus we are talking about supervised machine learning. The idea is you can train a computer model to recognise good and bad software by feeding it examples of each. Then when you give it an unknown piece of software, it will make a decision if the software is likely good or bad.

A virus can easily be modified to change its “signature” and thus avoid traditional signature based protection techniques. It is much harder to change how malicious software works and avoid effective heuristic models. As such, the idea is that heuristic techniques will be more effective with new viruses.

In the case of in-memory, or fileless, exploits, heuristics provide an approach for observing the behaviour of activity on a computer to identify malicious behaviour. In this situation, there is no malicious software to examine, as such signature based techniques are irrelevant. Machine learning techniques are also being used for in-memory (fileless) exploit identification.

Cleanup tools

In traditional antivirus products, if you got an infection you were on your own.

It was not uncommon for corporate IT departments to rebuild infected machines.

Then tools from companies such as Malwarebytes started to provide effective solutions for removing and cleaning up a virus infection.

These cleanup tools are now becoming available in antivirus solutions.

Contain

Every administrator knows the pain of an infected computer that is pumping out malicious traffic and can’t be contained.

This happens when a computer is on the network, but both local support and users cant identify it, and unattended remote access isn’t available (fast forward to calls to the network team and shutting down network ports).

Antivirus solutions now include solutions to remotely isolate an endpoint, while keeping a management port connectivity to the AV admin console. If need be, the machine can be shutdown.

Recovery tools

With traditional antivirus approaches, if you were unluckly enough to be hit a crypto virus, often your only option was to recover from backup. Perhaps not a huge deal, however the restore process takes valuable user and support staff time.

There are now antivirus products that include the ability to stop and then rollback encrypted files from crypto virus attacks. The solutions leverage Windows Volume Shadow Copy Service (VSS), together with their own index file, to allow just the files encrypted by a malicious service to be restored. The result is effective containment and recovery from crypto virus attacks saving significant business disruptions.

Forensic tools

After an infection, traditional antivirus approaches rarely provide information on how the breach occurred. Was the infection delivered via email, Internet, USB drive, or over the network? What preventative actions should you apply? Today there are solutions that provide a detailed timeline of an infection. This provides valuable intelligence on preventing a reoccurrence.

Fileless malware protection

Threats have become more sophisticated with exploits that do not leave a file on the infected machine. Remote exploits that inject processes directly into memory of a target machine receive no protection from traditional antivirus looking for a file to scan. As mentioned in the machine learning section, modern antivirus solutions include capacity to detect malicious actions derived from fileless malware.

So how to do you choose a product?

My advice on how to choose a product:

  • Cyber security strategy. Have a cyber security strategy so that you know your threats and risks, and thus build a defence in depth based strategy based on a recognised framework such as from NIST. In the context of this strategy you can define your antivirus requirement within available end point protection platforms. For example, perhaps you need disk encryption, or application whitelisting, or host intrusion protection, or Internet URL blocking, and perhaps you only need protection functions and prefer to outsource detection and response functions.
  • Understand the administrative requirements. Understand the process and operational impact to deploy and operate the solution. Avoid buying solutions with features that you do not have the time or skill to use.
  • Supported systems. Make sure your inventory of hardware and software systems are supported. Support gaps on virtual desktops, Macs, Linux, and old Windows operating systems are not uncommon.
  • Understand the solution maturity. There are pros and cons of emerging products and of established products. Make sure you understand the pros and cons and how these fit with your organisation and IT security strategy.
  • Independent review. Independent malware testing labs provide evaluations that are impossible for non specialists to complete. That said, independent reviews have been relatively controversial recently in the antivirus market. The reviews are useful if you understand the scope of the tests, and how the scope aligns to your requirements. For example, some reviews ignore recovery features in antivirus solutions.
  • Pilot. All vendors offer trials of some sort. Take advantage of a trial, but make sure you use you real representative systems in the trial, rather than isolated clean testing machines. You want to find out if the vendors solution behaves nicely with your unique combination of users, computers and software.

 

Leave a Reply