For some time I have felt that the current anti-virus approach is unsustainable and less secure than we think. But recent news events have really driven home the issues. (I personally think anti-virus is dead…yep, dead.)

Some points to ponder:

It’s less secure than we think because of the “zero-day” problem that nobody really likes to talk about – under a signature-based approach I can only detect what is in the signature file. An antivirus vendor has to “capture” a virus to create a signature – and then distribute the updated signature to me before I am actually protected. So we think that because we run AV software we are protected – we aren’t. Much like there is a gap between when a new human virus emerges (H1N1) and a vaccine is produced (months later), we are only protected from the viruses the AV vendor knows about and has had the time to update and distribute the “vaccine” (signature file) for. The much publicized Google China hack was a zero-day exploit.

This approach works, sort of, when there are 40 new viruses released per day, or 400. What about when there are 4 billion released per day? Clearly this process can be overwhelmed, right? There is already clear evidence that virus writers know this weakness and are trying to exploit it.

“Beginning in June 2009, Google charted a massive increase in the number of unique fake antivirus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate antivirus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent.” [1]

The other news item of course was the McAfee fiasco (and this has happened to others in the past). If you haven’t heard the story, McAfee recently distributed a bad/corrupted signature file. [2] This falsely identified the SVCHOST.EXE Windows file as a virus, effectively killing the PC. Among those affected were US police forces and Intel. If you stop and think about it, running AV software on your computer creates another attack vector – if I can get in the middle and send your computer an “engineered” signature file I can kill anything on it, including the OS.

So what’s the solution?

Whitelisting and its variations (signed code + whitelisted vendors, etc.). Think about the positives from a security standpoint:

  • Impervious to the zero-day problem. Only whitelisted code can run. Period.
  • No signature file to update every day. I only have to update the whitelist when I add or change software on the machine.
  • Less/no performance degradation. Instead of scanning every file all the time against thousands or millions of AV signatures, I just check the file hash (which is basically instantaneous).
  • Built into the Windows 7 OS – something Microsoft never did with anti-virus.

Yes, I realize that managing the whitelist is more work (probably).  But there is real value in the extra effort in terms of additional security.
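To make the contrast between the two models concrete, here is a small added example (my own illustration, not code from any AV or whitelisting product). It runs a blacklist-style signature scan and a hash-based whitelist side by side over a handful of constructed "executables" (just byte strings, not real binaries). The signature database, the `EVIL_MARKER_0001` pattern, the file names and the `zero_day.exe` sample are all made up for the demonstration. The point it shows: the never-seen-before sample slips past the signature scan but is denied by the whitelist, and a tampered copy of an approved program is denied as well, because its hash no longer matches. It also shows the management side mentioned above: approving a program is one `enroll` call, and nothing needs a daily update.

```python
import hashlib

# Constructed sample "executables" for the example: name -> file contents.
# None of these are real programs; the bytes just stand in for binaries.
SAMPLE_FILES = {
    "notepad.exe":    b"MZ\x90\x00 notepad stub (constructed)",
    "calc.exe":       b"MZ\x90\x00 calc stub (constructed)",
    "known_worm.exe": b"MZ\x90\x00 EVIL_MARKER_0001 payload (constructed)",
    "zero_day.exe":   b"MZ\x90\x00 never-seen-before dropper (constructed)",
}

# Signature database in the blacklist model: byte patterns the vendor extracted
# from samples it has already captured. By definition the zero-day is not here.
SIGNATURES = {"Worm.Example.A": b"EVIL_MARKER_0001"}


def sha256_hex(data: bytes) -> str:
    """Hash of the file contents; this is the only thing the whitelist stores."""
    return hashlib.sha256(data).hexdigest()


def signature_scan(data: bytes, signatures=SIGNATURES):
    """Blacklist model: report the first known pattern found, else None.
    None means 'clean as far as the signature file knows', not 'safe'."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def enroll(whitelist: set, data: bytes) -> str:
    """Admin step in the allowlist model: approve a binary by recording its hash.
    This is the only 'update' the whitelist ever needs."""
    digest = sha256_hex(data)
    whitelist.add(digest)
    return digest


def whitelist_allows(data: bytes, whitelist: set) -> bool:
    """Allowlist model: run only if this exact hash was approved. Anything else,
    including unknown files and modified copies of approved ones, is denied."""
    return sha256_hex(data) in whitelist


def verdicts(files: dict, signatures: dict, whitelist: set) -> dict:
    """Evaluate every file under both models and return the two verdicts per file."""
    out = {}
    for name, data in files.items():
        av = "blocked" if signature_scan(data, signatures) else "allowed"
        wl = "allowed" if whitelist_allows(data, whitelist) else "blocked"
        out[name] = {"signature_av": av, "whitelist": wl}
    return out


def demo() -> dict:
    """Approve the two trusted programs, then check all samples plus a tampered copy."""
    whitelist = set()
    for trusted in ("notepad.exe", "calc.exe"):
        enroll(whitelist, SAMPLE_FILES[trusted])

    results = verdicts(SAMPLE_FILES, SIGNATURES, whitelist)

    # A patched copy of an approved program: the signature scan still sees nothing
    # to match, but the hash changed, so the whitelist denies it.
    patched = SAMPLE_FILES["notepad.exe"] + b"\x00 injected code (constructed)"
    results["notepad.exe (patched)"] = verdicts(
        {"notepad.exe (patched)": patched}, SIGNATURES, whitelist
    )["notepad.exe (patched)"]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} signature AV: {verdict['signature_av']:8s} "
              f"whitelist: {verdict['whitelist']}")
```

Running it prints one line per sample; `zero_day.exe` comes out as "allowed" under the signature scan and "blocked" under the whitelist, which is the whole argument of this post in four lines of output. A real deployment would of course store signed or vendor-published hashes rather than hashing whatever happens to be on disk at enrolment time, and would protect the whitelist itself from modification, since it is now the thing an attacker would want to edit.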

 - The Wandering CIO

Sources:
