AV Software Isn't Dead, But It's Not Healthy

dasButcher writes "Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no, but more is needed. Her answer: reputational analysis. Not a bad idea, but many have tried and failed to make this type of approach work. We've seen it all before: RBLs, integrity grading, etc. What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation. "

AV Software Isn't Dead...

...it's just pining for the fjords.

Re:AV Software Isn't Dead...

[Archangel+Michael]

Whoo-hoo-hoo, look who knows so much. It just so happens that your friend here is only MOSTLY dead.

Re:AV Software Isn't Dead...

[phoenixwade]

...it's just pining for the fjords. it's not pinin'! it's passed on! This software is no more! It has ceased to be! it's expired and gone to meet 'is maker! it's a stiff! Bereft of life, it rests in peace! If you hadn't nailed it to the perch it'd be pushing up the daisies! its metabolic processes are now history! it's off the twig! it's kicked the bucket, it's shuffled off its mortal coil, run down the curtain and joined the bleedin' choir invisibile!! THIS IS AN EX-SOFTWARE PRODUCT!!

(I love the opportunity to make a Monty Python Reference! Second only to South Park.... oh, yeah:)

They killed AV Software...... You Bastards!

The fewer the merrier

[Reverse+Gear]

I sure am not a big security expert, so forgive my n00bish words here.

I don't remember where, but at some point I read somebody, probably a sys-admin, saying that if you really want security then what you need to do is disable all the things you do not need. Not by default to allow everything and then pick the things you do not want, but go the other way around and make the default to not allow anything and then enable the things you need.
I guess this is one of the reasons I like Gentoo so much, I know everything that is installed on the system and I can remove it if I don't like it.
I don't like to install all kinds of things that I do not know what is and do not know if I can trust. The more things I have installed the more vulnerabilities I also have.

One of my friends once ran a version of Windows XP that he had pretty much scraped everything of that didn't need to be there, I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs, some of them seem to be causing more problems than they solve anyhow.

Re:The fewer the merrier

[truthsearch]

At the last place I worked, the IT department had their own XP distribution for the corporate desktops (ghost script or whatever). They started the process by deleting one DLL at a time and watching what broke. The problem was when my team created some new custom software we'd sometimes come across some fundametal problems because DLLs were missing. And these errors weren't always easy to track down.

Now you might say we'd run into this problem with any operating system. But when using Microsoft development tools on a Microsoft OS, the system makes the assumption that every basic dependancy which is built into the OS is there, which is reasonable. If it isn't things get flaky and hard to debug.

Windows (at least up to XP) simply isn't built for this level of customization. Therefore, if you want security through minimalism, Linux is the better way to go.

Re:The fewer the merrier

[danpsmith]

One of my friends once ran a version of Windows XP that he had pretty much scraped everything of that didn't need to be there, I think he was a lot more secure than he would have been had he filled his computer with all kinds of AV and anti-malware programs, some of them seem to be causing more problems than they solve anyhow.

I think you are right in this thinking. Windows XP's services that are enabled by default are ludicrous. That's one of the main security problems with XP. What I don't understand is why someone doesn't just allow the computer to start with absolutely no services enabled, and then gradually ramp up to what the computer actually needs, turning services on only as they are needed.

For instance, shutting down a service might make a certain set of USB gadgets might not work. But when you plug the USB device in, Windows itself (or the OS itself) could recognize that the service is needed for the device to function and automatically enable the service. Depending upon how much this costs it could automatically disable the service again if it isn't being utilized by anything else.

Maybe I'm being naive, but that doesn't seem like too much to ask. On really strange services you could prompt for password information in order to ramp up the ability to use them or something. Makes sense to me.

It seems to me that windows has everything enabled by default to be user friendly. But couldn't you do the same thing using this method? Instead of having a bunch of running services running at idle constantly, turn em on when you need em.

Re:The fewer the merrier

[stratjakt]

Gentoo just crapped its pants on me in the middle of an "emerge -uD world", and now the box is borked. Won't boot, not even in single user mode. Reinstallation is a multi-day affair. Fuck that. At least you can flatten and rebuild a windows box in an afternoon.

But boy is it secure, it cant even spawn a tty.

Re:The fewer the merrier

[Intron]

Deleting DLLs is not the right way to "minimize the system". What you want to do is turn off unneeded services, not blow holes in your OS. Linux would fail just as badly if to turn off services you started deleting the contents of /usr/lib instead of disabling daemons in /etc/init.d.

Re:The fewer the merrier

[Tanktalus]

Er...? You've disabled IIS. The OS detects an incoming request on port 80. It enables IIS. Attacker leaves behind malware. IIS goes back down.

Other than that, I like your idea. If, for example, when it detected a service was needed, it popped up a nice dialog box saying something like, "Windows has detected an incoming request on port 80. is currently disabled. Enable? [ ] Don't ask this again. [Yes] [No]". And then, here's an important bit, if no response is detected within 30 seconds, assume "No", and continue. And log this in the system log. Maybe even email it to the user so they see it. (The email wouldn't happen for requests that were marked "Don't ask this again".)

I'm pretty sure a similar concept on Linux could apply - even if there's no user interface, just logging what comes in. In fact, I suspect some people have already set up iptables or ipchains or whatever to do exactly that: log all "intrusion" attempts. With a bit of work, I'm sure that some ports could be emailed (say, by default), with some trivial manner of masking ports (analogous to the "Don't ask this again" from above) to not receive notices about that port anymore. Possibly with netmasks - email me if someone comes in on 443 from 192.168.0.0/255.255.255.0, but not anyone else (ignore https requests from the internet completely).

In fact, I'm pretty sure someone has something like this already ... probably on sourceforge by now ;-)

Re:The fewer the merrier

[laffer1]

At first, this sounded like a good idea. Consider though that the OS still needs to have code to detect what the USB device is. So windows must see hey i've got a USB mouse or whatever and then load the service for it. That means the service is started later after scripts have time to bork the environment, and many services common on desktops will get triggered eventually anyway. So an attacker or rather his script may have to wait some time to get his malware executed but it will still occur. Since the service is not started early in the boot process, the environment could be tainted as well.

There is a balance between good security and flat out disabling valuable functionality. This balance is why Microsoft made Windows so open to begin with. They didn't see any threat and wanted users to be able to do whatever they wanted. (minus view the source code and customize at that level)

One problem with open source is that we don't have everything users want yet. A typical end user wants to be able to surf, edit photos, read email, IM, listen to music, watch DVDs and run office productivity software. Then you start getting to specialized groups like people who use financial software, play games, develop software, engineering apps, math apps, etc. At the same time, these users expect usb devices, sound cards, tv tuners, printers, and any other thing they plug-in to just work. Some linux distros have this down, but there is no consistency in applications. Many projects actually have to put up translation lists telling the user what the browser, im client and things are called. IE = firefox, MSN = gaim and so on. When you start disabling services, things start to break or become more difficult for the user. It doesn't mean everything should be on (who needs an echo server running).

So your idea may work for a subset of services or kernel modules, but we need other approaches to secure many services. Lets face it the approach may not be right, but trend micro is correct in assuming they need some new tricks. Vista is slightly more secure than previous versions of windows and as such malware authors are going to step up to the new challenge. So detection software must also improve. Its like the transition from telnet to ssh. For awhile, I felt *safe* using ssh because there were so many other targets on a clear channel to attack. As more people migrate to vista, or better systems the type of attacks will change.

Your idea requires validation that loading a service is really necessary and safe.

Can I be the first to say it?

[zappepcs]

We need a new word to deal with this technology:

Webutation; The reputation an entity has, stemming from its web presence.

Re:Can I be the first to say it?

[Xtravar]

Brilliant! Let me have a try!

I'm e-sick to iDeath of WRDZ being webhanced to .Sell morenet of the360 blueSame VoIPOOP.

JAVA!!!

Trivial answer!

[VincenzoRomano]

Is a conventional signature-based antivirus technology dead? Trend Micro CEO Eva Chen says no.

If you ask an Oil company whether oil derived fuel engines are dead, they'll answer the same way.

Reutational analysis roblematic

If eople want to use reutational analysis on this roblem, there's lenty of others I'd ersonally trust over Trend Micro.

Oh the stories I could tell as a former emloyee of this comany. Not only the missing "p" problem; there was the time they used a telephone number as a phishing signature (too bad it was the actual phone number of one of the largest banks in the US--and that all that bank's legitimate email to customers was trashed)--that was one big account they lost the next day. Or what about the time that a bad signature file took down about 80% of PCs in Japan. Or when it turned out that the library that scans for viruses was actually a vulnerability. Or the time...

Soooo glad I don't work for those guys any more.

I read it the other way around

[Billly+Gates]

AV software is alive more than ever thanks to crackers on the internet and buffer overflow malware ads on webpages.

PRoblem is the software is not healthy indeed and can screw up a whole system. ITs like their approach to neutralizing a hammer is to encapsulate the whole thing. Every i/o transaction is read and maybe even virtualized.

Does it stop virii? Hell no. I worked help desk at a gaming company which uses the IE sdk for some code on the logon screen. Anyway it wont load if any viruses or keyboard monitoring programs are installing which use the IE sdk. I get many callers saying "WTF. I have norton. What do you mean my system is infected!?". I then clean the system with some cheesy app that is not an antivirus program.

The first 3 rules of computer security.

[khasim]

#1. There is no security without physical security.

#2. Run only what you absolutely need.

#3. Run it with the minimum rights possible.

The reason that Trend Micro's "new" approach will fail is ... rather long. Follow along for a moment.

a. Vulnerability is found and exploit is written.
b. Exploit needs to be distributed.
c. Exploit is distributed via a quick spam flood - they have no protection against this.
d. Exploit is posted on a web site - how do the bad people drive traffic to that site?
e. They use a compromised site. They hide the exploit in a directory that robots.txt says not to scan. Either Trend Micro violated robots.txt or it cannot find the exploit.
f. So Trend Micro will have to violate robots.txt and that behaviour should be noticeable. So the bad guys would hide that file from something that looks like a webcrawler that doesn't respect robots.txt.

And we're back at the beginning.

Re:The first 3 rules of computer security.

[voice_of_all_reason]

#1. There is no security without physical security.

Hire a bodyguard to stand over your ethernet jack, then chase down and beat interlopers with a nightstick? I like the way you think...

This is why reliance on AV software is dangerous

[Alioth]

Funnily enough, I just wrote about this:

http://slashdot.org/~Alioth/journal/167405 - includes a link to a major study of a piece of malware which went undetected by the AV companies for months.

Or just go to http://www.secureworks.com/research/threats/gozi/ if you don't want to read my crap.

I've personally witnessed two malware infections where the malware arrived up to a week before the AV companies had updated their definitions.

Botnet

[daeg]

So to defend against botnets, Trend Micro will make a massive spidering botnet capable of indexing and cataloging 100 million domains. If Morissette were available, I'd quiz her if this situation qualifies as ironic.

So help me if they don't honor robots.txt.

You have to trust something

[starseeker]

At a certain point, networking requires trust in order to realise it's potential benefits. Open source wouldn't work if everyone had to read every line of source code before running a program, so various organizations and projects develop trust and reputations. We know Debian, Fedora, Gentoo, etc. are OK and can proceed to use them with minimal trouble. A brand new Linux distribution must climb that hill, in addition to providing sufficient incentive for people to find out if they can be trusted. That's tough.

The anonymous nature of the web is what allows things like virus writers to succeed - if they couldn't hide, they wouldn't assume the responsibility for what they're doing (well OK a few nut cases would, but the same is true in real life.) However, forcing unique identities on people opens up a host of other problems, some of them more serious than the ones we have today.

So we must operate in the twilight world of making networks which cannot be successfully attacked by bad actors. There are a wide variety of intermediate solutions, like today's anti-spam techniques, wikipedia's system and even slashdot's own moderation system. But none are perfect and none can be perfect - the problem is not solvable in general. Open source actually helps this in one major way - the community controls that operate in the real world to keep human social systems functional also operate (to some degree) in small scale projects. There the individual traits of interested parties become known over time, and recognition and trust can be built up based on more than just a name or email address. It is not perfectly robust, but then no system to date has been.

Virus problems will continue as long as there are people wanting to write viruses, as they are simply an electronic version of spray painting walls, defacing monuments, or other useless and harmful activities that have persisted since the beginnings of civilization. We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology. The fact that spam emails can be identified at all, for example, is really just an indication of the lack of skill of spam writers. Likewise, someone really wanting to distribute a virus can just make a freeware program that actually does something real and useful long enough to build a reputation, and then when it is widely distributed trashes every system it is installed on. There are always ways to attack a target, if enough effort is put into the planning. The trick is to be fault tolerent and recover quickly. In specific cases better security can be achieved (classified information, etc.) but for the general case it will always come down to dealing with the consequences of antisocial behavior as it happens.

Re:You have to trust something

[99BottlesOfBeerInMyF]

At a certain point, networking requires trust in order to realise it's potential benefits... We must rely on community, the most robust tools we can devise, and (finally) building our own web of trust based on things we have found to work. These issues are fundamental to the human condition and (like all social problems) cannot be resolved by technology.

I agree with most of your comment, at least in principal. I think one of the most important ways the industry needs to jump if it is going to make the malware problem a minor inconvenience or a rarity, is to build tools to harness the intelligence and trust of others, be they communities, formal organizations, or commercial enterprises.

OS's need to start relying upon the amount of trust given to a piece of software or network service and restricting them appropriately based upon that level of trust. Channels for "voting" on how much some software or service should be trusted need to be made open and user configurable. And by "voting" I don't mean individual people should be voting on if some software is reliable. I mean the user should be subscribing to intelligence feeds from malware watchdog groups, commercial anti-malware services, OS vendor provided services, and online communities. The end user should be responsible for deciding who they trust and the OS should be responsible for translating that trust into one consolidated policy for restricting the access given to Web sites, applications, network services, etc.

I want to be able to get a random executable in my e-mail inbox, double click on it to run it, and have the OS discover if it is signed, if it is certified, if it matches any malware signatures, and what level of trust it should be given based upon a merge of several different information sources to which I have subscribed. Then I want the OS to automatically apply an ACL to that executable or even run it in a VM, based upon the ACL included in the application (if present) the ACL my OS has specified for that trust level/app type, and the ACL suggestions from said information services. I want all this to happen more or less in the background with me just double clicking it.

I honestly think that until such a system is build into mainstream OS's the malware problem will continue, full speed ahead. The problem with this is only Microsoft is in a position to really do this because of their monopoly and their position as the only real target for current malware. Further, I don't think they are capable of doing it because of the way they are organized. They don't lose enough money when their users are compromised because of their monopoly. Their entire business is built on lock-in instead of quality, so they would almost certainly implement a signing/certifying system that locked user into them, and thus provided mostly useless information since there would be no competition among providers. They have repeatedly shown themselves incapable of taking security seriously and when UI is a vital part of security they have never, ever shipped anything that was not a disaster.

My only real hope for the malware situation to be contained is encroaching OS X on the desktop and encroaching Linux in business that might break their choke hold long enough for someone else to do it right, or for MS to be forced to compete to survive, resulting in a real change in Redmond. Without antitrust laws being enforced, however, it is a long shot.

Wont work

[cyberbob2351]

The newly released OfficeScan 8.0 will include endpoint security features that will block access to Web sites that have a reputation as sources for malicious activity.

Considering the fact that the infestation could be due to either a worm infection, or could come about by accessing a webserver that is in actuality a compromised botnet drone, how on earth is such a reputation system supposed to be effective?

Most of your issues will not come from the same sites over and over. The only exception to this is crack and warez sites, but we already have similar reputation systems implemented.

Reputation does not prevent spread of viruses...

[Dr.+Zowie]

... otherwise there would be no syphilis in the world.

Seriously, there is a pretty direct analogy between (digital epidemiology, computer viruses) and (real epidemiology, real germs). If there were a simple answer to the digital problem, it's a good bet that some population or other would have adopted the analogous strategy to the real epidemiology problem.

STDs offer a good analogy for digital viruses with a Trojan-style (no snickers, please) strategy. In both cases sharing of {data|fluids} yields immediate benefit at some risk. In both cases, populations have adopted reputational strategies to avoid spreading/contracting viruses. In neither case do those strategies work.

Even with near-perfect "antivirus software" (the antibiotic penicillin), the old monsters of syphilis and gonorrhea still remain on the planet, and penicillin-resistant strains have even evolved. One problem is that reputations are hard to establish and not necessarily accurate; another is that most humans tend to discount future risks in favor of immediate benefits.

Interestingly, the reason that the traditional venereal diseases are treated with penicillin injections (and not an oral course) is that, statistically, patients are unlikely to finish the oral course -- a properly completed oral course of penicillin is as effective as the traditional three injections. There is perhaps a lesson to be learned there about how effective corporate data-hygiene strategies are likely to be.

with apologies to Freedy Johnston

[sammy+baby]

What will make this different? If we're not careful, Trend Micro might give us all a bad Web reputation.

(Sung to the tune of "Bad Reputation", by Freedy Johnston)

I know, I've got a bad reputation:
and it isn't just W32/Delbot.
If I could only keep this damn malware
out of my inbox.

I could have had a normal conversation,
if it wasn't for this firewall.
If it deletes zip files with passwords,
then they're worth fuck-all.

Suddenly, my mail gateway is hosed,
malware is being
installed by the truckload,
keeps breaking down.
Can you help me now? Can you help me now?

This is Crazy Making!

[mpapet]

Why, in this day and age, are we having a conversation about anti-virus anything?

Instead of accommodating Microsoft's severely broken security model, now updated with "are you sure you want to do this?" Just flush that windows partition and install your linux distro of choice, or install linux on the PC and give it away, or get a Mac.

No, sysadmins like me won't be doing this at work anytime soon. Ever since I told family and friends who needed computer support I won't fix windows and gave them the option of buying a mac or switching to Linux, I'm having much more fun on my days off.

The extra benefit is I don't have to discover some of the ummm, unusual, tastes-and-preferences in my friends cache.

Re:This is Crazy Making!

[Mister+Whirly]

"Ever since I told family and friends who needed computer support I won't fix windows and gave them the option of buying a mac or switching to Linux, I'm having much more fun on my days off."

Walking my family through command line installs of libraries and helping them chmod permissions so they can access the files they saved. I love the fact that all my dumbshit realtives are now running Linux, I mean who needs time off on weekends anyways!!! Now when my mom wants to install a new printer, insead of just plugging it in, now we get a 3 hour long session fighting with generic Gimp drivers and it still won't print 100% correctly. And my parents were really stoked that the thousands of dollars they had spent on Windows software was now mostly worthless! Yep, if there is one thing Grandma really loves digging into it's compiling her own Linux kernel - she really just can't get enough of it! All and all I'd say that an OS designed for geeks who really love tinkering with their systems is working out terrific for the average computer illiterate masses...

AV are Dead

[smist08]

I stopped realtime scanning when I realized that over 50% of my CPU was going to scanning virus's. Now that it is turned off, things run much faster. E-mail seems to be the main source of virus's, but most email servers scan for virus's so doing a local realtime scan is just a waste of time. Otherwise just avoid memory keys, and disks which is fairly easy. I find Spyware a bigger problem than virus's but just running Spybot every now and then to clean off things installed by other software like webcams seems good enough. Certainly my PC runs much faster and more reliably with AV turned off. Still do a system scan now and then, but haven't found a virus in like five years.

SiteAdvisor

[Strilanc]

Wow, this is the same thing as Site Advisor; except it doesn't warn you about bad websites, it just tells you to fuck off. How hard could it be to modify the site advisor extension to do that?

Re:This is why reliance on AV software is dangerou

[saddlark]

Two times, I've observed that the opensource AV software ClamAV nailed new email virii
about 6 and 12 hours before the commercial alternatives got signatures for them (3-4 examples, names left out to protect the guilty).

Of course, this doesn't always happen, but it's still an interesting observation.

Effort going in the wrong places

[Animats]

If all the effort spent on security approaches we know won't work, like looking for known attacks, were spent on approaches that can work, like fixing operating systems and applications so external content runs in jails that work, and developing reliable means for sanitizing content, we'd be much further along.

Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure.

The problem with all this so-called "virus security" is that it's aimed against bulk attacks that are mostly annoyances. It won't detect focused attacks aimed at a business or government site intended to steal serious money or information.

Military security people are trained to make that distinction. Some effort has to be devoted to chasing off kids throwing rocks over the fence, but they're not a real threat. The real threats are subtle, until it's too late. The commercial computer security industry does not get this at all, and doesn't want to.

Re:Effort going in the wrong places

[OriginalArlen]

Think about it. Symantec is a billion dollar company selling a product that barely works. Nobody is spending that kind of money making operating systems more secure. Now far be it from me to defend the great satan, but to be fair Microsoft have spent a lot more than that on improving security since Bill "got it" and sent his memo back in, what was it, 2003? They still haven't trained themselves to make the right call when it comes to usability vs functionality (see UAC, and so on and on) but Vista is a lot more secure out of the box than XP SP2 - which itself was an improvment over 2000. (Which, admittedly, was worse than NT4 which was worse than 3.51, but that's beside the point.)

It probably won't show up in the botnet stats even once Vista is ubiquitous, though, as you still have to allow the user to install arbitrary binaries, which means the attacker just has to fool them. And they've had a lot of practice with that over the last few years. There IS no technical solution to this, unless you completely close the ecosystem - prevent the user installing arbitrary executables, shut down the internet as we know it -- or find an infalliable on-demand method of deducing what a given program is going to do; and if you've got a solution to the halting problem, I'm sure we'd ALL like to hear it ;)

Two Words ...

[malcomvetter]

... Default Deny.

We have seen it in firewalls. We have seen it in military-grade physical security. We have seen it in banking. But, why, oh why, do we not see it with malware?

[Analogy warning] About the best analogy I can come up with that describes just exactly how modern anti-[virus, spyware, threat du jour, or just plain "malware"] is this: Enterprises and home users are outsourcing the task of determining the trustworthiness of software applications that reside on their computers. However, they are forcing the outsourcers (the AV companies) to work both backwards and blind. "Blind" in that the outsourcers are not allowed access to see what applications are actually running within the trusted computing environments (or how well those applications play with others (do they run with scissors?)) and "Backwards" in that the outsourcers are not allowed to simply identify trustworthy software applications-- they're forced to identify the good by ruling out everything that is bad. And we all know that "good" and "bad" are in the eyes of the (ahem) beclicker. [End analogy]

What we need instead is a serious set of solutions (and some are starting to crop up, but I won't cite any because I cannot vouch for their quality) that work in the POSITIVE direction, and not the NEGATIVE direction. In other words, we need anti-malware that simply inventories known good applications, comparing all code execution requests against the guest list before letting them get CPU resident. Assuming that code injection techniques (e.g. buffer overruns) can be quelled by other means (microkernels, randomized memory addressing, read only data memory, etc.), then the likelihood of malware infection with a Default-Deny approach (deny all applications except those on the guest-list/inventory) would dramatically approach zero.

The real problem is ... economics. Anti-[threat du jour] vendors work on subscriptions because they can check for subscriptions before issuing malware signatures (it's the whole incentive concept we see all over again). But, there is no incentive for the customer to check in with the vendor if their tool is just installed and doesn't need re-configuring until the next time a new application is installed (presumably to update the inventory).

And, like many other comments here have already noted, privilege escalation cannot be overlooked. Supposing a default-deny-anti-malware approach exists (and is worth using), if I operate the computer at the same privilege level of the tool itself [regardless of OS], it is possible for malware to disable the controls. And for the clever readers out there, yes, a set of default deny application inventory controls does seem similar to file system level controls--only execution controls further extend the FS permissions to cover the missing gap.

Who cares about behavioral analysis? What behavior I dislike another will certainly like! Who cares about reputational analysis? What you trust, I may not! But, if we all just stop assuming that we can never speak intelligently about the inventory of "good" applications, then we might finally arrive at a solution that ends malware once and for all (well 99.999% anyway, we'd still have to worry about insider-threat ... and at that point it would no longer be a problem (as in a "social problem")).

I guess I went over my two words. Apologies ...