Friday, June 06, 2014

Is antivirus a waste of time?

Symantec turns from prevention to remediation (article) as the company comes to grips with dropping detection rates for new viruses and malware.  Many savvy companies have already begun to analyse viruses using multi-engine systems like Virus Total which can generate a consensus on a piece of malware if you're lucky.

To what do we owe this great turn of events?
a) Could it be the cool tricks APTs use to bypass antivirus disclosed at RSA 2013?
b) The tips given at BlackHat 2013 to fool virus engines?
c) Could it be the codifying of those tricks into Metasploit for the script kiddies to push-button hack?
The answer is Yes.

The tricks used by APTs and by hackers in general to bypass anti-virus are very easy and extremely effective... so much so, that trying to detect them would be almost impossible and if detected would lead to a huge amount of false positives since many programs share those same API calls.  So the former revelation by Symantec is just common-sense... not a shock or even really that surprising.

So what is a person to do?

For a long time now I've championed the use of a Trip-Wire like app.  Just a simple hash of files and key registry segments... if those areas change then the user is given the opportunity to restore them to the original settings.  You can take this idea as far as you want, with VMs or what have you.  User's are not perfect and we all know they can be fooled easily but even savvy kids know that when they're surfing the web they should not have something get installed that they didn't ask for.

I agree it's time to go back to a leaner AV with greater attention to segmentation of information and an absolutely rock-solid restoration capability.  There are few things more frustrating than removing a virus only to find that you have to re-build a home user's machine from scratch because there are still tentacles of the bug infesting the remotest areas of the OS.

But good luck finding this kind of solution for a price you can stomach.  Maybe an AV company will build this up but if the past is any indication it will come with 100 megs of useless legacy crap installed with it.  So far it seems that freeware solutions steer clear of this type of app maybe due to patents in the area or simply because it's dangerous to restore anything to a computer and thereby risk the legal repercussions of not getting it perfect.

What does the business do?

Business will have to turn to multi-engine AV systems and to anomaly detection systems like Fire Eye, Tripwire, Splunk to catch hacks after the fact.  You can roll your own tools, write Snort rules, block massive lists of IP addresses. I believe the industry is coming to a tipping point where lower costs tools are needed.  I enjoy writing my own, but most companies don't have the people with the skills to take a day or two on a new tool.  Also, pet projects can take on a life of their own as their capabilities need to expand to support additional systems and log types.  I recently wrote a sniffer and a log analysis system that feeds into SQL Server (with full text search).   A few stored procs shape the data into useful intel but parsing new and varied types of logs becomes a pain point and Splunk starts looking better if you have a wide variety of input.  These are the kinds of decisions you'll find yourself dealing with more and more as the attackers continue to outpace the defenders.

I'll talk more about how to deal with this tipping point shortly as a reset is needed to tip the scales back in the favor of defense.