Over the past few years, we have seen the occasional flurry of articles stating that anti-virus is dead, and inadequate to protect companies against modern attacks. A recent example of such an article is this one from Forbes.
Stories like this leave us in the cyber defense industry both amused and perplexed.
We are amused, because the anti-virus that these articles are so eager to kill hasn’t really existed since 2008, so for us the old ways of doing things are long dead. And at the same time, we are perplexed about how to explain to people that their understanding of the field isn’t exactly state of the art.
Especially since there are so-called “next generation” vendors who exploit this kind of confusion in their marketing.
The old way of protecting against attacks, based solely on anti-virus scan engines in which the software uses a database of anti-virus signatures to detect known malware in Windows or other file systems, has not been at the forefront of protection for the past 8 years. Scan engines started to lose their effectiveness around 2006, when server-generated polymorphic malware became the norm, which meant that what was then known as the anti-virus industry started to look for new solutions.
The key problem with scan engines is that attackers can easily set up test environments containing all commonly used anti-virus products, and keep modifying new malware until none of the scanners detect it. And as attackers basically have an unlimited amount of time, it is certain that they will find a way to modify malware so that it is no longer detected. This situation is easily seen in various “tests” where a researcher uploads new malware binaries to VirusTotal or other big sample aggregators that use AV scan engine results as a lure to get people to upload samples. This kind of test is inaccurate for two main reasons: first, it skips all the actual protection layers that come into play before the AV engine; and second, even for things where we still use AV engines, we keep the most useful detections away from VirusTotal.
So yes indeed, the old way of relying solely on anti-virus databases and scan engines is dead, and has been resting in peace for many years. Although many products (including F-Secure’s) still use scan engines as a last line of defense and for cleanup, we do not rely solely on scan engines to provide complete protection.
In January 2013, we posted an article explaining the basics of how anti-virus (or cyber defense) products have evolved since scan engines. And of course the evolution did not stop in 2013.
The basic idea of modern protection is to understand how the attacker works. And instead of chasing the exploit of the day and malware of the second, we concentrate on resources that attackers need in order to succeed, and deny access to those resources.
Currently, the most effective method in the protection arsenal is limiting the attack surface available to attackers. Specifically, we aim to either identify the exploit kit or other attack by its traffic patterns, or simply deny access to Java, Flash, and other potentially dangerous elements when they come from unknown sources.
This means that in most cases the actual attack does not even take place, because the attacker is either unable to contact the victim, or is unable to send the content that contains the exploit that would be used to attack the victim.
If contact prevention fails, we use methods that either generically detect exploits, or detect behavior changes in exploited applications. The end result is the same – preventing the exploit from successfully taking over the victim system.
If the exploit is able to run, we are still able to counter it with behavioral monitoring, cloud-based analysis, and other methods.
Thus in most cases, we have been able to counter the attack well before scan engine updates arrive.
And while most protection is done using more advanced methods, scan engines still have their uses. Once a particular malware is known, we can use scan engines to distribute protection to clients en masse. This allows known threats to be detected and identified at the outer layers – something that more generic methods are unable to do. Scan engines also allow vast numbers of samples to be identified and categorized en masse, which helps save energy. In this sense, scan engines can be thought of as a type of green technology.
Plus, the scan engine has no need to exist on the end-user clients. We already offer “outsourced” server-based scanning in corporate products, in which the end-user workstations send files to be scanned on the corporate scan server. And we’re prototyping the same approach for consumer products, so it is very likely that in a couple of years the scan engines will exist only on corporate or cloud-based servers.
Oh and those “next gen” companies also use scan engines. They just call them IOC (indicator of compromise) scanners.
-Written by Jarno Niemelä, Senior Researcher, F-Secure Labs
[Image by Alexandre Dulaunoy | via Flickr]