Security Community Blog

AntiVirus: To Be or Not To Be

Created: 14 May 2007 • Updated: 15 April 2009 • 7 comments
By BFoster

Hello there. This is my first blog and I hope the reader finds it interesting and useful. My team has been working on a big project inside Symantec code-named Hamlet. It is one of the most important projects that Symantec is working on. Driving a project so critical to Symantec's customers and partners is both a lot of fun and a lot of pressure. ;) In my blog, I plan to write a lot about this release. The topic this time is whether traditional antivirus technology is dead.

 

There is a lot of discussion in the media right now about the usefulness of traditional AV-based technologies. I have even participated in a couple of those discussions, such as this one at Network World. The discussions are generally started by small intrusion prevention companies that are trying to make a name for themselves or by analyst firms trying to stir up some controversy. I should mention that neither of those motives is bad. Most of these discussions bring up the issue that traditional AV technology cannot keep up with the volume of threats. For example, in the last 6 months of 2006, Symantec identified 8258 new Win32 variants. With the pace of new variants as well as the rise of targeted and zero-day attacks, the small companies and analysts argue that customers are not secure using only their traditional antivirus-based solutions. Based on this, a few of them broadly and boldly proclaim AV is dead.

 

Coming from the biggest antivirus company in the world, this might seem strange to read, but guess what? I think they are right, at least about their premise. I do not agree with their conclusion. In today's dynamic threat environment, traditional signature-based antivirus technologies are not enough to protect endpoints for consumers, small businesses, or large enterprises. To me, this is not news. Back when Slammer first hit in January 2003, it became clear to Symantec that traditional signature-based detection technologies were not sufficient. Since 2003, Symantec has been adding technologies to our endpoint products that catch threats without relying on signatures.

 

As I mentioned, the conclusion that is often offered is that antivirus is dead. On this point, I strongly disagree, for three reasons. First, there are still a lot of threats out there that traditional antivirus can provide protection from. Let me pick on Slammer again. For two years after the threat came out, the vulnerability it exploited was still the number 1 attack that Symantec saw. Refer to the September 2005 ISTR for more information on that. Second, as our customers start deploying more and more proactive solutions that can catch threats without signatures, the signatures are still necessary to clean the threat up. For example, let's say we notice a process doing something bad, so we prevent it, yet we do not necessarily know everything we need to know in order to successfully clean that threat up. That is another area where signature-based AV continues to play a vital role on the endpoint.

 

Therefore, let me conclude this first blog entry by saying that traditional signature-based antivirus is still a critical element of desktop security. Nobody should be without it. At the same time, it is not enough. Additional technologies are required to provide complete protection, either based on behavioral approaches such as Symantec's SONAR or on whitelisting capability as exists in Symantec's Sygate Enterprise Protection and Symantec Critical System Protection. In future blog entries, I will tie this back to Hamlet and how we are focused on redefining what enterprise antivirus is all about. I will also talk about Microsoft's entry into the commercial endpoint security market (hint: they are only bringing out signature-based solutions, not very timely. ;) That is all for now. Until next time.
 
Regards,
Brian Foster
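As an added illustration of the layered argument in the post above (example code written for this page, not Symantec's or the author's; every sample, signature and hash in it is constructed): an exact-match signature misses a one-byte variant, a default-deny allowlist blocks the variant anyway, and only the signature layer carries the cleanup information the post says is still needed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable content (not real binaries or real malware).
GOOD_BIN = b"MZ\x90\x00 trusted-business-app v1.0"
WORM_V1 = b"MZ\x90\x00 slammer-like payload AAAA"
WORM_V2 = b"MZ\x90\x00 slammer-like payload AAAB"  # one byte changed: a "new variant"

# Layer 1: traditional signature database. Each entry carries remediation
# metadata, which is what the post argues the signature layer still provides.
SIGNATURES = {
    b"slammer-like payload AAAA": {
        "name": "W32.Example.A",  # constructed family name
        "cleanup": ["delete dropped file", "remove run key"],
    },
}

# Layer 2: allowlist of SHA-256 hashes of known-good binaries; anything else is denied.
ALLOWLIST = {hashlib.sha256(GOOD_BIN).hexdigest()}


@dataclass
class Verdict:
    action: str              # "allow" or "block"
    layer: str               # which layer made the decision
    cleanup: list = field(default_factory=list)  # remediation steps, if any are known


def signature_scan(data: bytes):
    """Return the matching signature entry, or None if no byte pattern matches."""
    for pattern, meta in SIGNATURES.items():
        if pattern in data:
            return meta
    return None


def evaluate(data: bytes, allowlisting: bool) -> Verdict:
    """Run the signature layer first, then (optionally) the allowlist layer."""
    meta = signature_scan(data)
    if meta:
        # Known threat: block, and we know how to clean it up.
        return Verdict("block", "signature", list(meta["cleanup"]))
    if allowlisting:
        if hashlib.sha256(data).hexdigest() in ALLOWLIST:
            return Verdict("allow", "allowlist")
        # Unknown code is stopped, but nothing tells us what it dropped or changed.
        return Verdict("block", "allowlist")
    # Signature-only endpoint: the unseen variant runs.
    return Verdict("allow", "none")
```

Run `evaluate(WORM_V2, allowlisting=False)` and `evaluate(WORM_V2, allowlisting=True)` to see the variant slip past signatures alone and get blocked by the allowlist without any cleanup steps attached.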

Comments

Comment from ipsecevangelist

This is an extremely controversial topic. Especially when we look at what the other AV vendors are offering/integrating with their technologies. Take McAfee for example; they realized (as did Symantec) the traditional AV practice of protection based on signatures wasn't going to be enough. We have all known this for a long time...thus the heuristic technologies were introduced over ten years ago to detect new variants. I understand the heuristic detection was still done using pattern matching (i.e. signatures) but it was still a step in the right direction.

Getting back to my point, McAfee integrated spyware detection and so did just about everyone else. They then went a step beyond and integrated buffer overflow protection (even though it was only a subset of the full product) which not just raised the bar for AV protection but set a new standard which now included true zero-day protection. I was hoping for Symantec as well as the other AV vendors to step up and do the same but for over two years nobody came through. Last year we saw some improvements but they were small and not highlighted. They were mentioned almost as afterthoughts instead of key new advantages.

In my opinion, signature based detection isn't dead. As you mentioned we still have to clean up the problems and with almost 200K known viruses out there... we are going to need all the help we can get. Even for those technologies that are trying to virtualize sessions to prevent infections, it won't be enough. If the virtual session is compromised and the user doesn't know it, they are acting as a conduit for whatever Trojan, worm, or what have you until the user ends their session/connection.

What would my solution be? In a perfect world I would like to see an integrated solution for the client which would be managed by a single agent and a single management server. The client product would include: antivirus, anti-spyware/adware, buffer overflow protection, firewalling functions, heuristics, and of course some sort of rootkit protection. Of course I'm referring to the enterprise/corporate environment with this but that is where I hang my hat for security specialization. This would be accomplished through technology integration and not the installation of multiple products managed by multiple servers.

Sorry for the long comment…perhaps I should start my own blog ;)

Comment from The Baron

Congratulations on starting this blog, I wish you well. The information is well received. I would like to ask: what steps are being taken to minimize code and allow greater system resources to be available for better performance? I read the comment where a suite of applications (Integrated Solutions) will serve well but, if we integrate hardware into this equation, would it help? I see AV software applications that use a lot of resources and customers in AH trying to understand why their computers are running so slow.

Comment from bgladstein

An interesting analysis, Brian - but there's one constituency involved in the "Antivirus is Dead" discussion that you did not mention: the customer. The point that "The Baron" raises is one we hear all the time - with all the additional technologies that need to be added on top of antivirus to keep it up to date, the users are more and more inconvenienced with constant disk grinding and error messages like "tshie.exe is trying to access port 1003"... customers don't understand it, and they don't like paying for it. Just yesterday I got another call from a customer who is fed up with AV and throwing it out.

If AV is not dead, it is at the very least on life support, as evidenced by the fact that AV vendors have to keep plugging its holes with additional technologies just to maintain a layer of protection that is already porous.

Meanwhile, our customers using whitelisting are replacing AV with a system that doesn't need to be updated, requires minimal security expertise to be managed, and performs significantly better on the desktop. For some of the reasons why, check out this blog posting at http://www.bit9.com/blog/home/tabid/15398/bid/2355.... You'll also find really interesting case studies on other portions of the website.

Comment from BFoster

Baron,

I have experienced some of the same pain. In fact, for SAV 9.x and 10.x, I was very uncomfortable with the performance penalties customers had to pay to get integrated anti-spyware protection. Part of the gameplan with the SEP 11.0 release was to give some back. In SEP 11.0, we rearchitected the client with an eye to lower memory usage and idle time. In addition, we did things like throttling the disk I/O (not just processor usage) during scans. The net result is that SEP 11.0 takes less memory and impacts the machine much less than SAV 8.x - 10.x ever did.

That said, we are not done. We are working on even more performance improvements for future versions of SEP 11.0.

I think hardware can help out. This is especially true when we start talking about virtualization. Symantec is publicly supporting the work that Intel is doing around vPro. I think you will see some exciting things there around both endpoint protection and network access control.

Comment from BFoster

bgladstein,

Thanks for the comments and the link. Lots of good stuff to read there. You are an active blogger. I am having difficulties doing this once a month. LOL.

I talk to a lot of enterprise customers and I have not talked to a single customer that is ready to turn the AV off and just go down the whitelisting path (except on some ATM machines). You mention this yourself in your blog (which is great, by the way!). It does ultimately come down to the need to have layers of protection. There is no silver bullet. As soon as a customer makes this determination, I would argue that the customer wants a solution that has less complexity and cost than multiple agents and consoles. That "want" is what is driving my team. Today, whitelisting capability makes up 5-10% of SEP 11.0. We allow application controls and device controls. SEP 13.0 might be 40-50% whitelisting and the rest behavioral and signature based malware detection. The key is that my team will focus on providing endpoint security that protects from the current threats with reduced costs and complexity.

By the way, I am a big fan of both Bit9 and SignaCert. You guys are doing good work.

Comment from Courtney

<< Deleted by moderator >>

Comment from BluePoint Security

As I know, companies don't want to turn off the AV engine and just go with the whitelisting approach. BluePoint Security to my knowledge is the first security company to bring you both in an easy to use platform for BOTH the personal and enterprise solution. BluePoint Security has brought both AV technology and whitelisting to their customers. The enterprise has the ability to be controlled through one computer or many. The personal version platform is made to look just like what you would see in an AV product. I do believe that the ability to install this software over an infected machine/company and stop the unknown code from running, plus give you the ability to clean things up, is going to be the standard in the next few years.
