Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Antivirus: The emperor is naked SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Antivirus: The emperor is naked

Over the weekend, I read a report by an anti-virus firm about the "discovery" of a malware serving host which creates a new, unique malware binary "on the fly" for every exploited PC connecting to retrieve it. As if this were anything new, really.  But rather than to draw the obvious conclusion from this discovery - namely that the antivirus approach of the last 20 years, which is based on the assumption that you can keep up with creating "patterns" for all bad things out there, has completely outlived its usefulness - the article went on to extol the virtues of new "behavioural" virus defense software.

Time is overdue to radically change tactics on the malware defense side - but why doesn't anyone do it? Is it because the Anti-Virus vendors, reveling in their plum revenue stream of "update licenses", do not really see any need to change ? Is it because the operating system vendors have their eyes set on this same (for them: additional) revenue stream, and don't want to dry it up by making a few changes to the OS itself ?

At least for the corporate environment, the "solution" would be kinda obvious. Large firms have standardized their workplace computers, and use automated software distribution tools to patch, update and deploy software on client PCs. Frequently, the distribution mechanism used is even from the same vendor as the operating system on the workstations. All that's needed to make life a misery for malware in such an environment is a component which enforces that workstations only load/run executable code deployed to the workstation via the corporate software distribution system. Wouldn't this be an useful application of all the DRM code for a change ?

Yes, I'm aware that this still leaves a number of attack points and injection techniques uncovered. And yes, this would not completely remove the need for anti virus software. But it sure would be a huge step in the right direction.

I think it's time to stop pretending that the emperor is wearing clothes.


385 Posts
ISC Handler
Jul 23rd 2007

Sign Up for Free or Log In to start participating in the conversation!