[Infowarrior] - The Future of Antivirus

Richard Forno rforno at infowarrior.org
Wed Mar 5 22:49:18 UTC 2008


From CSOonline.com
Antivirus
The Future of Antivirus

http://www.csoonline.com/read/020108/fea_antivirus_pf.html

As signatures proliferate, antivirus vendors must ramp up other techniques
for spotting and squashing malware

Antivirus software makes Greg Shipley so mad he has to laugh. “The
relationship between signature-based antivirus companies and the virus
writers is almost comical―one releases something and then the other reacts,
and they go back and forth. It’s a silly little arms race that has no end.”

Shipley, CTO at Neohapsis, a security consultancy in Chicago, says the worst
part is that the arms race isn’t helpful either to him or his clients. “I
want to get off of signature-based antivirus as rapidly as possible. I think
it’s a broken model and I think it’s an incredible CPU hog.”

The question is, where should he go? Antivirus as an industry has modeled
itself on the human immune system, which slaps a label on things like
viruses so it knows to attack them when it sees that same label, or
signature, again. Signature-based antivirus has moved well beyond that
simple type of signature usage (though at the beginning, it did look for
specific lines of code). In its current, more sophisticated form, it
dominates the market for security software, despite some obvious
limitations: You don’t use it to stop data leakage, for instance, though
many kinds of malware are designed to siphon data out of companies. The
number of malware signatures tracked by security software company F-Secure
doubled in 2007, and while you might cynically expect such a company to say
there’s more malware out there, 2007’s total doubled the number of
signatures F-Secure had built up over the previous 20 years.

Even before 2007, there were plenty of people besides Shipley arguing that
antivirus was an industry in trouble. In fact, in 2006, Robin Bloor, an
analyst at Hurwitz & Associates, penned a report titled “Anti-virus is
dead.” He argued that malware exists only because antivirus software exists,
and said that antivirus software was doomed to be replaced by new forms of
software, which he calls application control, or software authentication
tools. Such tools whitelist the software we use and won’t run anything else
without the user’s explicit permission.

Antivirus firms think their death is greatly exaggerated, thank you very
much―even those that aren’t overly reliant on signatures, like BitDefender,
which says that signature-based techniques account for only 20 percent of
the malware it catches.

“Signatures aren’t dead―you need them,” says Bogdan Dumitru, chief
technology officer of the Romanian firm, which uses behavioral targeting
techniques to stop the remainder of attacks. Its main research focus is to
develop an “undo” feature that will let users hit by malware reverse its
effects. BitDefender hopes to release this feature in 2008.

Meanwhile, Bit9, the application whitelisting company highlighted in
Bloor’s report, uses antivirus software to help build its database―22 kinds
of antivirus software, in fact. In November 2007, it announced a deal to
give access to this database to security software maker Kaspersky Labs. Bit9
officials said that the database will help Kaspersky check new signatures to
limit false positives.

It’s also true that antivirus makers continue to sell billions of dollars
worth of software, despite Bloor’s proclamation. Bloor, though, says that
“the technique of protecting PCs using virus signatures is now on the wane,”
and rattles off a list of whitelisting companies offering software
authentication tools―not just Bit9, but also companies such as Lumension
(formerly SecureWave), Savant Protection, Computer Associates and AppSense.
And he noted the Kaspersky deal and Apple’s use of whitelisting to protect
the iPhone.

Not Just Whitelisting

Antivirus software has its uses. If a system is actually infected by
malware, it “may be the least painful way of removing it,” says David
Harley, administrator of Avien, the antivirus information exchange network,
adding, “Whitelisting does seem to be advocated currently as the panacea du
jour. I think this relentless search for The Answer, discarding one
partially successful solution set for something else in the hope that it
will eliminate the problem, is actually unprofessional.”

Harley makes that argument because he doubts that any single technology
approach will be a 100 percent solution when it comes to security. He wrote
that whitelisting thus is likely a supplemental technology for fighting
malware, making it one of a host of newer technologies that have been
adopted, including heuristics, sandboxing and behavior monitoring.

Corporate CISOs certainly don’t expect to find one answer to their problems.
“If you rely on signatures for security, you’re pretty much dead in the
water,” says Ken Pfeil, head of information security for the Americas Region
of WestLB, a German bank. Pfeil thinks signatures are useful and his firm
uses them. But when new malware appears, he often finds it faster to try to
break it down himself to understand its potential effects, rather than to
wait for his vendor to give him an update. His firm has also adopted tools
that use heuristic techniques and anomaly testing to add oomph to its
antivirus approach.

That kind of layered approach to software fits with where Natalie Lambert,
an analyst at Forrester Research, thinks the market is going. She says that
signature-based antivirus is “table stakes” for security software, to be
supplemented by techniques like heuristic information processing systems, or
HIPS, which look for suspicious actions by software, such as an application
opening itself from the Temp folder.
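To make the two non-signature ideas in this article concrete, here is a small added example (not code from the article, from Forrester, or from any vendor it names) that combines Bloor’s “application control” model, an allow-list of approved executables keyed by file hash, with one HIPS-style behavioral rule of the kind Lambert describes: an executable launched from a Temp directory, and the stricter case of a program that re-launches itself from Temp. The process-creation events, the executable contents and the allow-list are all constructed for the demonstration; a real agent would hash the file on disk and receive events from the OS.

```python
"""Toy application control (hash allow-list) plus one HIPS-style behavioral rule.

Everything below is constructed for illustration: the "binaries" are short byte
strings, the events are hand-written process-creation records, and the Temp-path
rule is a simplified stand-in for the kind of check HIPS products perform.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Directory suffixes treated as "Temp" (assumption: Windows layout).
TEMP_DIRS = ("AppData\\Local\\Temp", "Windows\\Temp")


@dataclass(frozen=True)
class ProcessEvent:
    image_path: str    # full path of the executable that was started
    image_bytes: bytes  # file contents (constructed; a real agent reads the file)
    parent_path: str   # executable image of the parent process


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(known_good: Dict[str, bytes]) -> Dict[str, str]:
    """Map SHA-256 -> friendly name for every approved binary (application-control database)."""
    return {sha256_hex(content): name for name, content in known_good.items()}


def in_temp_dir(path: str) -> bool:
    """True if any of TEMP_DIRS appears as a contiguous run of path components."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for temp in TEMP_DIRS:
        needle = [p.lower() for p in PureWindowsPath(temp).parts]
        for i in range(len(parts) - len(needle) + 1):
            if parts[i:i + len(needle)] == needle:
                return True
    return False


def evaluate(event: ProcessEvent, allowlist: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons). Allow-list first, then the behavioral rule."""
    reasons: List[str] = []
    digest = sha256_hex(event.image_bytes)
    if digest not in allowlist:
        # Application control: anything not explicitly approved is refused,
        # whether or not a signature for it exists yet.
        reasons.append(f"hash {digest[:12]} not on allow-list")
    if in_temp_dir(event.image_path):
        # HIPS-style rule: executables normally do not run out of Temp.
        reasons.append("executable launched from a Temp directory")
        parent_name = PureWindowsPath(event.parent_path).name.lower()
        if parent_name == PureWindowsPath(event.image_path).name.lower():
            reasons.append("process re-launched itself from Temp")
    return ("block" if reasons else "allow"), reasons


# Constructed "known good" binaries and the allow-list built from them.
KNOWN_GOOD = {"notepad.exe": b"constructed notepad bytes",
              "excel.exe": b"constructed excel bytes"}
ALLOWLIST = build_allowlist(KNOWN_GOOD)

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", b"constructed notepad bytes",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\invoice.exe", b"constructed unknown bytes",
                 r"C:\Program Files\Microsoft Office\excel.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\updater.exe", b"constructed unknown bytes",
                 r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    # Approved binary copied to Temp: hash passes, behavioral rule still fires.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\notepad.exe", b"constructed notepad bytes",
                 r"C:\Windows\explorer.exe"),
]


def triage(events=SAMPLE_EVENTS, allowlist=ALLOWLIST) -> List[Tuple[str, str, List[str]]]:
    """Evaluate every event; returns (image_path, verdict, reasons) per event."""
    return [(e.image_path, *evaluate(e, allowlist)) for e in events]


if __name__ == "__main__":
    for path, verdict, reasons in triage():
        print(f"{verdict:5}  {path}  {'; '.join(reasons)}")
```

The fourth event is the interesting one for the management cost Lambert mentions: the binary is on the allow-list, yet the behavioral rule blocks it because of where it ran from. Whether that is a true positive or a false positive depends on local context, which is why rule-based layers need tuning in a way a signature database does not.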

Lambert says McAfee is probably furthest along in using HIPS among the big
antivirus makers, having had more time than its rivals to integrate features
added via corporate acquisitions.

The downside to these technologies is that none are as simple and alluring
as the old signature-based antivirus, which she called a “set it and forget
it” technology. She notes that HIPS technologies are difficult to manage and
will never be as simple as the old model, though she expects they will get
easier over time.

Neohapsis’s Shipley says none of these techniques are really new―he notes
that it’s been more than four years since McAfee purchased Entercept, for
instance. But “what role does it play and what percentage of things does it
stop? I have no visibility into that.” Shipley says he plans to bring in
Bit9 to look at whether it could really replace his current antivirus
software.

Antivirus firms agree that they are becoming something different.

Sophos, for instance, uses several additions to signature-based AV. Sophos
examines program behavior―the modifications a program makes to things like
system configuration and files as the program runs. The company has also
built in a preexecution algorithm, a kind of crystal ball to simulate what
unfamiliar code looks likely to do. Richard Wang, manager of Sophos Labs in
the U.S., says that while signatures are easy to create, things like
preexecution code are harder and thus take more time. But the payoff is that
it can work against multiple strains of malicious software. He said that for
the Storm worm, Sophos generated only one signature but has been able to
recognize all the variants. Wang describes this type of technique as “almost
like a broad-spectrum antibiotic.”

Child’s Play?

Interestingly, the OLPC XO (from the One Laptop Per Child Foundation) is
another place to look at new AV techniques. The XO uses the Bitfrost
specification, developed expressly for this simple computer. OLPC claims
that the system “is both drastically more secure and provides drastically
more usable security than any mainstream system currently on the market.”

The OLPC XO ships in a default mode that is basically locked down but simple
for the user to open up. The Bitfrost specification uses a series of
built-in protections, including sandboxes or program jails for applications
and system-level protections that prevent alterations from code that could
do something harmful.

Whether Bitfrost would work in a corporate environment or will be
commercialized outside the OLPC project is unclear. But Avien’s Harley, for
one, thinks that there are psychological reasons why antivirus software is
unlikely to go away.

“The idea of a solution that stops real threats and doesn’t hamper
nonmalicious objects and processes is very attractive. People (at any rate,
those who aren’t security specialists) like the idea of threat-specific
software as long as it catches all incoming malware and doesn’t generate any
false positives, because then they can just install it and forget about it.
Unfortunately, that’s an unattainable ideal.”

Note to Greg Shipley: Don’t hold your breath on getting rid of your
antivirus software.

Michael Fitzgerald is a freelance writer based outside of Boston. Send
feedback to Editor Derek Slater at dslater at cxo.com.

Dated: February 01, 2008
