Is it time for a new approach to Virus protection?

Signature-based antivirus is flawed and ancient now. Isn’t there a better way to protect against malware yet?

Do you remember when viruses first appeared in the world of computers? I think I do, though I was still at school. And do you remember the first antivirus programs? They came soon after and they worked in, what seemed at the time, a sensible way. They were written to scan your files, recognise and then remove all the viruses that were then known. The funny thing is that I guess back then, the list of known viruses would probably fit on one side of A4….

Fast forward 30 years.

Now the list of viruses that have been released into the wild counts in the millions. Not only that but, the viruses themselves are designed to replicate and mutate automatically to constantly avoid detection by antivirus programs.

And yet how do we do antivirus? Well, pretty much like we did 30 years ago. The majority of antivirus programs use the same methods to detect viruses in the wild. The chances are that your antivirus program has a signature file that it downloads from the Internet, maybe via a server on your network, every few hours to get the latest set of known viruses to detect and remove from your computer. But how can we possibly expect that to work these days?

The reality is that the major antivirus companies are constantly playing catch up with the viruses and their creators. The reason that companies are still suffering virus attacks is not because their hapless IT staff did not bother to install antivirus software on their computers. It’s because the antivirus software they were using was simply unable to detect and remove the threat before it was too late.

And this is not a theoretical problem. We see the results of these attacks, not just in the news and stories from colleagues, but with our own customers, partners and their staff. We have to think hard about this.

Vendors like Symantec, McAfee and Trend Micro to name a few, have been working in the field of antivirus for many years and yet their products are still somehow not effective enough to protect clients reliably. This has become so normal that is tacitly accepted. It’s like people have stopped expecting antivirus software to actually do its job.

No software will ever be able to keep up with the virus writers

Sometimes IT staff within a company do miss some important tricks in ensuring maximum protection using the AV software that have, but the problem is actually more fundamental than that. No software will ever be able to keep up with the virus writers and their progeny just by looking for specific programmatic signatures and trying to stop them executing. By definition they will always be behind the viruses. You can’t look for something if you don’t know that it exists yet.

There are two problems here

The first, making sure that antivirus software has a real-time list of signatures to work from, is actually pretty simple to deal with. Going back to how conventional antivirus programs work, remember that the software has to download a set of signatures on schedule before it can start looking for viruses. That can easily be improved. In this world of cloud services and always-on connectivity why are we downloading signatures? Why aren’t we just using an online database of signatures in real time?

The second issue, being behind the curve with the blacklist of malicious software, is a much bigger problem, and requires a big change of approach. Instead of looking for known bad files, we have to take a precautionary approach. We have to think about known good as well as known bad files, and then how to deal with the ones in between. Think of it as a posture that we are taking, and we can customise this posture based on our requirements.

What if a virus gets through?

Lastly, we need robust ways of mitigating the damage the viruses can do. In most cases, viruses act by making unwanted changes to our files. Outside of antivirus software, we have had file versioning and shadow copy technology available on server and desktop operating systems for many years now. We need to somehow recruit those technologies into mitigation of virus attacks so that if a threat does get through, we can recover quickly and reliably, and with the minimum of drama.

So, how to solve these problems?

Unfortunately, it is just the case that traditional antivirus vendors have got too much R&D tied up in traditional methods of virus detection and mitigation. They have built their companies on outdated structures of signature creation and distribution. They have, to their credit, tried to graft on what are known as ”heuristic” detection methods which look for malicious behaviour of files as well as specific files signatures, but these are often clumsy, blocking legitimate activity along with malicious activity. Many administrators have no choice but to turn heuristic detection off to avoid users complaining that they can’t work because their bloody antivirus program keeps getting in their way. So, in reality, most customers are still relying on old signature-based detection, and that it simply outdated.

Existing backups might not be enough

At Cerberus, we have been thinking about this problem for a while. We have seen customers that have had properly deployed conventional antivirus, get hit by virus attacks – typically cryptolocker attacks. These viruses, have somehow defeated well deployed and up-to-date antivirus software. While backup can provide reasonable mitigation in these circumstances, there is no doubt that such attacks still cost a lot of time and money in disruption and recovery from the damage they do. And the companies with comprehensive, up to date backups are the lucky ones. Just as common are companies that have weaknesses in their backup strategy and they never fully recover from a major virus outbreak. Viruses have a nasty way of exposing shortcomings in companies’ backup systems…

We have been on the lookout for innovative ways to protect against viruses

Now the first rule is to make sure you have strength in depth, that is, multiple layers of defence. That is why we always recommend that customers have antivirus and web content filtering capabilities on their firewalls. These tools can often protect against particular types of attack where files are downloaded from malicious websites. But to answer the question properly, we have looked for a better approach to server and desktop protection, that addresses the shortcomings of conventional antivirus.

This is why we have adopted Webroot as our preferred antivirus solution.

Webroot have come to this problem with a fresh approach and without the baggage of a traditional antivirus infrastructure. Rather than trying to distribute signatures to millions of computers worldwide, they instead provide a centralised real-time database of known good and known bad files. And to simplify the process of identifying threats, rather than constantly scanning drives for malware, they use a simple hashing process to uniquely identify a file, compare that with the database at runtime (i.e. when the user attempts to run the file), and then make a decision on whether the file is safe to run or not.

This makes the process of detection truly real-time and makes it much easier on the client device. This neatly deals with another common complaint about traditional antivirus software, that can be notorious for dragging down a computer’s performance. Indeed we have seen that Webroot requires a fraction of the compute and memory resources on devices making it ideal for a wide range of desktop systems as well as servers.

 

Where Webroot does not know if a program is safe to run or not, it can either just default block it, which is the most paranoid approach, or it can do something very smart which is that it closely monitor that program and create a journalled log of all changes it makes to files. So it the program is determined to be malicious, all the changes it makes can be reversed with one click.

We have deployed Webroot to dozens of customers now and found that it has performed exactly as we hoped. In fact, one great feature is that because it is so lightweight and does not conflict with other AV software, we can run it over the top of an existing antivirus program. This has allowed us to benchmark its detection rates against other vendors as part of the evaluation process by customers. And sure enough, in these deployments we routinely see it catching malware or unwanted software that other AV programs miss.

So yes, it is time for a new approach to protection against viruses and malware. The old AV vendors have lost their edge, and we think the guys at Webroot have got the right idea.

For more information about Webroot from Cerberus Networks or to try the software for free for 30 days click on the links below.