Hide Your Users, Hide Your Endpoint ’Cause They’re Infecting Everybody Out There — Antivirus Protection is No Longer Enough

Alert Logic Staff, Alert Logic · 3 min read · Jun 16, 2016

By: Soumitr Pandey

The Birth of the Antivirus Industry

A long, long time ago, in the mid-90s world of the “Hackers” movie, malware protection wasn’t standard practice, and virus code had little to nothing to do with bypassing security mitigations. Then the antivirus industry emerged. The industry had an easy job: identifying unique patterns in malware was straightforward and, thanks to the small size of the internet, any subscriber to an anti-malware solution was more likely to receive the signatures before encountering the actual malware.

Keeping Up With The Threats

However, all of this changed when the black hats attacked. Suddenly, there were way more viruses out in the wild, and the white hats couldn’t keep up. The internet had also grown exponentially, and people encountered new malware pieces before security products had a chance to release signatures. This led to the birth of heuristics-based anti-malware packages. These didn’t require unique code patterns; instead, they flagged potentially malicious software by the structure of the file itself and the data present in the different sections of an executable.

This wasn’t enough to deter the bad guys, since even heuristics-based malware detection was outclassed by strong encryption, which left malware files full of heavily randomized data. Black hats have full access to the same anti-malware software in popular use, and they can reliably write encryption software that renders the current generation of viruses completely undetectable by antivirus products. These crypters are so numerous that it is virtually impossible for an antivirus suite to keep up by releasing a signature every time a virus pops up wrapped in a new encryption layer.
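As an added illustration (not from the original article), this Python sketch contrasts the three stages just described over constructed byte samples: a signature check catches the plain sample, a seeded XOR keystream standing in for a crypter defeats the signature, and a per-section entropy heuristic still flags the encrypted body. The marker pattern, section names and threshold are made-up demo values.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Constructed demo values: a made-up signature pattern and an entropy threshold (bits/byte).
KNOWN_SIGNATURE = b"MALWARE_MARKER_v1"
ENTROPY_THRESHOLD = 7.0  # plain code or text usually sits well below this; encrypted data near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_keystream(data: bytes, seed: int) -> bytes:
    """Deterministic stand-in for a crypter: XOR the body with a seeded pseudo-random keystream."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def classify(sections: Dict[str, bytes]) -> str:
    """Signature check first; if nothing matches, fall back to the per-section entropy heuristic."""
    if any(KNOWN_SIGNATURE in body for body in sections.values()):
        return "malicious (signature match)"
    high: List[str] = [name for name, body in sections.items()
                       if shannon_entropy(body) >= ENTROPY_THRESHOLD]
    if high:
        # Only "suspicious": legitimately packed or compressed files look the same to this heuristic,
        # which is why a verdict here still needs behavior-based evidence to become a detection.
        return "suspicious (high-entropy sections: " + ", ".join(high) + ")"
    return "clean (no signature, no heuristic hit)"


# Constructed samples; real executables have many sections, two are enough to show the contrast.
BENIGN = {".text": b"mov eax, 1; ret; " * 200, ".data": b"Hello, world!\x00" * 100}
MALWARE_PLAIN = {".text": b"mov eax, 1; ret; " * 200, ".data": KNOWN_SIGNATURE + b"\x00" * 1000}
MALWARE_CRYPTED = {name: xor_keystream(body, seed=42) for name, body in MALWARE_PLAIN.items()}

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("plain", MALWARE_PLAIN), ("crypted", MALWARE_CRYPTED)]:
        print(f"{label:8s} -> {classify(sample)}")
```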

The next generation of malware protection software relies on data mining and machine learning to build an intelligent detection engine. These engines are, however, still in their infancy, and their detection performance in real-world or targeted tests remains an open question.

The Current State of Antivirus

Antivirus software is not enough in itself to protect the casual user, and certainly not even close to enough to protect corporate entities. The biggest weakness in security is lack of awareness. When it comes to secure environments, people should trust nothing and employ a healthy dose of paranoia — assume every executable is bad, every web page hosts exploits, and every link is an attempted phish.

Endpoint security has evolved to prevent the execution of any code not explicitly run by the user, but this doesn’t mean that antivirus is useless. It’s still an amazingly useful tool for detecting and stopping known malware. It is, however, wholly unable to keep up with the latest and greatest malware. This is why proper endpoint protection almost always includes behavior-based detection: it can detect the results of malware execution, such as rootkits on the system, suspicious background services or registry values, or even contact with known malicious hosts in the case of malware that relies on a command-and-control (CnC) server.

The best security practice would be to run a reputable antivirus product (pick one from the AV-Comparatives test reports), block all JavaScript and browser plugins, and use a password manager with strong password database encryption.

This article was originally published in the 2015 Winter Issue of Zero Day Magazine. Subscribe to Zero Day Magazine now and read more articles about IT security. Zero Day Magazine is a digital publication, powered by Alert Logic. Zero Day Magazine provides a broader view of the current state of IT security, vulnerabilities, and cloud security trends. Every quarter we deliver news, analysis, and commentary on the security challenges that industries face. Read it now!

About the Author

Soumitr is a computer science professional with a heart for security and breaking things. He graduated from the Indian Institute of Technology Roorkee with a degree in Computer Science and holds the OSCP certification. Currently, he is a content troll responsible for making sure all packets crossing a network are good. During the weekend he enjoys climbing mountains and chasing white rabbits. He also enjoys making weak input sanitizers, disabling user access control and rolling his own crypto.
