Overhaul Anti-Virus Products NOW

It's been a few weeks since the below story appeared in SANS NewsBites, but I wanted to point it out to the community. The story, and subsequent NewsBites editor comments, speaks volumes to not only challenges with Anti-Virus that we're currently experiencing, but also to the attitude of the established Anti-Virus industry towards anyone not already part of their collective. I've lamented about the state of the anti-virus industry in the past, but this particular problem is the most dire for their industry - and the rest of us. The nature of the industry's rebuff of Ed Skoudis and Tom Liston (both highly-respected and recognized security professionals) that is discussed in the comments section below echoes of attitudes I've found amongst individual "antivirus researchers" with whom I've worked - some even as peers and coworkers. I think the root of the problem is Antivirus companies and contributors have developed their own self-serving, self-congratulating circle that espouses "group think" and rejects constructive criticism from anyone not a part of this clique. Further, they do not see themselves as security analysts and companies. Malware has become woven into the fabric of the security challenges facing entities in the 21st century and at this point the two can scarcely be separated in many cases. It's time these companies and contributors begin seeing themselves as part of the larger security industry, not simply a clique that sits at the "cool kids" table at lunch.

-- Overhaul AntiVirus Product Testing Now
(October 10, 2007)
Momentum is growing for an overhaul of the way anti-virus products are tested. Presently, tests focus on signature-based malware detection and have changed little over the last 10 years. However, anti-virus technology is changing to meet the demands created by new malware, and the organizations believe that tests need to be reformulated to reflect that change. The tests don't examine the effectiveness of behavioral anomaly malware detection, a technique that is proving valuable in catching malware that spreads quickly. Proposals for new testing methods and procedures will be presented in November at the Association of AntiVirus Asia Researchers 2007 Conference in Seoul, Korea.
[Editor's Note (Skoudis);: Given the change in threat, with new malware introduced every hour, this is a good development. My colleagues and I have been pushing for something like this for about 2 years now. I made a call very much like this at a talk during the Anti-Spyware Coalition meeting in February 2006. My colleague Tom Liston and I released a tool called Spycar a year and a half ago to test the behavior-based claims of anti-malware vendors, and discovered that most were either not doing any behavior-based detection at all or had severely broken behavior-based functionality. Many of the anti-malware vendors publicly scoffed at our testing, while a few said that our results were interesting. Just last month, my colleague Matt Carpenter and I tested a bunch of products again, and found that the behavior-based detection capabilities of all the major vendors were severely lacking. I'm hopeful that this new initiative will help improve the state of
behavior-based detection.
(Liston): Saying we were "skoffed at" is Ed's way of being polite. Essentially, they told us that we were amateurs who didn't know what we talking about, even _after_ we had discovered and disclosed serious flaws in the behavior-based detection offered by several major vendors. With increasing numbers of malware being released and the rise of targeted malcode attacks, behavior-based detection is going to become
anti-malware's front line defense. It's nice to finally see this reality being addressed by AV vendors' testing methods, and, of course, it's also nice to be vindicated.
(Northcutt): The anti-virus industry has served us well. Without them, computing might well have failed, but they are a tad stuck in their ways and malware grows ever more complex. I hope that projects like Spycar, which hold vendors responsible for something beyond signature detection, continue to prosper.]

1 comment:

Livingston said...

I saw this article which I'm sure you've already seen, but just in case... It's a little lighter on detail than you were, but it makes some nice points. For example, he points out that blacklisting (which signature-type detection effectively is) is doomed to fail just looking at issues of scale (even if viruses weren't adaptable as they are becoming). But my favorite point of the article is pointing out how many problems could be avoided if ...you could just, y'know, not run as an administrator,.. I think his take on this is a little simplistic, and would not completely prevent exploits. But he's right in that it would significantly narrow the field of that which is exploitable. And it kind of made me laugh and then say "duh" as I read it. It does annoy me that the Mac model for this type of security works so well, and the Windows model is, "here click this box, now you're an administrator, you won't have any more problems *cough*."