Do not go on the Internet unprotected. If you do, you’ll regret it. Advice like that is common everyday fare. What follows is not:

“What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.”

That’s from “Why antivirus companies like mine failed to catch Flame and Stuxnet,” a recent post by Mikko Hypponen, Founder and Chief Research Officer of F-Secure — a significant player when it comes to protecting digital equipment.

Statements like that aren’t normal for Mikko (his TED talk); the well-regarded computer-security guru is typically upbeat about things digital. I contacted Mikko asking if he had any further thoughts:

“Regular antivirus works fine for the regular malware out there. It doesn’t work well against government-funded super-malware. How likely is it you may be targeted by super-malware? I guess it depends on what you’re doing.

Bullet-proof vests and helmets work fine against a street robber who is out to get anyone he can find. They don’t work well against a government assassin who is out to get you and only you. How likely is it that are you may be targeted by a government assassin? I guess that also depends on what you’re doing.”

Mikko is referring to the new family of stealthy malware (military malware and super-malware are names I’ve found) that include Stuxnet, DuQu, and Flame. In gathering facts for this article, I found this was not the first time people questioned traditional antivirus programs.

I’d like to introduce Paul Schmehl, Senior Information Security Analyst at the University of Texas-Dallas. Paul, a fine writer, penned “Past its Prime: Is Antivirus Scanning Obsolete?” for SecurityFocus. The lead paragraph:

“The title and topic of this article is clearly controversial. It is guaranteed to get a strong reaction from the antivirus industry, which is firmly convinced it sees clear sailing ahead. So, is antivirus scanning obsolete? In a word, yes, but don’t throw out your scanner.”

It seems Mikko is not alone and not the first. Paul wrote that 10 years ago.

The final person I’d like to introduce is Bruce Schneier. Bruce is highly regarded when it comes to any kind of security. To see what I mean, check out Bruce’s new book, Liars and Outliers. In 2009, Information Security Magazine carried “Is Antivirus Dead?“, a point/counterpoint discussion between Bruce and Marcus Ranum. Bruce had this to say:

“Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won’t protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea.”

To be fair, all three feel antivirus applications have their place, but the methodology signature-based antivirus programs subscribe to appears less than adequate.

Playing catch-up

During our phone conversation, Paul likened the problem facing traditional antivirus programs to the “Whac-A-Mole” game, where a pretend mole pops up and the contestant tries to smack the poor critter before it disappears. Paul explains the similarity:

“Anti-virus scanning is based on Newton’s law; for every action there is an equal and opposite reaction. Each time a new virus, or a new viral approach is discovered, anti-virus scanners must be updated.”

Paul continues:

“It isn’t hard to see there is a point of diminishing returns, where updating is no longer feasible because testing takes too long. At that point, customers begin to look for other solutions to overcome malicious threats.”

Any hope?

Bruce and Paul have ideas as to what can be done to improve the situation. I’ll start with Paul. Back in 2002, he was excited about something called Behavioral Blocking. I’ll let him explain:

“The solution is to run unproven programs in a protected, virtual environment. This will allow the program to perform all functions it normally would, both during installation and after it is running normally. Each action the program takes can be compared against a set of rules, and rated as to its likelihood of being malicious or not.

Programs that rate above a certain number or perform certain actions would be automatically deleted. Those in a lower range would be quarantined so that security administrators could examine them more closely. The rest would simply be passed back to the network intact.”

Paul feels this approach has some merit. Unfortunately, behavioral blocking has not gathered momentum with other security experts, but a process called Whitelisting has. According to Bruce:

“Security would be improved if people used whitelisting programs such as Bit9 Parity and Savant Protection — and I personally recommend Malwarebytes’ Anti-Malware.”

Even with their optimism, both caution that whitelisting has issues:

  • It is not user-friendly.
  • Administrative overhead from change requests and software additions.
  • No way to handle malware that attaches to data files.
  • It is not difficult to rename files.

Besides behavioral blocking and whitelisting, there are startup companies chipping away at the problem — CrowdStrike and Shape Security for example. Both make interesting claims, have received significant funding, but neither company will release information about their technology.

Update: I just received an email from Mikko, he felt it important to clarify the following:
“One point about Whitelisting: Practically every Windows whitelisting app allows executing unknown executables if they are signed by Microsoft (otherwise Windows patching would fail). That’s fine — except Flame was signed by Microsoft.”

Final thoughts

Unless I missed something, I do not see any effective technical solutions at this time. I asked Paul and he agreed. Paul added that working for a teaching institution, it was only natural for his department to focus on educating students and faculty about computer security. I asked Paul if they noticed any improvements. Paul enthusiastically replied, “Better than they had hoped.”

As I hung up the phone, I remembered an article by TechRepublic writer, Chad Perrin, “Teach a man to fish.”