Is there hope for antivirus programs?

Antivirus software is getting a bad rap right now. Justified or not, we need to step back and figure out how to fix it.


To start, let's define antivirus protection. Simply put, it's software that prevents malware from infecting computers. If that's agreeable to you, I then have to ask why computers protected by antivirus apps are still getting infected.

To explore this further, I enlisted the help of Rick Moy, president of NSS Labs, a company with the following charter:

"NSS Labs performs expert, independent security-product evaluations to assist end-user organizations in selecting the right security products for their environment."

I initially learned about NSS Labs while doing research for a piece about browsers and their ability to fend off malware. Since that article, Rick and I have had several interesting conversations about the current malware versus antivirus software climate, something NSS Labs is very interested in. With that in mind, I asked Rick several questions about the seemingly epic battle:

TechRepublic: You mentioned there are two classes of malware threats, user attacks and machine attacks. Could you explain what you meant? Moy: Taking a high view, malware can be defined by the way it executes:
  • Attack on the User: Users are tricked into downloading and executing software containing malware such as fake AV, video codecs, and pirated software. In this case, the user is the vulnerable or weak link.
  • Attack on the computer: Attackers exploit vulnerabilities in computer software without the user's knowledge. For example, visiting a malicious Web site with a vulnerable browser usually leads to exploitation and the installation of malware. All without any user interaction.

The first threat is solved by a combination of user education and reputation systems (like those provided in Internet Explorer 8, Firefox, or Chrome) that warn people that the software they are about to download is infected. Some AV products have this as well.

The second is solved by Host Intrusion Prevention Systems (HIPS), not traditional AV. They do this by operating in memory and inspecting data as it streams onto a computer. HIPS also inspect processes before allowing them to run. This once-stand-alone technology is increasingly being integrated into endpoint security products.

TechRepublic: During our talks, you mentioned that antivirus software usually has three components, each focusing on a different aspect of malware. I found that interesting and would appreciate you elaborating on that. Moy: Operation Aurora is a great example. It consists of all three stages; vulnerabilities, exploits, and malicious payloads. This distinction is often confused in discussions, but critical to understanding how to effectively block attacks.
  • Vulnerability: Is a bug in software code that allows a product to be exploited, e.g., a buffer overflow.
  • Exploit: Is a specially crafted code sequence that can leverage vulnerabilities within an application. Some examples would be heap sprays and buffer overflow attacks. An exploit can be hiding in an infected Web site (client-side attack) where it ambushes visiting computers or be launched from another computer (remote attack).
  • Payload: Is malicious content that gets delivered once the vulnerable application has been exploited. Payloads are the actions performed on the compromised target computer, such as command execution, writing a downloader or Trojan to disk, or returning a reverse shell.

The following graph shows the relative volume of attack components at each stage.

Rather than chasing malware payloads, endpoint security products should focus more on vulnerability protection. That's because the number of vulnerabilities is far smaller, and therefore more manageable.

TechRepublic: According to antivirus software companies, their products will protect against malware. You feel that users are being somewhat misled by those claims. Could you please explain? Moy: At the end of 2009, we surveyed 500 visitors to our Web site and found that 46% expected their antimalware product to stop 100% of the threats. Major security vendors estimate 30+% of machines they scan have some form of malware. The statistics show that malware is far from under control.

TechRepublic: It only takes one time of having a protected computer become infected for people to realize something is not quite right. What do you think the problem is? Moy: We are fighting an asymmetric battle right now; the bad guys have more power than the good guys. As defenders, we need to watch and guard ALL possible avenues of attack. As attackers, cybercriminals only need to find ONE to exploit our systems. They are motivated and disciplined, testing their malware creations until they get an effective strain, i.e., one that evades the most antivirus products and infects the most machines.

Going forward, software developers must write more secure code, in order to reduce the number of vulnerabilities. Users must educate themselves and patch frequently.

TechRepublic: I have been a strong advocate of: If you keep the operating system and application software up-to-date, there is no problem. You gave an example of why that's not always true. Could you share it? Moy: While it's important to apply the latest software patches, this will not guarantee your safety. Patches are only written to address known issues. Cybercriminals are constantly developing and using new attacks that have yet to be discovered by the security community, so called zero-day attacks.

Zero-day exploits give attackers a window of opportunity. That is, until analysts can figure out what's going on and push out a signature file and/or patch. It's during that time frame when behavioral protection may help.

TechRepublic: You seem optimistic that antivirus applications can be improved to where they will be effective. What will it take? Moy: There are clearly areas where antivirus products can improve. In our recent study of the Operation Aurora attack, we found six out of seven products were not stopping exploit variants. And, they had mixed results in detecting the malicious payloads.

Security products should evolve to provide more vulnerability-based protection. Reputation services are also key technologies for reducing end-user exposure, but not all vendors use them. Finally, security vendors should embrace more real-world testing and third-party services to drive innovation and quality.

TechRepublic: You mentioned that NSS Labs uses a different methodology when testing security products. Could you tell us about that and why you feel it is a better way? Moy: Given the speed with which new threats arrive and spread through the Internet, legacy testing techniques are no longer a relevant measure of a product's capabilities. Thus, NSS Labs has developed a unique "Live in-the-cloud" testing framework that emulates the experience of average users.

Client machines visit malicious Web sites using their Web browsers and attempt to download malware. Files not blocked are then executed dynamically. This new test methodology focuses on threats currently active on the Internet and is the best predictor of protection offered by a product.

Recurring testing introduces malware into the test harness within a few hours of discovery, as malicious URLs are visited every few hours. This enables us to measure how long it takes a vendor to add protection, since few sites are stopped on the first visit. These metrics help show the significant differences in effectiveness among products.
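As an added example (not from the article or NSS Labs), here is how the recurring-visit metrics Rick describes could be computed from a harness log: the share of malicious URLs blocked on the first visit, the average hours until a vendor added protection, and which URLs were still unblocked when the window ended. Product names, URL ids, times and block results are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample harness log (not NSS Labs data). Each record is
# (product, url_id, visit_time, blocked); every malicious URL is revisited
# every few hours until the product blocks it or the test window ends.
SAMPLE_LOG = [
    ("ProductA", "url-1", "2010-03-01T00:00", True),
    ("ProductA", "url-2", "2010-03-01T00:00", False),
    ("ProductA", "url-2", "2010-03-01T04:00", False),
    ("ProductA", "url-2", "2010-03-01T08:00", True),
    ("ProductA", "url-3", "2010-03-01T00:00", False),
    ("ProductA", "url-3", "2010-03-01T04:00", False),  # never blocked in window
    ("ProductB", "url-1", "2010-03-01T00:00", False),
    ("ProductB", "url-1", "2010-03-01T04:00", True),
    ("ProductB", "url-2", "2010-03-01T00:00", True),
    ("ProductB", "url-3", "2010-03-01T00:00", True),
]


def summarize(log):
    # Group visits per (product, url) so each URL's history can be inspected.
    visits = defaultdict(list)
    for product, url, ts, blocked in log:
        visits[(product, url)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), blocked))

    stats = defaultdict(lambda: {"first": 0, "total": 0, "delays": [], "never": []})
    for (product, url), rows in visits.items():
        rows.sort()  # chronological order
        s = stats[product]
        s["total"] += 1
        first_time, first_blocked = rows[0]
        if first_blocked:
            s["first"] += 1  # stopped on the first visit
            continue
        later = [t for t, blocked in rows if blocked]
        if later:  # hours between the first miss and the first block
            s["delays"].append((later[0] - first_time) / timedelta(hours=1))
        else:
            s["never"].append(url)

    # Per-product metrics: first-visit block rate, mean time to add protection,
    # and URLs that were still not blocked when the window ended.
    return {
        p: {
            "first_visit_block_rate": s["first"] / s["total"],
            "mean_hours_to_protect": sum(s["delays"]) / len(s["delays"]) if s["delays"] else None,
            "never_blocked": sorted(s["never"]),
        }
        for p, s in stats.items()
    }
```

Running `summarize(SAMPLE_LOG)` shows the kind of gap the text refers to: ProductB stops two of three URLs on the first visit and closes the remaining one in four hours, while ProductA takes eight hours on one URL and never blocks another.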

TechRepublic: With that unique approach do you feel that you can be of service to antivirus software developers? Moy: Absolutely. Our engineers take a hacker's approach to testing - with the gloves off. Without such an approach, testers merely validate what a product can do. It's important to find what a product can NOT do, before the bad guys do. We have already helped many of the world's best known security companies improve their products.

Final thoughts

Three comments by Rick really stood out:

  • Defenders need to protect all possible avenues of attack, the bad guys only need one to exploit.
  • Endpoint security products should focus more on vulnerability protection.
  • Test security products in a way that emulates the experience of average users.

To me, these three simple statements clarify the problem and what needs to be done. What do you think?

I would like to thank Rick Moy of NSS Labs for sharing his insight about a subject near and dear to all of us.