I have always thought the idea of scanning for viruses to be flawed, well certainly as a security measure. Yet nearly all of you reading this article will be relying on just that technology to protect your networks, PCs and laptops.
The last twelve months have provided enough evidence to convince the most sceptical of analysts that the defences are broken and anti-virus scanning is just not up to the job. Slammer, Sobig, Blaster, Swen et al have all managed to wreak havoc not only on the humble home user but on corporate users alike. Research carried out by Hewlett-Packard’s Matthew Williamson in its Bristol labs has confirmed my belief that the signature approach to virus detection is fundamentally flawed.
Williamson’s research first published in New Scientist (September 2003) found that even if a signature is available from the moment a virus is released, it cannot stop the virus spreading if it propagates fast enough. “These fast viruses are what we are getting at the moment”, Williamson says, adding that they are getting better at being quicker.
Government Health Warning
So why aren’t the anti-virus vendors issuing government-style health warnings with their software to warn us that they might not be able to prevent virus infection? Why is it that nearly every article I read on the subject of virus defence always urges the reader to use anti-virus software? Keeping it up to date, of course! It almost feels like a conspiracy to fleece the computer user out of more and more cash. Dear reader, the situation is even worse than you might be beginning to think. Having spoken to several organisations that still became infected despite having the latest anti-virus updates deployed, I have found that in certain circumstances some products just don’t work as advertised. One possible cause of this type of incident is remote users connecting to the network: it seems possible that already identified viruses can sometimes slip “under the wire” undetected.
There has been much debate within the anti-virus community over the past ten years about the effectiveness or otherwise of behaviour blocking techniques, as a generic protection against malicious code. The general conclusion is that behaviour blocking gives rise to too many false positives to be of use. However, I wish to contest that conclusion.
There are many forms of behaviour blocker; some go to extraordinary lengths of complexity to decide whether the code in question is malicious or not. They endeavour to analyse the suspect code, derive its programmed actions and then compare these against a rule-based database to reach a conclusion. I favour a simplistic approach.
I have always maintained that your response to malicious code should be aimed at a more basic level. For all users, you can make the case that there should be no reason for them to have the ability to download or copy new executable code onto their PCs. Why should this be the case? For three good reasons: firstly, because of the threat of malware (all malicious code is executable by default). Secondly, because as an organisation you would want to restrict the programs in use to properly licensed software. Thirdly, so that you can properly test any new software before it runs on your PCs and networks, both for correct operation and to make sure it does not conflict with any other currently installed program. Why do we continue to allow users this freedom? I think mainly because of the myth that without the ability to introduce new executable code, the PC and/or its installed software will not function correctly. Well, this myth is long out of date and needs revision. It is perfectly possible to control a network of PCs in this manner and, in doing so, drastically reduce the threat from malicious code without the overhead of having to keep this method of protection updated on a monthly, weekly, daily or even hourly basis. The “KISS” principle (Keep It Simple, Stupid) applies to computer security just as to any other field.
New Improved Approach
Interested? Well, I hope so, since we have many reported incidents of attacks where networks protected with this type of defence remain intact and “clean” whilst others under the same administration, but without the benefit of this protection, get infected with the latest virus or worm. Routine installation of new software or software updates can be performed by the administrator with the protection in place, either on a single PC or by means of a software distribution package to the entire network. I’m not suggesting for one moment that you throw away your anti-virus software; it is still useful and another level or layer of protection. What it does mean is that you will finally be using your anti-virus software in the way it was originally conceived to be used (to detect a known virus that you have either isolated or trapped). AV software was never designed to be a security barrier; as you know, it is only as good as its last update, and even then, as you have learnt here, that might not be enough.
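To make the default-deny idea concrete, here is an added example (not Reflex Magnetics’ product or any code from the original article) that simulates an administrator-maintained allowlist of executable hashes beside a signature scanner whose last update predates a new worm. All file contents, paths and the signature are constructed stand-ins.

```python
import hashlib

# Constructed sample executables (stand-ins for real binaries) for the demo.
APPROVED_APP = b"MZ-constructed-approved-editor-v1"
NEW_UPDATE = b"MZ-constructed-approved-editor-v2"
NEW_WORM = b"MZ-constructed-unknown-worm-payload"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureScanner:
    """Blocklist model: a file is stopped only if a shipped signature matches it."""

    def __init__(self, signatures):
        self.signatures = list(signatures)  # patterns from the last update

    def permits(self, data: bytes) -> bool:
        return not any(sig in data for sig in self.signatures)


class ExecutionControl:
    """Allowlist model (default deny): a file runs only if the administrator
    approved its exact hash beforehand; no signature database is consulted."""

    def __init__(self):
        self.allowed = set()
        self.audit = []  # (path, hash, decision) records for the admin to review

    def approve(self, data: bytes) -> None:
        """Administrator step: install or distribute software and allowlist its hash."""
        self.allowed.add(sha256(data))

    def permits(self, path: str, data: bytes) -> bool:
        digest = sha256(data)
        ok = digest in self.allowed
        self.audit.append((path, digest, "allow" if ok else "deny"))
        return ok


def compare_defences():
    """Run one unknown worm and one sanctioned update past both defences.
    The scanner only knows an older virus; the allowlist needs no update
    to deny the worm, yet still lets the admin-approved update run."""
    scanner = SignatureScanner([b"old-known-virus"])
    control = ExecutionControl()
    control.approve(APPROVED_APP)  # baseline build
    control.approve(NEW_UPDATE)    # update pushed by software distribution
    return {
        "worm_passes_scanner": scanner.permits(NEW_WORM),
        "worm_runs_under_control": control.permits("C:/Users/u/worm.exe", NEW_WORM),
        "update_runs_under_control": control.permits("C:/Apps/editor.exe", NEW_UPDATE),
        "denials_logged": sum(1 for rec in control.audit if rec[2] == "deny"),
    }
```

The audit list is what turns a denied execution into the "trapped" sample the article says anti-virus was designed to identify.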
There is a better way forward: security, as always, is never just one product or technology but layers of defence. I strongly advise you to look at other means of protection to use in conjunction with your anti-virus software if you want to remain virus free into the future.
Reflex Magnetics Ltd are exhibiting at Infosecurity Europe 2004 which is Europe’s number one IT Security Exhibition. Now in its 9th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27th to the 29th April 2004.