Federal agencies are big users of antivirus software, and regardless of their technical competence, government security professionals still find themselves victims of malware. Unfortunately, simply installing antivirus technology does not protect today’s endpoints.
In a 2014 Lastline Labs study on the effectiveness of antivirus scanners, much of the newly introduced malware went undetected by nearly half of the antivirus vendors. After two months, one third of the antivirus scanners still failed to detect many of the malware samples. The malware dubbed “least likely to be detected” went undetected by the majority of antivirus scanners for months or was never detected at all.
For those malware samples that initially eluded all of the scanners, the average time for at least one of the samples to achieve detection was two days. None of the antivirus caught every new malware sample.
Some significant drawbacks to antivirus software include:
- Antivirus software can impair endpoints.
- An incorrect decision may lead to a security breach when inexperienced users don’t understanding the prompts.
- False positives can be as destructive as false negatives. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives.
- Antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.
No matter how useful antivirus software can be, its drawbacks are causing information security professionals to take a second look at antivirus protection – and the alternatives.
Several years ago, the Milnsbridge Corporation sponsored case studies focused on a new approach, called CloudAV that moves antivirus functionality into the network cloud and off personal computers. The study focused on virtualizing the detection functionality with multiple antivirus engines, significantly increasing overall protection.
Traditional antivirus software that resides on most PCs checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved.
Some of the drawbacks deal with speed in handling the volume of data. While CloudAV stores previously screened data, processing time is an issue. There is also the concern of the cloud provider’s level of security in and of itself. Regardless, several CloudAV providers are available in today’s market.
Many of the existing operating systems come with antivirus software built in. Others may use application whitelistings (AWL) – as opposed to blacklisting – as an integral part of the OS.
Most people in the IT field are familiar with blacklisting because it is the technology used in almost every antivirus product in existence. It simply checks every new file on a system to see if it contains malware. If malware is detected, it is blocked from executing and carrying out any damage.
AWL is just the opposite. It will deny the execution of any application not previously and explicitly identified as “not malicious.” AWL offers more security primarily because it denies malicious code that has never been seen before (zero-day issues) and code that blacklists won’t recognize immediately. Security professionals must keep in mind that there is considerable expense in the AWL game, not only with the initial purchase but with the internal man-hours required to make changes and test new patches and application updates on the servers. Additionally, AWL will not permit IT managers to use their systems the way they like because it blocks non-malicious code such as new applications. Therefore, most users have traded security (whitelisting) for ease-of-use (blacklisting).
Another reason information security professionals are taking a second look at antivirus protection is the “cost vs. rewards” to their respective organizations. The advent of malware insurance has offset the cost incurred by damages from malware; however, there are also losses to one’s reputation and possibly even regulatory fines to consider. Couple this with the premise that no antivirus technology will guarantee 100 percent security, and government security professionals find themselves in a conundrum when faced with the task of providing cost-effective advice to senior executives.
So, what is an agency to do? While the drawbacks of using antivirus are all valid, many agree that the technology should still be used as part of a “security-in-depth” approach. Maintaining an arsenal of sophisticated security tools that protect the enterprise network from the “outside-inward” is still the preferred, balanced approach to security. Equally important, antivirus technology must be complemented with a good security education and awareness program along with other information security policies and procedures.