Whether you call it "Anti-Malware" or use the traditional "Anti-Virus" name, it doesn't matter. The concept was OK back when humans could keep up with virus writers, at least reasonably, but that time is over... and has been for about 5 years.
Have you noticed how many new pieces of malware come out in a day? There have been a plethora of reports lately (like this one from Trend Micro) which are conclusive proof that current anti-malware solutions are failing miserably... but who's listening? Let's look at some of Trend Micro's metrics...
Wow. Just WOW.
Between October 2008 and June 2009, Trend Micro performed over 100 assessments on enterprises worldwide and discovered that:
- 100 percent of them were infected with active malware
- 50 percent had at least one data-stealing malware hidden in their networks
- 45 percent had multiple data-stealing malware infections
- 72 percent had at least 1 IRC bot
- 50 percent had 4 or more IRC bots
- 83 percent had at least 1 malware Web download
- 60 percent had more than 20 malware Web downloads
- 35 percent had at least 1 network worm
How do we justify what we spend on anti-malware defenses when we are still getting compromised, having our data stolen, and getting rooted over, and over, and over...?
I'll tell you how - the Kool-Aid that our management is drinking has gone to their heads. The sales and marketing campaigns that anti-malware companies have put behind these failed products are absolutely epic. The amount of money spent on marketing failed products like "anti-virus", I'm willing to bet, is more than most companies spend on their entire IT budget in a single year! What does that all add up to? The current state of ignorant vulnerability. We as IT professionals buy into this technology because... why? Because there isn't anything better? Because it's what we've always done? Why aren't there better solutions?
While doing some research into malware recently I snagged a few pieces of code that were graciously given to me by "anonymous" (yes, the same person who posts comments here)... samples which were still hitting a 0% detection rate days, and in some cases weeks, after being deployed in the wild and racking up hundreds to thousands of infections. Sites such as VirusTotal and some of the other ones out there were (at best) detecting them at ~5%... across all the major scan engines in existence.
Stop and think about this for a minute. The PCI-DSS requires that you set up and maintain a "vulnerability management program"... which effectively (under the document's current v1.2 standards) breaks down to "Requirement 5: Use and regularly update anti-virus software or programs". With metrics like near-zero detection rates, and Trend Micro's analysis showing 100% of companies compromised in some way... how do we justify this as even raising the bar? It's NOT raising any bars, ladies and gentlemen, not at all.
The industry best practices and guidelines are where the rubber meets the road for IT Security... and that point happens to be failing miserably right now.
So let's put out some suggestions then, right? For the average enterprise... this should be a no-brainer checklist...
- Take away administrative rights from everyone except administrators*
- *Administrators should only log in using admin accounts to perform specific duties
- Always make sure you're patched... make that a #1 priority
- Limit your users' access to non-filtered content (I highly recommend a white-list approach)
- Whenever possible use a read-only virtual machine where an infection would not persist
What needs to be done is for some vendor to work directly with the OS manufacturer to effectively baseline processes, services, binaries and expected behaviors, so that deviation from that baseline is what gets flagged rather than a match against a signature. I realize this is a monumental undertaking, but Microsoft and Apple (since we have to include them both here... both are equally vulnerable to user-ended attacks) have a duty to their customers to work to build a secure operating environment.
The most difficult part of this, of course, is all the add-ons that will inevitably come along... messaging clients, gadgets and widgets, games, end-user utilities and other toys that users simply can't help themselves from downloading and installing. But there has to be an alternative to signatures.
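To make the baselining idea concrete, here is an added example (my own illustration, not code from the original post or from any vendor) of the simplest form of it: hash every binary under a directory into a known-good baseline, then report anything added, modified or removed. The directory layout and file contents are constructed in a temp dir so it runs offline; a deviation is reported whether or not any scanner has a signature for what caused it.

```python
"""Minimal binary baseline: record SHA-256 of every file under a root,
then diff a later snapshot against it (added / modified / removed)."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_baseline(old, new):
    """Return paths that changed since the baseline was taken. Every entry
    is a deviation from the known-good state, independent of signatures."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: take a baseline, then simulate a compromise that
    overwrites one binary and drops a new one, and show the diff catches both.
    The file contents are placeholder bytes, not real binaries."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        (bin_dir / "svc.exe").write_bytes(b"original service binary")
        (bin_dir / "helper.dll").write_bytes(b"original helper")
        before = build_baseline(root)
        # Simulated post-compromise state (constructed for the example).
        (bin_dir / "svc.exe").write_bytes(b"modified service binary")
        (bin_dir / "dropped.exe").write_bytes(b"unknown new binary")
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline has to be taken on a clean build and stored somewhere the host cannot alter, and every approved add-on (the messaging clients and widgets above) needs to be re-baselined, which is exactly where the monumental part of the undertaking lies.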
Of course... every once in a while you read about something like this... and it takes every security counter-measure from the OS level up and throws it in the trash. C'est la vie.
If you'd like to read more on the topic... or simply want to read about the apathy that exists out there in the face of these atrocious numbers, read George V. Hulme's (@GeorgeVHulme on Twitter) article "Uncomfortably Numb: Malware Counts".