Thursday, June 30, 2011

The issue with antivirus software (2)

News has emerged of a new botnet that is trying to be indestructible by hiding in the MBR. According to the BBC article, 'Code that hijacks a PC hides in places security software rarely looks and the botnet is controlled using custom-made encryption.' It then goes on to say: 'The virus installs itself in a Windows system file known as the master boot record. This file holds the list of instructions to get a computer started and is a good place to hide because it is rarely scanned by standard anti-virus programs.'

Excuse me? MBR viruses are not exactly a new thing. They existed back in Novell days and it was a pain because you'd have to shut down NetWare to get to the DOS area to fix the damn thing. To me, this is yet again pointing out the flaw in AV software. It's being lazy and not doing its job properly.

AV software is basically arse about face. It scans for things that SHOULD NOT be there, whereas it should be scanning for things that SHOULD BE there and treating everything else as a threat. It really shouldn't be too difficult to have a database of common Windows files and the most popular applications/games/utilities in use today, along with their MD5 hashes, and scan against those to ensure the integrity of the system.

Both Vista and Win7 go some way towards this with things like UAC, but UAC needs to be a little friendlier and more granular to configure. If UAC could be configured to stop things editing start-up locations without user consent and from modifying key system attributes, then anti-virus software could start its very welcome decline into obscurity.

Tuesday, June 07, 2011

The issue with antivirus software

I hate anti-virus software. I really do hate the stuff. This is not a mere dislike but an actual hatred.

The reason for this is quite simple. In IT security terms, any security you deploy needs to do its job with minimal fuss. Too much fuss and the security system outweighs its usefulness, and after many tussles with anti-virus software I have come to the conclusion that AV software is a waste of time.

AV software is still far too reactive. It absolutely must have the latest definition files to have any hope of finding anything bad trying to infect the machine, and even with all the heuristics switched on it doesn't seem to have much luck.

As an example, I do all my web browsing in a sandbox thanks to a nice tool called Sandboxie. This tool creates a sandbox which will contain any downloads, requested or otherwise. This means that if a virus gets onto the machine it'll be contained, and this exact scenario happened to me not too long ago thanks to a mistyped URL. Examining the contents of the sandbox, I saw a very suspicious file which I submitted to VirusTotal. The results from that site are below.


Only four anti-virus programs, all with the latest definitions, actually spotted a harmful file. The others would have quite happily allowed the application to run and wreak havoc. Not good at all.

It is my belief that the best security is no longer in anti-virus software but in applications which prevent suspicious activity, just like the UAC tools Microsoft are now introducing. This technology needs to go further, though: it should be possible to have, as part of the boot process, a system which scans active files to ensure that no changes have happened since the last boot and, if required, reverts or deletes those files.

Along with these systems, I firmly believe that production computers, that is, office computers with email and corporate applications, need to be locked down much tighter. Server hardening and desktop hardening need to move forward, and better security is needed for portable devices so that they can only work on specific systems. The whole desktop security culture needs a huge revamp, and anti-virus software needs to be consigned to the same bin as the floppy disk.