Thursday, April 12, 2007

Active vs. Reactive protection

Hello all.

I want to bring to your attention the following article written by fellow blogger Kurt Wismer: defensive lines in end-point anti-malware security. I especially like it because it puts AV technology in place and creates a good foundation to start any meaningful debate.

Here are my opinions on the matter (in no particular order):

  • All the technologies enumerated in the post can be categorized either as active or as reactive. Content filtering is reactive (even with heuristics - see my point below) while application whitelisting is active. From a security standpoint active technologies are preferred over reactive ones; however, they usually result in reduced usability (if you state to the user that s/he can use only a certain set of applications, there is a very big chance that s/he will be dissatisfied).
  • Heuristics isn't "magic which can catch unknown malware". It only means that software can catch a large category of malware generically (for example all the programs which try to access Device\PhysicalMemory directly to hide themselves). It catches unknown malware in the sense that the given sample was (possibly) never seen by a human analyst, but it is still based on known principles. Because of this, every heuristic solution can be defeated by (a) using unknown techniques (b) not using a given technique or (c) obfuscating the usage of the technique.
  • Given the above facts, the Consumer Reports debate is meaningless - or meaningful in the restricted sense that it tries to communicate the message which was always known in the AV industry: it is always possible to create undetectable malware (and malware authors can simply do this by iterative development - creating a variant and testing it against AV products, modifying it, testing it again and so on until they don't detect it). This is a fact which the marketing departments of AV companies often try to avoid, because they would like to give the impression that you can buy total protection for your money.
  • This is also why you are better off choosing an AV vendor different from the big two: malware authors usually test their products against them and don't bother to try to avoid the detections of the smaller ones (because it doesn't make sense from a business standpoint - if clients have a certain type of AV with a high probability, it is enough to evade the detection of that product to infect a considerable number of computers).
  • Given its reactive nature, the two things you can test meaningfully when comparing AV solutions are (in this order): (a) reaction time and (b) the program's ability to clean up after the infection. The flow of events usually is as follows: malware gets developed -> it starts to spread -> it spreads to a statistically large enough user base for the AV company to get samples -> signatures are developed and distributed -> the infected machines are cleaned. Because of this it is very important to run all the programs with the lowest possible privilege so that they can't subvert the AV solution before it gets a signature.
  • Most AV products today try to offer additional features (like firewalls or network traffic filtering) to defend against attacks which are not part of the traditional file-based security model (for example exploits which travel over the network and never touch the disk, or which touch the disk only when it is already too late because the browser executed the code and they are in the browser cache). However, these solutions are also signature based and reactive (which is not necessarily a bad thing, but one must keep it in mind when evaluating such a solution).

And finally: for static environments (like companies or home users with a limited set of needs) whitelisting is the way to go. Unfortunately this approach does not have enough marketing money behind it and is too complicated for the home user to implement (if s/he knew what applications are safe / not safe we wouldn't have this problem in the first place). For home users managed security would be the way to go, but since there is no user awareness this too remains mostly reactive (in the sense that you call somebody after your computer breaks, not before to prevent it).
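To make the active/reactive distinction concrete, here is an added example (not code from the original post) that runs the same five files through a signature blocklist, a heuristic rule and an application whitelist. The file contents, names and the byte-marker "heuristic" are constructed simplifications; a real heuristic engine inspects behaviour, not a literal string.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents (not real samples).
SAMPLES = {
    "approved_editor":   b"constructed: approved editor build",
    "seen_malware":      b"constructed: old sample, opens \\Device\\PhysicalMemory",
    "unseen_same_trick": b"constructed: new sample, opens \\Device\\PhysicalMemory",
    "unseen_new_trick":  b"constructed: new sample, technique with no rule yet",
    "unapproved_tool":   b"constructed: harmless utility nobody vetted",
}

# Reactive: a signature exists only for what the vendor has already collected.
SIGNATURES = {digest(SAMPLES["seen_malware"])}
# Reactive: a generic rule for one known technique (assumed marker, simplified).
HEURISTIC_MARKERS = [b"\\Device\\PhysicalMemory"]
# Active: only programs vetted in advance may run.
ALLOWLIST = {digest(SAMPLES["approved_editor"])}

def signature_allows(data: bytes) -> bool:
    """Default-allow: block only exact matches of known-bad files."""
    return digest(data) not in SIGNATURES

def heuristic_allows(data: bytes) -> bool:
    """Default-allow: block anything showing a known technique."""
    return not any(marker in data for marker in HEURISTIC_MARKERS)

def allowlist_allows(data: bytes) -> bool:
    """Default-deny: run only what was explicitly approved."""
    return digest(data) in ALLOWLIST

def decisions() -> dict:
    """Return {sample: {policy: allowed?}} for every constructed sample."""
    return {
        name: {
            "signature": signature_allows(data),
            "heuristic": heuristic_allows(data),
            "allowlist": allowlist_allows(data),
        }
        for name, data in SAMPLES.items()
    }

if __name__ == "__main__":
    print(f"{'sample':<20}{'signature':<11}{'heuristic':<11}allowlist")
    for name, d in decisions().items():
        cells = ["run" if d[p] else "BLOCK" for p in ("signature", "heuristic", "allowlist")]
        print(f"{name:<20}{cells[0]:<11}{cells[1]:<11}{cells[2]}")
```

Only the whitelist stops the sample that uses a technique with no rule yet, and it is also the only policy that blocks the harmless but unvetted utility, which is the usability cost described in the first point.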
