Thursday, January 19, 2006

Why relying on virus signatures simply doesn't work anymore?

As a fan of VirusTotal and Norman's Sandbox being always handy when making analyses or conclusions, and me looking for metrics and data to base my judgments on, besides experience, I feel their "Failures in Detection" of VT deserve more attention then they it's actually getting. 

With over 14, 000 files submitted on a weekly basis, where most of them are supposedly 0day malicious software, it's a great resource to consider. Using these scanners for the basis of its service (saw yours?!), it is still able to conclude the plain truth - signature based anti virus protection is having deep troubles as a concept these days. 

Moreover, vendors covering or enjoying monopolistic competition in specific geographical regions, without having the necessary AV expertise is something that is actually happening. So what made me an impression?

Failures in Detection (Last 7 days)

- 14, 016 failures that is, infected files not detected by at least one antivirus engine
- 372 samples detected by all vendors

What's important to note here is that, response time towards a new piece of malware in the wild is crucial as always. But that's great when it's actually achieved. The independent folks at Av-test.org, have featured a very nice Excel sheet on the "Reaction Times of the latest MS05-039-based Worm Attacks"(2005-08-22) so you can take a look for yourself. 

And as I've once mentioned my opinion on the growing possibility of 0day malware on demand, proactive measures would hopefully get the attention of vendors. Some folks are going as high as stating that AV scanners and AV defense as a concept will eventually end up as product line extension of a security appliance? Though, I feel you will never be able to license a core competency of a vendor that's been there before the concept of DDoS started getting public! And obviously, the number of signatures detected by them doesn't play a major role like it used years ago. Today's competitive factors have to do with, but not only of course :

Heuristic
Policy-Based Security
IPS (Intrusion Prevention Systems)
Behaviour Blockers
Protection against Buffer Overruns


I also advise you to go though a well written research on the topic of Proactive Antivirus protection, as it highlights the issues to keep in mind in respect to each of these. Is client side sandboxing an alternative as well, could and would a customer agree to act as a sandbox compared to the current(if any!) contribution of forwarding a suspicious sample? Would v2.0 constitute of a collective automated web petrol in a PC's "spare time"? How sound is this and the other concepts in terms of usability and deployment on a large scale?

Signatures are always a necessary evil as I like to say, ensure that at least your anti virus software vendor is not a newly born company with a modest honeyfarm and starting to perceive itself as a vendor, vendor of what? Solutions or signatures?!

Don't get me wrong, my intention behind this post was to make you think, as a customer or decion-maker on the approaches your current vendor uses, and how to make better decisions. At the bottom line, it's still a vendor's sensor network or client side submissions, even exchange of data between them, that provides the fastest response to *known* malware!

Technorati tags :
,,,,,