Don’t let antivirus be your permeable safety blanket.

Gary Glover, Director of Security Assessments
Antivirus is the safety blanket computer users and businesses have used for decades. They trust it. They swear by it. Gartner estimated corporations spent a whopping $3.4 billion on antivirus products in 2012. Consumers spent $5 billion.

But antivirus isn’t as effective as it was in the 1980s and 1990s.

According to AV-Test.org, 220,000 malicious programs are found every day. The problem is, antivirus software can only detect about 60% of these threats. Even the company that invented antivirus (Symantec) has come out to say ‘it’s dead.’

(Before I go any further, note that I will no longer be using the word ‘virus’. Spyware, adware, worms, Trojans, and viruses all have different functions, but they’re all unwanted malware doing questionable things. So, virus = malware and antivirus = antimalware. Ok?)


Antimalware is a reactive technology

Anti-malware is signature-based. It’s not artificial intelligence. That means anti-malware software only flags malware that is known to be malware.

Let me explain how it works. The anti-malware company creates a signature for each type of malware on its radar. The company pushes new malware signatures out to your program in every update (which is why it’s so important to regularly update your anti-malware software). When the anti-malware program on your computer finds something that matches a signature, the software quarantines it. Sounds great, right?

Here are a few problems with signature-based software.
  • New malware is created every day. If malware stays under the radar and the company doesn’t know about it, your anti-malware program won’t catch it.
  • Existing malware is modified into new strains every day. Even if the original malware is picked up by signature-based software, if the new strain is different enough, the software may not recognize it.
  • Some malware programs are programmed to modify themselves every time they are installed, or every day, or every time your computer shuts down. Ultimately, these strains of malware can slip past anti-malware software every single time.
Basically, anti-malware software is reactive technology, rather than preventative. It’s playing catch-up with attackers. It’s never ahead of malware.

Does it surprise you that 31% of all computers in the world are infected with malware?

That being said, every business and every person should still install, update, and run anti-malware on systems regularly. Besides being a PCI DSS requirement (PCI DSS Requirement 5), anti-malware is a critical layer in your whole security strategy. Just because it isn’t cutting edge technology doesn’t mean it won’t find lots of old malware still floating around out there.

Another important layer: file integrity monitoring

File integrity monitoring software (FIM) is another crucial layer in your security system that works well with anti-malware programs. It’s also another PCI DSS requirement (PCI DSS Requirement 11.5.)

When you run anti-malware and FIM in conjunction, the combination is much more effective than either system separately. FIM shows you the changes occurring in your system. For example, you can see that yesterday at 2 p.m. a file was added in an odd location while no one was doing an update of your system. Chances are, it’s malware that was added when you visited an infected website and it wasn’t detected by anti-malware. After doing a little detective work following that track in the sand, it’s easy to wipe that piece of malware clean off your system.

The distinct difference between anti-malware and FIM is, if anti-malware finds something, you can be 99% sure it’s a piece of malware. If FIM finds something, it may be tipping you off to a problem that anti-malware hasn’t created a signature for yet, or it may have just found a false positive.
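To make the two detection models above concrete (signature matching that only catches what it already knows, versus FIM that reports every change and leaves the judgement to you), here is a small added example; it is not code from the post or from any product, and the "signature database", file names and payload bytes are all constructed for the demonstration:

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "signature database": SHA-256 of one known-bad byte string.
# Real products use richer signatures; a content hash stands in for one here.
KNOWN_BAD = b"constructed-malicious-payload-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Sample.A"}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_signatures(root):
    """Reactive check: flag only files whose hash matches a known signature."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            name = SIGNATURES.get(sha256_of(p))
            if name:
                hits[str(p.relative_to(root))] = name
    return hits

def baseline(root):
    """FIM baseline: relative path -> content hash for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in Path(root).rglob("*") if p.is_file()}

def diff_baseline(old, new):
    """FIM report: files added, removed, or modified since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def demo():
    """Constructed scenario in a temp dir: the byte-for-byte known sample trips the
    signature scan, a one-byte variant does not, and FIM reports both as new files
    (plus a benign config edit an analyst must triage: FIM flags change, not intent)."""
    root = tempfile.mkdtemp()
    (Path(root) / "app.cfg").write_bytes(b"setting=1\n")
    before = baseline(root)                                    # known-good snapshot
    (Path(root) / "known.bin").write_bytes(KNOWN_BAD)          # known strain
    (Path(root) / "strain.bin").write_bytes(KNOWN_BAD + b"x")  # modified strain
    (Path(root) / "app.cfg").write_bytes(b"setting=2\n")       # legitimate change
    return scan_signatures(root), diff_baseline(before, baseline(root))
```

The signature scan returns only `known.bin`; the FIM diff lists `known.bin` and `strain.bin` as added and `app.cfg` as modified, which is exactly the "detective work" the post describes: the change is surfaced, and you decide which of the three matters.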

Companies out there are working on developing new anti-malware strategies that are more effective for today’s malware. One of these companies is Cylance. Rather than creating another signature-based malware finder, they're thinking about it a different way by combining elements from both antimalware and FIM software.
Recommendation

As a QSA and security professional, I recommend that you keep using anti-malware software. Make sure it’s updated. But also be sure to incorporate file integrity monitoring software into your malware discovery strategy. The first time you find malware that slipped past all your other defenses, you’ll realize its true value.

Need help setting up your antimalware/file integrity monitoring strategy? Schedule a free consultation today.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.