
Beyond Antivirus

Editorial Type: Opinion    Date: 09-2014    Views: 2841
Comodo's Melih Abdulhayoglu explains his company's unique approach to sandboxing and the powerful protection this delivers

Antivirus has been a central component of network and endpoint security for many years, and it's a central part of many IT budgets. But is it fit to defend against modern threats? With the network no longer a controlled, secure perimeter, can traditional endpoint technologies protect against targeted, aggressive malware that no longer fits established patterns?

We spoke to Melih Abdulhayoglu, CEO of Comodo Group, which he founded in 1998. He also works with The Scientific and Technological Research Council of Turkey, and initiated the Common Computing Security Standards Forum (CCSS). Here are his conclusions...

"Conventional antivirus scanners can't deal with a tidal wave of new malware each day. AV-Test Labs recently estimated that there are up to 55,000 new malware variants released into the wild each day. Other security firms claim that they identify as many as 200,000 new threats daily. Comodo's own network reports up to 300,000 malware variants every day. This makes it virtually impossible for the files of known viruses used by conventional scanners to be fully up to date.

"To make matters worse, hackers are increasingly using strategies developed originally by governments for espionage known as 'Advanced Persistent Threats'. APTs by nature are similar to conventional attacks, but generally harder to detect and prevent, because they use unknown zero-day exploits that have not yet been identified for inclusion in virus scanners or addressed in security patches.

FUNDAMENTALLY FLAWED
"The first antivirus software was created in 1987 to clean an existing infection. Remarkably, this is the approach used by most scanners to this day! You only remove infections that have already occurred. This is like focusing on stain removal, as opposed to stain prevention. If we examine this logically, this standard approach is fundamentally flawed.

"The scanner compares each file run to a signature file of known viruses, a so-called 'blacklist'. There are only three possibilities:

The file is Good: If the file is not infected you are okay, of course.
The file is Bad: If the file has a known infection, it gets cleaned and you are still okay.
The file is Unknown: If the file has an unknown infection, it does not get cleaned and your computer can be compromised.

"Clearly, relying on what we already know creates a huge gap that hackers can exploit. Security experts have understood this for some time and have long advocated a 'layered approach' to internet security. This means that the conventional approach of matching a file to a signature file, AKA a blacklist of known malware, is just one layer of protection.

"For example, if a malware file gets past the blacklist, it may still be identified as a threat using heuristic behaviour analysis. Regardless of what the blacklist says, if it acts like a threat, it might just be a threat.

"Virus makers are smart and there is a lot of money in it. Why rob banks when you can sit in an apartment in Eastern Europe and operate a botnet? They will always come up with ways not to be detected. In their own nefarious way, they are very professional in their development efforts. They test their malware against the major scanners and their heuristics patterns before releasing them.

"This is why the last layer of defence cannot be 'detection'; it must be 'containment'. This means that, if a file is not proven to be safe, it is not allowed access. The principal vehicle for this is a concept that's called a 'sandbox': an operating environment where a program file can run isolated from the rest of the computer system. If the program turns out to be malicious, it will be unable to harm the system.

"It's not surprising that there have been increasing uses of sandboxing technology in recent years. The standalone Sandboxie is popular among tech gurus, because you can choose to run a program in a protected environment. Some major internet security systems provide a sandbox environment, but they also require detection and user interaction.
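The three scan outcomes and the layered policy described above (blacklist, then heuristics, then containment of anything not proven safe), as an added model that is not Comodo's code; the hashes, behaviour weights, threshold and sample files are all constructed for illustration:

```python
from dataclasses import dataclass

# Constructed data: a tiny signature file (the blacklist), files proven safe
# (e.g. vendor-signed), and behaviour weights for the heuristic layer.
KNOWN_BAD = {"sha256:c0ffee01": "Trojan.Generic"}
KNOWN_GOOD = {"sha256:0ffice01"}
BEHAVIOUR_WEIGHTS = {"writes_autorun_key": 3, "injects_into_process": 4,
                     "disables_security_tool": 4, "encrypts_user_files": 5}
HEURISTIC_THRESHOLD = 5

@dataclass(frozen=True)
class FileSample:
    name: str
    digest: str
    behaviours: frozenset = frozenset()

def scan_outcome(sample):
    """Blacklist scan: 'bad' on a signature hit, otherwise only 'unknown'.
    A scanner cannot call a file it has never seen 'good'."""
    return "bad" if sample.digest in KNOWN_BAD else "unknown"

def heuristic_outcome(sample):
    """Behaviour layer: 'suspicious' once the weighted score reaches the threshold."""
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in sample.behaviours)
    return "suspicious" if score >= HEURISTIC_THRESHOLD else "unknown"

def decide(sample, contain_unknown):
    """Run the layers in order. Detection-only (contain_unknown=False) lets an
    unflagged file run with full access; default-deny (contain_unknown=True)
    runs it in the sandbox until it is proven safe."""
    if scan_outcome(sample) == "bad":
        return "blocked:signature"
    if heuristic_outcome(sample) == "suspicious":
        return "blocked:heuristic"
    if sample.digest in KNOWN_GOOD:
        return "allowed:known-good"
    return "sandboxed" if contain_unknown else "allowed:unverified"

# Constructed samples. "stealthy" is a fresh variant: unknown hash and behaviour
# kept under the heuristic threshold, as the text says authors tune before release.
SAMPLES = {
    "office": FileSample("office.exe", "sha256:0ffice01"),
    "trojan": FileSample("invoice.exe", "sha256:c0ffee01", frozenset({"injects_into_process"})),
    "noisy": FileSample("loud.exe", "sha256:11111111", frozenset({"encrypts_user_files", "writes_autorun_key"})),
    "stealthy": FileSample("quiet.exe", "sha256:22222222", frozenset({"writes_autorun_key"})),
}

def verdicts(contain_unknown):
    """Verdict per sample under one policy; compare verdicts(False) with verdicts(True)."""
    return {key: decide(s, contain_unknown) for key, s in SAMPLES.items()}
```

Only the stealthy variant's verdict differs between the two policies: detection-only lets it run with full access, while default-deny sends it to the sandbox.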
