It’s not about the definitions


29 November 2016

Paul Hearns

There is a story going about today that antivirus applications don’t work.

Darren Bilby, security engineering manager, infrastructure protection, Google, said the basic mode of operation of antivirus where events or code is detected and compared against a blacklist or definition to decide whether it is malicious is outdated and ineffective.

Limitations
Bilby argues that with this approach, ‘you do not know what you do not know’ so a new threat, or sufficiently evolved threat, is to all intents and purposes, immune as it is not recognised by the app. He does concede that some of the better antivirus products feature heuristic detection, which looks for suspicious code and lets you isolate it and submit it for testing, which is often how unknown or undiscovered viruses are captured.

Bilby says that the complexity of applications, their distribution and their sheer number, combined with the proliferation of threats, has made it nigh on impossible to keep up.

He advocates a move from blacklisting to whitelisting, hardware security keys and dynamic access rights to get beyond the old methodologies and provide protections that measure up to the current wave of threats.

Now while this makes sense, it is a little disingenuous too.

I am not aware of any decent commercial-grade antivirus that does not contain a blended detection and mitigation capability that leverages not only the measures mentioned above, but also some kind of adaptive scanning, as well as the likes of behavioural analysis.

The combination of all of these measures usually results in a far more effective protection system, one that identifies threats and anomalous activity earlier.

Major vendors
All of the major vendors in the space, the kind that Bilby condemns as compliance-requirement, box ticking applications, rely less and less on the old style definition comparison. Those that still leverage them generally do so with some kind of modified ability to extrapolate and adapt to variations, mutations and multiple configurations to identify new threats.

The truth is that, as inventive as the black hats are in coming up with new threats, the vast majority of them are lazy, time-poor operators who will use modular builds and old code to get something together quickly to meet a need. That means definitions can still play a role: they serve as a root from which branches and family trees stem, while still providing a vital link back to a threat’s origins.

As such, it may not be entirely accurate to say that this approach is dead. It is not really. That approach alone, unmodified by adaptive scanning, behavioural analysis and even artificial intelligence-driven services, is dead, but so few use it in that manner anymore that it is something of a moot point.
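To make the distinction concrete, here is an added example (not code from the article, Google or any vendor) that puts three detection styles side by side: an old-style exact definition, a family definition written over a normalised form of the sample, and the whitelisting Bilby advocates. The three “programs”, the family name and the API sequence are all constructed for the example.

```python
import hashlib
import re

# Constructed samples for this example only: plain strings standing in for
# programs, not code from any real malware family or product.
# KNOWN_BAD is the sample a vendor already has a definition for, MUTATED_BAD
# is the same logic rebuilt with cosmetic changes (new variable names, new
# host, different whitespace and comments), BENIGN_TOOL is an approved script.
KNOWN_BAD = b"h = getenv('HOME')\n# build 1\nupload('c2.example.invalid', collect(h))\n"
MUTATED_BAD = b"p=getenv( 'HOME' ) # rebuilt\nupload( 'other.example.invalid' ,collect(p) )\n"
BENIGN_TOOL = b"# backup helper\ncopy(getenv('HOME'), '/mnt/backup')\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tokens(data: bytes) -> list[str]:
    """Canonical form of a sample: comments dropped, only identifiers kept.

    Writing the family definition over this form instead of the raw bytes is
    the simplest version of the 'ability to extrapolate and adapt to
    variations' the article describes.
    """
    text = data.decode("utf-8", errors="replace")
    text = re.sub(r"#[^\n]*", "", text)  # strip line comments
    return re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text)


def is_subsequence(needle: list[str], haystack: list[str]) -> bool:
    """True if every element of needle appears in haystack, in that order."""
    it = iter(haystack)
    return all(any(tok == want for tok in it) for want in needle)


# Old-style definition: an exact hash of one known build (hypothetical name).
EXACT_DEFINITIONS = {sha256(KNOWN_BAD): "Family-A build 1"}
# Family definition: the ordered API calls every branch of the family shares.
# This is the 'root' from which later variants stem.
FAMILY_DEFINITIONS = {"Family-A": ["getenv", "upload", "collect"]}
# Allowlist: hashes of the programs this host is permitted to run.
ALLOWLIST = {sha256(BENIGN_TOOL)}


def exact_definition_match(sample: bytes) -> bool:
    """Pure signature comparison: the approach the article calls outdated
    when it is used on its own."""
    return sha256(sample) in EXACT_DEFINITIONS


def classify_blacklist(sample: bytes) -> str:
    """Blended blacklisting: exact definition first, family definition second."""
    digest = sha256(sample)
    if digest in EXACT_DEFINITIONS:
        return "blocked:definition:" + EXACT_DEFINITIONS[digest]
    toks = tokens(sample)
    for family, api_sequence in FAMILY_DEFINITIONS.items():
        if is_subsequence(api_sequence, toks):
            return "blocked:family:" + family
    return "allowed"


def classify_allowlist(sample: bytes) -> str:
    """Whitelisting: only known-good hashes run; anything unknown is blocked,
    so a brand-new family is stopped without anyone having seen it first."""
    return "allowed" if sha256(sample) in ALLOWLIST else "blocked:not-allowlisted"


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD), ("mutated", MUTATED_BAD), ("benign", BENIGN_TOOL)]:
        print(f"{name:8} exact={exact_definition_match(sample)!s:5} "
              f"blacklist={classify_blacklist(sample):36} allowlist={classify_allowlist(sample)}")
```

Run as written, the exact definition catches only the build it was written for and misses the rebuilt variant, the family definition catches both, and the allowlist blocks both without needing any definition at all but would also block any legitimate tool that has not yet been approved, which is the operational cost of the whitelisting approach.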

He would, wouldn’t he
So while I agree that new approaches are needed to remain effective, and must be developed constantly, to say that AV is dead is a bit of an attention grabber, especially from a source that provides just such a system as its proponent advocates.

In the future, the volume, variety and velocity of malware and viruses will grow to such an extent that the signature or definition approach will become increasingly unwieldy and will be less and less a part of security applications. But as most vendors have copped on to this and have developed their products to have capabilities far beyond it, it is a bit alarmist to say AV is dead.

TechCentral.ie