Detection vs Threat Prevention

Discussion in 'other anti-malware software' started by BluePointSecurity, Sep 10, 2009.

Thread Status:
Not open for further replies.
  1. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Sorry, but the remarks here in this thread are perforce a reason to return to Win 95 16-bit and Opera 8.54, with a load control for rundll.exe, rundll32.exe, and about 3 more exe's.

    Dave
    KEEP IT SIMPLE -- 16 BIT
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I do agree with BluePoint's criticism of mainstream publications' coverage of security solutions. It's shameful the way products such as SandboxIE are virtually ignored when it provides far more preventive protection than any standard AV/AS solution.:(
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @arran

    Regarding the use of an AV, it is not a tool that has no worth. It is a tool that is incapable of keeping up with current threats, yes. But as an example, I know a young kid who downloads fixed executables for games so he does not have to use the cd. It is a good tool (the AV) for him to scan these files with. If the AV picks something up (Avira in this case) then he can submit it to an online multi-engine scan to be sure. At least he has some form of 'knowing' if the file might be infected before he executes it. A HIPS approach would not tell you before you even ran it that it was something bad, only after the fact. Since he will put these files (replace) into program files, they will be run presumably with admin rights, or at least some games are. I don't know that this is a replacement for HIPS or restricted rights in this case, but the AV certainly gives a good pre-indicator.

    I don't use an AV right now, and I don't think you should depend on them really, but I do think they can serve a valuable purpose in the correct setup.

    Sul.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    A quote from Kurt Wismer.
     
  5. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Important point, Sul. A mechanic chooses the correct tool for the job.

    In certain cases, AV is not the correct tool. At the height of the surge in PDF exploits earlier in the year, this was a frequent comment by those who were infected: "But my ________ AV was up to date."

    Not much help since the PDF files/executable payload changed regularly. The same thing with the Storm e-cards in past years.

    Of course you can argue that in these two cases, no extra tool is needed, since proper configuring of the browser takes care of PDF exploits, and firm policies about following links in emails takes care of the Storm stuff.

    These types of preventative measures are not talked about much, if at all, in the mainstream security media. From a recent article posted in another forum:

    SC Security Magazine for Security Professionals
    Ealing Council facing £501,000 fine after its network was hit by a virus that crippled it for weeks
    http://www.scmagazineuk.com/Ealing-...us-that-crippled-it-for-weeks/article/148144/
    Why not suggest a company policy to completely disable autoplay/autorun on all workstations on the network? No extra tools needed.

    ----
    rich
     
  7. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    This sort of leads us into attack vectors. CD-ROMs, your NIC, your email client, your browsers and the list goes on and on are all attack vectors. I notice many people recommend guarding the various attack vectors. That's a bit like running around a leaky wooden ship trying to plug up holes. Once you plug up one attack vector next week it'll be something else, a never ending battle. I've never really seen the point in this method as it really turns into a "chasing your tail" type of situation. That's the exact situation AV companies are in right now, and again, I think they are going down the wrong road here.

    Instead of trying to protect the attack vectors to the front door of your house (the back yard, your driveway, your chimney etc) from various types of criminals, why not just lock the front door properly and forget the vectors? I've always had a good laugh when I see narrowly targeted products such as antikeylogger, antispyware, antirootkit. Really? Please tell me we're not in a state of having to run 5 products that in the end still may end up missing threats. We can do better than that, people just need to be open to change.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Rmus

    Too true.

    I have thought about this issue a lot. The best example I can give is a simple one. Put aside correctly configured systems and browsers for a moment and look instead at what a typical user might actually do. They will download a file and execute/view it. Business environments should/could lock this down, but for the average homeowner, they will at some point download a file.

    The argument for or against the AV is a good one, with valid points on both sides. I myself tend to think they are more outdated today, but I must look at all sides. For the young kid I know, he can benefit from the AV. It is simple really, suppose he downloads a file, for whatever reason, that has an older variant of a virii. With an AV, it is highly probable to be found, saving the execution of the infected file.

    While as you say the right tool for the right job, I do believe there are still applications for an AV. It is certainly not something I put much faith in for current issues, but for downloaded files it could be of use still.

    Sul.
     
  9. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I just noticed this quote earlier in this thread from an AV company!

    So they are telling their customer, if you really want to be secure we can't help you. Wow.

    I'm quite sure the av companies are aware that they are in trouble. I've read many quotes like this from av companies themselves stating "we're working on things", "we realize traditional av is not capable of keeping up".
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I see the problem stemmed from people buying a boat with holes in it, putting it in the water, filling it up with gas, and using it. They see the holes and the water coming in. They have only today to use the boat. They put corks and rags into the boat. The boat wants to sink. They pull the boat out of the water. They go to work on Monday. They casually look at some ways to fix the boat. Fortunately, they think, there are LOTS of ways they find to plug the holes. But since they don't have the proper tools nor the inclination to learn how to do some minor carpentry or fiberglass work, they go buy/get some 'hole sealing goop'. They spend 5 minutes patching the holes, and then the next weekend they head out again. This time they get a long way from the dock before the 'goop' lets go, and now they need the Coast Guard (aka geeksquad LOL) to help them out. Or perhaps they just cruise around the shoreline not far away from land and are happy.

    Then there are those that actually buy some tools, learn some carpentry, learn how to apply fibreglass, and patch their holes for real, learning things in the process. Their boats do not sink, the leaks do not reappear. They may get a new leak from time to time, but are well versed in how to repair them. They go to Cancun, enjoy some fishing and margaritas, while their friend is paying off the Coast Guard, only to have some 'better goop' applied by the Coast Guard instead of actual repairs.

    The largest user base of computers, the largest group to be likely compromised, are those that don't know what they are doing, what their risks are and they don't really have much desire to learn, as they have baseball/nascar to watch on the tele.

    Sul.
     
  11. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Why not combine AV with AE technology into one product that's simple enough for everyone to use? :D I'll even go so far as to say that if everyone on the planet were running a solution with AE combined with AV we'd eliminate 95% of the malware problem overnight. Maybe that would eliminate someone's revenue stream. I'm biased of course but there's solid evidence behind this type of technology.
     
    Last edited: Sep 11, 2009
  12. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Very good analogy and I agree. People are willing to spend about 5 minutes learning, after that you've lost their attention span if they don't have an interest in it. Anything used as a solution needs to be extremely simple or they'll run into one of two situations: disabling the product or unable to configure the product properly.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are correct, of course, and I gave an example above where the IT was not able, for various reasons, to lock the front door properly. It wasn't because solutions weren't available. Rather, it was resistance at the management level.

    Attack vectors, however, are useful in thinking through how exploits work. There are only two, from my point of view:

    1) Remote code execution

    2) Social engineering

    White Listing takes care of the first. The second is more problematical, especially at the corporate level, where the only solution is to restrict installation of programs to the System Administrator. This policy would have prevented that IT's users from installing those rogue products.

    ----
    rich
     
  14. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Are you seeing problems with AE solutions preventing remote code execution? I know a few of them struggle with blocking scripts properly but other than that?
     
    Last edited: Sep 11, 2009
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Never. I have tested every URL that I can find with a web based exploit, and it's never failed.

    In addition:

    • Non-white listed executables cannot run from USB or CDR or email attachment

    • Non-white listed executables cannot extract from a ZIP file

    • Non-white listed executables cannot be downloaded from the internet onto the workstation.

    I mention these because in home situations (my area of involvement) the parents can control what gets installed on the family computer.

    By the way, one needs to define White Listing, since there are many uses of this term. For me, a White List contains all of the executables currently installed on the workstation. No other executable can install/run without permission from the user. That is, the protection is Default-Deny.

    ----
    rich
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The in-the-cloud “reputation analysis” of today’s new anti-malware products handle this polymorphic case, by warning the user that a specific file is rare and therefore likely to be untrustworthy at a point-in-time.

    I certainly agree.

    For this solution to be effective, it seems to be necessary to first have confidence that the workstation is free of malware. And, to accomplish that objective, you’re back in the realm of using anti-malware products to verify the current state of the machine.

    Second, who is the arbitrator of deciding whether new executables are to be trusted? Most casual users are unable to make an informed and wise decision in these matters, I believe.
     
  17. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Interesting, that would be my findings as well through extensive threat testing. In the end, threats generally need to execute code, which ends up being denied, neutering the threat.



    That would be the proper definition in my opinion. Many of the AV companies have blurred the definition of whitelisting into meaning "we don't scan files we know are safe/trusted" in order to speed up their scanning times. That is most certainly not whitelisting and again, I think they are doing a disservice leading people to believe they are utilizing whitelisting. I've had several people tell me this or that AV company "already" uses whitelisting; they don't, according to the proper definition. :eek:
     
  18. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    "Sometimes" would be my response to that, I'm still able to evade cloud-based heuristics solutions fairly easily. They are getting better, but they'll never achieve near 100% prevention so why bother investing time in them? Just my op.


    Correct, which is why I feel most AE solutions are missing a key element, an AV engine. I wouldn't recommend anyone run just an AE solution. I believe the solution is AE combined with AV (which is how BluePoint works).


    The arbitrator is a tough one, another arena I feel the whitelisting/AE companies have gone astray. They are attempting to maintain massive known good lists. Good luck with that, there are far far more good applications than bad. As far as how we handle that situation, we'll never put ourselves in the position of determining what's good and bad on an automatic type of basis. This leads to the potential for accidental allowances as well as the possibility of a vendor being paid to whitelist an app. By not trying to be the arbitrator we keep ourselves clear of those types of issues. We auto allow Microsoft's OS files and signatures/certificates as we have no choice. Everything else is up to the user. In order to assist the user we have a notification system that attempts to determine file risk based upon many factors, which allows the end user to make an informed decision BEFORE allowing execution; when in doubt, deny it. Our AE is also backed up by strong AV, you won't be given an option when attempting to execute in-the-wild viruses. Either way, it's quite capable of preventing silent infections which are becoming far far too common.
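The default-deny model that Rmus and BluePoint describe above, as an added example that is not code from either poster or from any product named in this thread: a whitelist seeded from the hashes of the executables present at baseline, non-whitelisted files arriving by USB, email, ZIP or download denied unless an OS-vendor signature or an explicit user decision allows them, and an AV verdict that takes precedence over the prompt. The file paths, file contents and verdict strings are constructed for the walk-through.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

UNTRUSTED_ORIGINS = {"usb", "cdr", "email", "zip", "download"}
@dataclass
class ExecRequest:
    path: str                        # where the file sits on the workstation
    content: bytes                   # bytes that would run (constructed, not real binaries)
    origin: str                      # "installed" at baseline, or one of UNTRUSTED_ORIGINS
    signed_by: Optional[str] = None  # publisher name from a valid signature, if any
class DefaultDenyGuard:
    """Whitelist = hash of every executable present at baseline; anything else is
    denied unless a trusted signer or an explicit user decision allows it."""

    def __init__(self, baseline: Dict[str, bytes], trusted_signers=("Microsoft Windows",)):
        self.allowed = {self.digest(b) for b in baseline.values()}
        self.trusted_signers = set(trusted_signers)
    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()
    @staticmethod
    def risk_factors(req: ExecRequest) -> List[str]:
        """Hints shown with the prompt; the guard itself never judges whether a file is safe."""
        factors = []
        if req.origin in UNTRUSTED_ORIGINS:
            factors.append("arrived via " + req.origin)
        if req.signed_by is None:
            factors.append("unsigned")
        return factors

    def decide(self, req: ExecRequest, av_verdict: Optional[str] = None,
               ask_user: Optional[Callable[[ExecRequest, List[str]], bool]] = None) -> str:
        if av_verdict == "malicious":              # AV backstop: known-bad never gets a prompt
            return "deny:av"
        h = self.digest(req.content)
        if h in self.allowed:                      # identical bytes to a baseline executable
            return "allow:whitelist"
        if req.signed_by in self.trusted_signers:  # OS vendor files are auto-allowed
            self.allowed.add(h)
            return "allow:trusted-signer"
        if ask_user and ask_user(req, self.risk_factors(req)):
            self.allowed.add(h)                    # user permission extends the whitelist
            return "allow:user"
        return "deny:default"                      # user declined, or nobody there to ask

def scenario() -> List[str]:
    """Constructed walk-through of the cases raised in the thread."""
    exe = r"C:\Program Files\Game\game.exe"
    guard = DefaultDenyGuard({exe: b"MZ original game.exe"})
    cracked = ExecRequest(exe, b"MZ cracked game.exe", "download")   # replaces the original
    hotfix = ExecRequest(r"C:\Windows\Temp\kb.exe", b"MZ hotfix", "download", "Microsoft Windows")
    return [guard.decide(ExecRequest(exe, b"MZ original game.exe", "installed")),
            guard.decide(cracked, ask_user=lambda r, f: False),       # user clicks deny
            guard.decide(ExecRequest(r"E:\setup.exe", b"MZ usb payload", "usb")),
            guard.decide(hotfix),
            guard.decide(cracked, "malicious", lambda r, f: True),    # AV wins over the user
            guard.decide(cracked, ask_user=lambda r, f: "arrived via download" in f),
            guard.decide(cracked)]                                    # now whitelisted
```

The downloaded "fixed" game executable from Sully's example is denied even though it sits at a whitelisted path, because the whitelist keys on file content rather than location.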
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is certainly true.

    Not necessary, since in setting up a system with that type of security, I start with a clean system with just the Operating System.

    You have to start trusting at some point. Either you trust your scanner, or you trust your source of the software. Both are recommended.

    I've always advocated checking around the internet for users' opinions before installing something. For example, this simple policy would prevent people from installing rogue security products, for a quick search for any of them would reveal their true nature.

    I don't see this as a problem at all, but I'm speaking for myself and others I'm in contact with.

    ----
    rich
     
  20. THX1138

    THX1138 Registered Member

    Joined:
    Jul 10, 2007
    Posts:
    14
    Location:
    Under Machine Control
    Software anti-malware solutions will only be as good/strong as the host. Any software anti-malware will inherit the weaknesses of the host OS. You are trying to build a tower upon a failed foundation; the tower will collapse upon its own weight no matter what materials you use and how well you engineer the tower. That is why a 100% solution will never exist on a security-faulty OS. Holes have been found in "great" software like Sandboxie, Deep Freeze, VMware, VirtualBox, Avira, McAfee, AVG, etc.; they all lie on top of and depend on the Microsoft OS. Now, I don't want to just provide problems, but a solution would be to get rid of the personal computer and get back to a mainframe/thin client setup and control the problem in that manner. This is what Google seems to be betting on and they are not alone. So leave the PC for geeks like us and all other cattle to get into thin clients.
     
  21. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I'm hoping you realize all OSes have been found to be vulnerable many many times over, not just Microsoft's...
     
  22. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    I think we're potentially headed there, even if we started today I think it's 5-10 years away easily for mainstream adoption.

    It still won't solve the problem; terminal servers are used in this way. The problem is, once the terminal server ends up infected then everyone is affected by the system problems that result. Many companies struggle with that very issue today, I've locked down quite a few of them with our enterprise product.
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    To clarify, “reputation analysis” is used by heuristics, but is not itself a heuristic. While no one technique is perfect, a file’s reputation (e.g., its prevalence, age, source) can be a highly useful indication of its trustworthiness and, in most circumstances, should alert the user to potentially unsafe software -- even if the user is the very first person to download it.

    I see your intention, but I view the problem differently. When an application is whitelisted, it is deemed “safe” -- independently of the machine on which it is installed. The definition shouldn’t be machine specific, in my opinion.

    For an interesting analysis of the role of whitelisting, blacklisting and how “reputation” fits between the two, view the video located at The New Model of Consumer Protection: Quorum.
     
  24. BluePointSecurity

    BluePointSecurity Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    134
    Reputation\Quorum is again a step in the right direction, however I've already tested it out and it does not alert to everything that is new. It alerts if an item is new AND appears suspicious from my lab experience with it. My own opinion here (I'm biased of course!), I think they are shooting all around a security model that is much more effective. Relying on reputation, behavior etc just isn't going to cut it, malware writers will simply change things around until it's missed (I've tinkered with it enough to know it wouldn't be all that difficult).

    I am however very happy they are moving in that direction ;)
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I see your point, and I have no quarrel with your use of the term.

    I'm considering abandoning that term (since it's such a loaded one with various meanings) for the following description:

    The purpose of the AE program is not to decide whether or not a file is safe. That has to be done by other means.

    The sole purpose of the AE program is to control what is permitted to run/install. That's all I want it to do.

    ----
    rich
     