Modern HIPS; perspectives

Discussion in 'other anti-malware software' started by Fly, Mar 22, 2008.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Without commenting on anything in particular, I would simply like to point out the complete absurdity of claiming that antivirus scanners are inadequate, and pointing to how many viruses that antivirus software detect to back up that claim.
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    They are inadequate against modern 0-day malware, made to bypass heuristics and signature scanners by its nature.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I have to concur that's a very true statement. But its impact is also much less than seems to be implied, for a variety of reasons.
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, indeed, but their number will be growing rapidly - malware is too profitable a business...
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I agree with Ilya, but what doesn't make sense is the fact that as it grows, it doesn't seem to be impacting the average user. So that goes against the thread about an AV not being adequate anymore, and also the one about how long it has been since anyone was infected.

    Or am I just missing the B in ABC.:doubt:
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Exactly.

    It's less about the number of malware than their mechanisms of infection and propagation. That may evolve, but of course that's an unpredictable factor. For now, though, just because your antivirus doesn't detect X number of trojans and you don't use a HIPS doesn't necessarily mean you'll be a victim.

    And for what it's worth, the major antivirus vendors are keeping pace reasonably well. It's always exciting to keep up with the technological developments in that area; it's become much more interesting than watching HIPS, actually. :D
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'd love to know what the AV vendors are really thinking about this....whether there comes a point where if the rate of malware growth continues, their capability to respond diminishes proportionately. Continuing to sell AVs for $20 a year may not be a sustainable long term business model if they have to employ double the number of virus analysts every few years. Consolidation and specialism within the industry may be the first indicator - some AV vendors may throw in the towel, merge with others, or elect to specialise in protecting a particular market segment...unless they can find an alternative approach.

    This reminds me a bit of the evolution of DDOS where it's got to the point where there's maybe only one company that can fend off the largest of attacks. As the size of the botnets grew, most solutions failed to respond.

    Will be interesting to see how this develops over the next few years.
     
  8. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    I think if you are as computer savvy as Easter or a few others in this forum, yes, forget AntiVirus & Antispyware applications; otherwise use them. It's simple: if you or your wife say yes all of the time to prompts, then use AntiVirus at least.
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Automated analysis.

    I once thought antivirus companies analyzed hundreds of malware daily by hand, too...
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, but there is a limitation of this technique - packed malware. Especially if a VM is used.
     
  11. wat0114

    wat0114 Guest

    But doesn't Easter use HIPS to back up HIPS, virtualization apps to virtualize other virtual apps, plus a battery of other security apps...all on the same machine?? :rolleyes:

    Ilya, you mention your friend runs as admin. That's part of the problem, of course; the malware has a free-for-all in that account.

    As for using HIPS, I've been a huge advocate of them for some time now, using SSM until very recently. But in all the time using one, it and my antivirus for that matter have never had to ward off malware, so I'm left reassessing why I need all of this security. I have pared down to just my firewall and antivirus. If I one day see a need to use a HIPS, then I will go back to using one.
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Are you referring to anti-VM Themida packers, or just packed malware in general?

    PC Tools claims to have solved the former problem - how much of it is true remains to be seen. Generally, though, it's often a trivial process to determine if a file is malicious or not, and from that point onwards naming the malware, extracting the signatures and checking for FPs should be automated. Their biggest problem, I think, remains in actually getting the samples in the first place.

    But that's why it's so interesting to observe developments in scanner technology, and try to figure out what's behind, say, BitDefender's MemScan routines. Since (unlike HIPS) the ideal antivirus product goes all the way and requires as little user intervention/judgement as possible, their technological requirements are correspondingly much higher as well. They've got some really ingenious guys in the field, to say the least.
     
  13. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'm fully aware that the AV companies rely on automated analysis, but you seem to be convinced that this is a long term sustainable solution. My betting is that automated analysis will only last for so long. If the AV companies can come up with alternatives that work then great, but it looks very much like the AV vendors and malware authors are in an ever-increasing arms race. Who's going to win? Who knows - but the fact that AV vendors are turning to behavioural type solutions suggests that they know that in the medium/long term the game is up on pure signature based scanning.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, it's worked relatively well for the last twenty-something years.

    I know popular sentiment holds that signature scanning is going down the drain, but then again...

    Just because they're embracing behavior blocking doesn't mean (or even imply) that signature scanning is dead; it may very well be just the simple fact that these two technologies are complementary, and back each other up where one fails.

    Besides, how many vendors are turning to behavior blocking, exactly, or even making it a major part of the solution? Kaspersky is probably the vendor who's employed behavior blocking in the form of the PDM for the longest time, but even then the PDM leaves a lot to be desired, with fixes/improvements to obvious vulnerabilities not coming, while the v8 beta boasts mainly of improvements to the scanner. My guess is that they're far from being jaded with their signature scanning technology.
     
  15. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'd certainly agree with you that signature scanning isn't dead. The question in my mind is when does it start becoming less effective as a standalone solution and what does this do to the AV business model....and hence where does HIPS come into this. Sunbelt blogged about the growth of malware recently and said:

    "Like most companies, we’re processing gigabytes of malware daily. Our automated systems like our Sandbox help; but in the end, manpower plays a key role in being ahead of the game. There’s the HUMINT aspect, like hunting down new malware and tracking IPs and locations of the bad guys; but also reverse engineering and specialized code and signatures created for difficult malware. And, there's difficult coding needed to deal with rootkits and the like.

    It’s why being a security company (especially in AV or antispyware) these days is a whole new game. No longer can a company compete with a few folks in the lab and a group of good programmers. They're out there: Little companies with small teams working an antispyware or antivirus product, but it’s hopeless. A small platoon won’t win this war. You need a brigade."


    I still believe a HIPS for the masses is going to be needed.
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Personally, I find it pointless to worry about such things. If one is ever needed (which I severely doubt), then I'll use one.

    By the way, I'd just like to add that the number of malware is pretty much irrelevant to this issue, for reasons stated in an earlier post above.
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    No, it is not. Full admin rights allow her to work and install new games for her children.
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Mostly, I referred to VMProtect - a VM-based executable protector with highly complex algos. I have never heard of it having been broken.
     
  19. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    That's not true, the number of malware is completely relevant to the future of AVs versus HIPS. The more malware the more demands it places on the virus analysts, regardless of whether or not the end user ultimately gets infected. That is reflected in the rate at which AV vendors are adding signatures - they are completely incapable of determining which ones really do pose a risk of infection, so they add everything. Unless of course they don't have the resource to add everything, which means they get classed as a 'poorly' performing AV in comparative tests.

    If it gets to the point where there are far more pieces of malware to be blacklisted each year than items that could be whitelisted, then you'd have to question the business model of the AV vendors regardless of their technical capability to keep adding signatures via automated methods. And in those circumstances, in any industry, someone always appears with some disruptive technology that undermines the existing players.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    That's not true. The number of malware in circulation with the effective means to infect and propagate matters. It also depends on the area and period of circulation. The rest do not matter.

    I run across a number of samples every day that are undetected by the antivirus solution I use, sometimes 2-3 a day, sometimes in the high twenties or thirties, but I remain safe from them and uninfected. Why is that? Think about it.

    You really need a better understanding of what you're talking about. ESET and Frisk, for example, are two vendors I know of that exercise selective inclusion of malware into their signature databases. DrWeb does as well to some extent, I believe, which they highlighted when they announced their decision not to participate in AV-C this year. While I'm unsure of whatever mechanisms they have in place by which this selection takes place, they're obviously neither "incapable" nor "completely".

    No single AV has the resources to add everything. Again, AV performance is obviously a field you don't pay much attention to, save for picking up the popular hearsay myths every now and then. Some top-performing AVs score mediocrely at tests, and run-of-the-mill ones garner stellar results. Why? I don't know, but these days I tend to take AV-Comparatives results with a grain of salt.

    Well, personally, I'd prefer to deal with that fact if and when it arrives, instead of because I was told to by some quack soothsayer.
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Well I'm not going to participate in this thread anymore given that you're resorting to pompous personal insults (and don't pretend it was directed at me). Goodbye.
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, it would help if you desisted from acting in that very manner. Arguments based on "ifs" and "what abouts" don't make for much anyway, so goodbye.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, as always, I for one take heed and listen to all of solcroft's comments. You can learn a lot if you keep your mind open and not partial or biased.
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Well that's fine, but the OP discussed the future and trends and that requires a degree of speculation which is what I was attempting. And this really is my last post.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd guess that she is a victim of social engineering (phony attachments/links, rogue codecs/apps, etc.) and malware installed through ad networks. I would also investigate the sources of the software she installs.

    I agree. As I've said in another thread, it's really incredible that the virus labs can "keep pace" with the malware business with such disadvantages.

    I tend to agree here too. What's the point in getting/analyzing a Nuwar sample when its lifetime has already passed and a new sample (delivered through server-side polymorphism) has taken its place?

    Perhaps herd intelligence is the "magic" solution?
     