Sunday, April 08, 2007

More on Anti-virus and Anti-malware

So, when I posted this blurb on anti-virus missing malware, I didn't mean to whip people into a frenzy. I really didn't - I just wanted to express my genuine shock about how poorly the tools, built for blasting away the threats of the 90s, fare against the threats of the 00s. In fact, I myself naively thought that a typical AV tool would catch 60-80% of serious in-the-wild malware today. Some of my readers were surprised by the numbers and some were not, stating that it matches their experience as well. Many probably choose to stick to the "my anti-virus is fine, go away!" illusion.

It is also bizarre how some people chose to interpret my blog post as biased: "i saw where this was going early on (the original question was obviously loaded)." I would like to assure them that while I did state my initial question in a somewhat emotional manner, this was not due to any inherent bias I might have had, but due to my deep surprise. I myself hate people saying things like "today was a hot day -> obviously global warming is here" :-), but in this case what matters is not "statistical significance", "sample selection bias" or "test-bed integrity", but the fact that if you deploy anti-virus on your systems and run it according to the "directions on the label", your system will soon "change hands" :-) This doesn't point to any global emerging trend, but just to a fact, observed by the author of the study (which, BTW, I just read, not conducted myself...)

I later learned that a major analyst firm, that will remain nameless for now, proclaimed in their recent piece: "By 2009, anti-virus as we know it will be dead, succeeded by a new generation of protection technologies, and many of today's anti-virus vendors will be extinct."

Some folks have asked me a sensible question: what is the alternative? At this point in time, the alternative for most people is fairly unpleasant: you are going to get 0wned :-) Go update your incident response (IR) plans and sharpen your IR skills. Learn to detect 0wned systems.

Over the long term, I am willing to bet on some fancy "whitelisting" approach (e.g. this) or novel heuristics (e.g. here) or something else (e.g. here), which is still being forged in secret underground labs of some nameless security start-up :-)

Overall, it seems that "classic" (e.g. "blacklisting") anti-virus technology does indeed work as stated by its purveyors. It is just that modern malware no longer does ...

Dr Anton Chuvakin