The Antivirus-Virus Conundrum

Last week the EU’s statistics office published statistical data about the state of anti-virus protection and virus infections. According to the figures nearly a third of Europe’s PCs carry some kind of malware. Although it is difficult to assess the accuracy or methods of studies, this figure is hardly surprising. Anyone who has ever dealt with filtering messages, web content or any other data entering the perimeter of your network knows about the positives and negatives, be them false or true. The problem starts with UBE/UCE (a.k.a. spam) filtering and continues right into the domain of malware.

  • Just as their biological counterparts a computer malware, indiscriminately called virus, changes its shape and flavour. We had a talk from Joan Calvet about the Tripoux project. They analyse malware packers. If you have seen the branch diagrams on the slides you will easily understand that there’s a whole lot of obfuscation going on – and this is only at the packer level before the malware starts its work.
  • Filters (and the security admins connected to them) are faced with a multitude of data formats. Even the „well-known“ office documents (of all flavours) and the wide-spread PDF can be turned into a can of worms by malicious hackers. While your firewall adopts the default deny policy, every e-mail/web/whatever filter is expected to use the default accept policy against digital invaders. This is bound to fail (true, vendors of filter systems will claim the opposite), and it’s not news to anyone ever deployed filter systems.
  • Tell anyone that there are firewalls and malware filters deployed and watch their security awareness drop to the boiling point of helium. This does not only affect non-technical minds, even people who should know about the dangers „out there“ tend to forget their wariness. Failure’s everywhere, especially when there’s no maintenance. Just as in the analog world your filters may get clogged or useless if you don’t control what they do (or update the signatures/software).
  • Filter systems use signatures of known malware coupled with heuristics. Some throw some statistics into the mix. Let’s take a look at the word heuristics. If you look this up on Wikipedia you get among other information the following sentence: Heuristic methods are used to speed up the process of finding a good enough solution, where an exhaustive search is impractical. So it’s spelt out in clear: There’s no way you can do an exhaustive search for malware. You would have to set up a copy of your system and a known clean reference system, introduce the file you want to check into the test system, compare the behaviour of both systems and deduce the deviation you are looking for. As soon as you need performance or introduce other constraints you will always end up with a trade-off. There’s also no surprise there. Bruce Schneier has written whole books about these trade-offs and what they mean for security.

I referred to the analogue world. Let’s return to biology and imagine what your built-in anti-virus system is capable of. Your immune system can deal with a lot of malware. Yet you avoid stretching it to its limit, maybe by hygiene, maybe by not taking a bath in raw sewage. Most people even keep security-aware after getting updates (vaccination) and do not eat that extra spoon of germs. The same is true in the digital world, at least in theory. I have yet to see the network where every employee or end-user needs all data formats known to mankind, including white noise, passed unfiltered through port 80 (HTTP) or other tunnelling protocols. When it comes to e-mails, there are similar constraints. There are certain document and data formats we can handle, we can’t deal with the rest. So why bother?

Getting rid of malware and controlling digital infections takes a lot more than selecting and deploying the right combination of filters. Make sure you know what your minimal requirements are and treat every file with respect – and take care of the lost security awareness caused by the deployment of filter systems.

Tags: , , , ,

Comments are closed.