When viruses only travelled from computer to computer via floppy disks, protecting PCs from malware was pretty straightforward: samples would be caught “in the wild”, a signature taken, the anti-virus software updated once a month - if at all - via a mailed-out disk and that would pretty much be the end of it.
Furthermore, all the anti-virus software needed to check was executables.
With just one “attack vector” for infection, and viruses having limited ability to do much more than self-replicate, most people didn’t bother with anti-virus software.
Today, though, when every PC is internet-connected and the “payload” could be embedded in web-page code the user does not even know is being downloaded and executed, the threats have both multiplied and become stealthier.
But more and more specialists are suggesting that anti-virus software is struggling to keep up; indeed, that it is failing in its primary task of protecting PC users, despite innovations such as “heuristic detection”, which looks for potentially malicious patterns in code.
“I think that anti-virus software has become more sophisticated, but most of the detection still relies on known patterns. Vendors have become better at creating their patterns, but it is still inadequate considering the current rate of malware generation,” says Imperva chief technology officer Amichai Shulman.
The challenges are manifold: it’s not just the number and power of third-party applications that can run files that may not be as safe as the user anticipates, such as Adobe Acrobat or Oracle Java, but the way in which the virus writers have remained one step ahead of the software vendors.
For example, when a supposedly state-inspired malware attack on Iran’s Natanz uranium enrichment facility was launched more than six years ago, it was years before the attack was uncovered - despite the fact that it had leaked into the wider world via its USB stick propagation.
Mikko Hypponen, chief security officer of Finnish anti-virus software vendor F-Secure, even wrote a mea culpa published in the magazine Wired, entitled “Why anti-virus companies like mine failed to catch Flame and Stuxnet”. In it, he explained how the malware code had been written to look more like a business database application than a harmful piece of code.
He wrote: “The truth is, consumer-grade anti-virus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and email worms. But targeted attacks like these go to great lengths to avoid anti-virus products on purpose. And the zero-day exploits used in these attacks are unknown to anti-virus companies by definition.”
In other words, if malware writers try hard enough, they can always evade detection. Crucially, if the attackers just target a specific organisation, such as a bank, government department or technology company, their attack may lie undiscovered for years - anti-virus software vendors’ detection signatures are only written after a virus has propagated in the wild or been uploaded to a hackers’ forum.
That point was brought home in a study by Technion, the Israel Institute of Technology, for Imperva. It sought to test the ability of a number of the best-known anti-virus software vendors to detect newly created viruses and concluded the initial detection rate was little better than five per cent.
That may be fine for consumer PC protection, but for protecting sensitive corporate or government data assets that might be specifically targeted by attackers - for espionage or profit - the protection that model affords is less certain.
But according to Imperva’s Shulman, organisations are spending inordinate amounts of money on anti-virus software - as much as one-third of all security spending, or $7.4bn (£4.6bn) out of total annual spending on anti-virus software of $17.7bn (£11bn), according to analysts Gartner.
“There are many additional security ‘layers’ that are required in order to mitigate the threat today. Those layers don’t get enough attention and funding because so much of the security budget is going on solutions like anti-virus, or their deployment and management costs,” says Shulman.
In other words, organisations are focusing so much attention and resources on conventional anti-virus software that they are neglecting other defences and not adapting to the changing nature of the threats they face.
Anti-virus software, though, remains an appealing investment because of the very public nature of a virus outbreak at any organisation.