Tuesday, May 13, 2008

Anti-virus not keeping up?

According to Panda Software, the number of new malware strains detected in 2007 was ten times that of 2006: more than 3,000 per day. With that many new strains every day, your A/V software will, well, "strain" to keep up. The days when A/V signatures could be updated daily, or every couple of hours, are simply gone; even if you could update them every five minutes, the signatures for all of the new threats simply do not exist yet. Never mind the impossibility of pushing signature updates to thousands of systems on a network constantly. Some companies, ISS for one, are working on behavior-based A/V: they take the common traits found in viruses and malware and try to stop code based on what it does rather than what it looks like. In theory the behavioral signature then only needs updating when a new strain does something not seen before. Almost all of the thousands of new strains a day do basically the same thing, but thanks to polymorphism and other subtle differences they are not always caught by traditional signatures. The behavioral model is not perfect either: it suffers from false positives, just as IDS/IPS signatures do.

So what to do?
Defense in depth is called for here.

Systems need to be patched promptly, so that the malware has fewer vulnerabilities to exploit
System administrators need to minimize the places users can get one of these files (the web, e-mail, IM, etc.) by using content filtering
Reduce or remove local administrative rights, so that malware a user runs cannot install itself system-wide
Watch what is entering and leaving the network; unexpected outbound connections are often the first sign of an infection
Run IDS/IPS on endpoints as well as on the network
Run A/V and update it often; it still catches the bulk of the known threats
Watch for registry changes, especially to the autostart locations (the Run keys, Winlogon and the like) that malware uses to persist
Run users' desktops in virtual machines that can be reverted to a clean snapshot, so cleanup becomes much easier and infections become temporary (hopefully)
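As an added example of the "watch for registry changes" item (this is not code from the original post, and the two registry exports embedded in it are constructed samples, not captures from a real host): the script below parses two `reg export` snapshots of the same machine, a known-good baseline and a current one, and reports any value added, removed or modified under the common autostart keys. The `WATCHED_KEYS` list, the sample file paths and the "Windows Update" entry are all assumptions made for the demonstration.

```python
"""Detect changes to Windows autostart registry keys by diffing two
`reg export` snapshots (baseline vs. current).  Added example for this
post, not code from the original; the two exports below are constructed
samples, not captures from a real host."""
import re

# Keys that almost every persistent malware strain touches in some form
# (assumed list for the example; extend it for your environment).
WATCHED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Constructed baseline: what a clean XP-era host might export.
BASELINE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# Constructed "current" export: the same host after a hypothetical infection
# that added a Run entry and appended itself to Userinit.
CURRENT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Update"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\etc\\svc.exe"
'''

# A value line is either @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.
    String values are unescaped; dword/hex values are kept as their raw
    right-hand side (hex continuation lines are ignored)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def diff_autostarts(baseline_text, current_text, watched=WATCHED_KEYS):
    """Return [(change, key, value_name, old_data, new_data)] for values under
    the watched keys that were added, removed or modified between snapshots.
    Key lookups are case-insensitive, as the registry itself is."""
    before = {k.lower(): v for k, v in parse_reg_export(baseline_text).items()}
    after = {k.lower(): v for k, v in parse_reg_export(current_text).items()}
    findings = []
    for key in watched:
        old_vals = before.get(key.lower(), {})
        new_vals = after.get(key.lower(), {})
        for name in sorted(set(old_vals) | set(new_vals)):
            if name not in old_vals:
                findings.append(("added", key, name, None, new_vals[name]))
            elif name not in new_vals:
                findings.append(("removed", key, name, old_vals[name], None))
            elif old_vals[name] != new_vals[name]:
                findings.append(("modified", key, name, old_vals[name], new_vals[name]))
    return findings


if __name__ == "__main__":
    for change, key, name, old, new in diff_autostarts(BASELINE_EXPORT, CURRENT_EXPORT):
        print(f"{change:8} {key}\\{name}: {old!r} -> {new!r}")
```

On a real host you would take the baseline with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run baseline.reg` (and likewise for the other keys) right after a clean build, re-export on a schedule, and feed both files to `diff_autostarts`. The Userinit case is the one worth noting: the value still starts with the legitimate `userinit.exe`, so anything that only checks for unknown entries would miss it; comparing whole values against the baseline catches the appended program.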
