McAfee debacle shows why malware defense must evolve

The flawed McAfee update illustrates why a new model for defending against malware is necessary.

Last week a flawed DAT file from McAfee flagged a core Windows component, svchost.exe, as malware on Windows XP systems. The false positive left machines crashing or stuck in reboot loops and set off a massive cleanup effort. It would be very easy to simply point the finger at McAfee, fire a scapegoat security engineer or two, and carry on with the status quo. The whole incident, however, illustrates why the anti-malware industry, not just McAfee, needs to embrace the U.S. Marines' mantra: improvise, adapt, and overcome.

The current model is like a war in which the attacker always fires first: only after some victims are hit can we act to guard against the same attack recurring. This reactive, signature-based model is flawed by nature and cumbersome to implement and maintain. It is a wonder that situations like last week's McAfee issue don't occur on a regular basis.

According to Symantec's Internet Security Threat Report XV, Symantec created 2,895,802 new malicious code signatures in 2009 alone. That was a 71 percent increase over 2008 and represents more than half of all malicious code signatures Symantec has ever created. Symantec also identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008.

A Symantec spokesperson stated, "Knowing that Symantec produces up to 20,000 new malicious code signatures each day, and that other security vendors face similar circumstances, it becomes easier to understand, while not making it any more acceptable, a situation like McAfee faced last week."

Andrew Brandt, lead threat research analyst at Webroot, told me, "Being even more proactive, and building signatures based on what you think the malware authors might do with their creations, can also lead to situations where you create more false positives. The key is to be alert and responsive to malware (which is in a constant state of rapid evolution), to build signatures as quickly as possible, and then do thorough testing before releasing them to the wide world. After all, scientists need a sample of the new flu virus strains before they can make a vaccine. The analogy applies here, too."

Fair enough. Or maybe there are simply too many "flu strains" for the reactive model of developing a vaccine after the fact to be effective. Perhaps it is time for anti-malware vendors to evolve and adopt models that deliver the same level of protection with less effort on their part and less room for an error on the scale McAfee's customers just experienced.

There are a couple of approaches. One is to keep the signature-based model but host the definitions centrally, in the cloud, rather than pushing a copy to every individual system. This is the direction Webroot is headed. Brandt explained, "Putting the definitions into the cloud, instead of letting them reside on the endpoint has a clear advantage in cases like this. If a definition hosted in the cloud goes horribly, horribly wrong, we can pull that definition from circulation immediately, thereby limiting the scope of the damage, and hopefully containing it to the small number of users who happen to be in the unlucky position to be first to use a defective definition set."

Symantec is working on a different approach. Gerry Egan, director of Symantec Security Response, described it this way: "Symantec's Reputation-Based Security breaks at a fundamental level with the idea that a malicious file has to actually be captured and analyzed in order to protect against it. Instead, Reputation-Based Security works in a way similar to how Google ranks Web pages. Google's PageRank algorithm relies on what might be called the wisdom of the crowds to determine a specific Web page's value."

Egan continued, "In its most basic form, it essentially looks at how many other Web pages link to a page and each link is considered a 'vote' for that page. However, it looks at more than the sheer volume of votes, or links pointing to a page; it also analyzes how popular the page is that casts the vote. All this information is computed to give a Web page a ranking on Google."
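The vote-weighting Egan describes, written out as plain PageRank by power iteration. This is an added illustration, not Symantec's or Google's code, and the graph is constructed for the demo: five pages vote for "hub", "A" receives a single vote from hub, and "B" receives three votes from pages nobody links to. It shows why raw vote counts and weighted rank disagree, which is the point of the analogy.

```python
"""Added example: link-as-vote ranking (PageRank by power iteration).
Illustration only; the graph below is constructed, not real data."""


def pagerank(links, damping=0.85, iterations=100):
    """Rank every node in a directed graph.

    `links` maps a node to the list of nodes it links to; each link is a
    'vote'. A node's score is the damped sum of its voters' scores, each
    divided by how many votes that voter casts, so a vote from a
    high-ranked node is worth more than a vote from an obscure one.
    Nodes with no outgoing links (dangling) spread their score evenly
    over the whole graph, which keeps all scores summing to 1.
    """
    nodes = sorted(set(links) | {t for targets in links.values() for t in targets})
    n = len(nodes)
    rank = {node: 1.0 / n for node in nodes}
    for _ in range(iterations):
        new = {node: (1.0 - damping) / n for node in nodes}
        dangling = 0.0
        for node in nodes:
            out = links.get(node, [])
            if not out:
                dangling += rank[node]
                continue
            share = rank[node] / len(out)
            for target in out:
                new[target] += damping * share
        for node in nodes:
            new[node] += damping * dangling / n
        rank = new
    return rank


def in_links(links):
    """Raw vote count per node, for comparison with the weighted rank."""
    counts = {node: 0 for node in set(links) | {t for ts in links.values() for t in ts}}
    for targets in links.values():
        for t in targets:
            counts[t] += 1
    return counts


# Constructed graph (assumed for the demo). "fan1".."fan5" vote for "hub",
# hub casts its only vote for "A", and "farm1".."farm3" (which nobody
# links to) all vote for "B".
EXAMPLE_LINKS = {
    **{f"fan{i}": ["hub"] for i in range(1, 6)},
    "hub": ["A"],
    **{f"farm{i}": ["B"] for i in range(1, 4)},
}


def example_ranks():
    """Ranks for the constructed graph; A ends up ahead of B."""
    return pagerank(EXAMPLE_LINKS)


if __name__ == "__main__":
    ranks = example_ranks()
    votes = in_links(EXAMPLE_LINKS)
    for node in ("A", "B", "hub", "fan1", "farm1"):
        print(f"{node:6s} votes={votes[node]}  rank={ranks[node]:.4f}")
```

B collects three times as many votes as A, yet A outranks it because its one vote comes from a node that is itself well ranked. The same shape of computation, with "is run on many machines" or "was vouched for by a trusted source" in place of "is linked from", is what a reputation score needs if it is to resist being gamed by volume alone.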

A reputation-based approach has other potential benefits as well: there is no need to capture a sample of the malware before defending against it, the risk of false positives is lower, and the impact on the speed and performance of the PC is smaller. It can also be tailored by IT administrators to implement and enforce policies.

The signature-based model has been the default anti-malware defense for 20 years. It has served us well, and performed admirably in most cases. However, the malware developers are too numerous and agile for such a cumbersome defense to remain effective much longer.

As the threat landscape evolves, so must our defense system improvise, adapt, and overcome.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at tony_bradley@pcworld.com.



Comments

Marcus J

1

Great article. Very useful in highlighting the limitations of a signature file based approach to detecting malware. To rely upon recognition of signatures, the infectious file must have done some destructive work.

Even when McAfee, et al., very creatively generate new strains of signatures, there are the limitations of trying to be predictive. To predict what the armies of rogue coders might do is rather like trying to predict evolution.

The article does not broach an interesting alternative: behavior-based detection models. Trying to recognize the behaviors that signal an active, infectious attack does not have to be so predictive. These can be broader in their detection by nature. They can alert the affected before destructive work is done by the malware.

PWW

2

Interesting article, and certainly the correct subject to discuss. Although from a process point of view, there are a couple of flaws in some of the opinions offered IMHO.

Firstly, to base signatures in the cloud would have turned this situation into an absolute catastrophe, as the entire user base would have received the false positive at the same time. The reason why all of McAfee's users weren't smashed here was because signatures weren't updated immediately on release. The cloud-based idea as an alternative also highlights a misunderstanding of what happened in the real world. The machines entered a reboot cycle, so rolling back the signature in the cloud wouldn't have helped.

A couple of other points... My company has been using McAfee forever, and we always follow an N-1 strategy to signatures; it's a risk decision we have made, and we weren't hit. McAfee also has had reputation-based hashing in Artemis for a long time, so this thought ain't new, Symantec, but it's definitely a great idea!

One final thought, and this is where I think the flaw in the argument is... There'll be perennial arguments about blacklisting vs. behavioral vs. reputation, and all of these are flawed in one way or another. Has anyone ever thought that the only absolute is a whitelist? Ironically, we're working with McAfee now to test such a solution. So far so good! There's still a lot of testing to go, and technologically it's perfect; we just need to make sure it doesn't have a negative impact on business, because it takes all control from users. But if it's mission critical, then I don't want them to have control anyway!
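The failure mode the article opens with, and the whitelist idea in the comment above, side by side in a toy signature engine. This is an added example, not McAfee's or any vendor's code: every signature, file body, path and hash in it is constructed for the demonstration. The naive scan quarantines anything a definition matches; the guarded scan adds one gate, a known-good hash list, so that a bad definition produces an alert for review rather than a quarantined system file and a machine that will not boot.

```python
"""Added example, not vendor code: a toy signature scanner with and without
a known-good hash gate. All signatures, files and hashes are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(data: bytes, signatures: dict) -> list:
    """Names of every signature whose byte pattern occurs in `data`."""
    return [name for name, pattern in signatures.items() if pattern in data]


def naive_scan(files: dict, signatures: dict) -> dict:
    """Signature-only policy: any hit is quarantined, whatever the file.
    One over-broad definition is enough to take every endpoint down."""
    actions = {}
    for path, data in files.items():
        hits = matches(data, signatures)
        actions[path] = ("quarantine", hits) if hits else ("clean", [])
    return actions


def guarded_scan(files: dict, signatures: dict, known_good: set) -> dict:
    """Same engine with one gate: a hit on a file whose SHA-256 is on the
    known-good list is reported for review, never quarantined. A bad
    definition then costs an analyst's time, not the machine."""
    actions = {}
    for path, data in files.items():
        hits = matches(data, signatures)
        if not hits:
            actions[path] = ("clean", [])
        elif sha256_hex(data) in known_good:
            actions[path] = ("suspected-false-positive", hits)
        else:
            actions[path] = ("quarantine", hits)
    return actions


# Constructed definition set (names and patterns are assumptions).
# "W32/BadDef.b" is deliberately over-broad: its pattern is the start of
# an ordinary PE header, so it hits every Windows executable. An over-broad
# pattern is one way a definition ends up matching a legitimate file.
SIGNATURES = {
    "W32/Example.a": b"\x90\x90\xe8\xde\xad\xbe\xef",
    "W32/BadDef.b": b"MZ\x90\x00\x03",
}

# Constructed file contents; the paths are illustrative, not real binaries.
SYSTEM_FILE = r"C:\Windows\system32\svchost.exe"
DOWNLOAD = r"C:\Users\bob\Downloads\invoice.exe"
FILES = {
    SYSTEM_FILE: b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 16,
    DOWNLOAD: b"MZ\x90\x00\x03" + b"\x00" * 8 + b"\x90\x90\xe8\xde\xad\xbe\xef",
}

# In a real deployment the known-good list comes from hashes published by
# the OS or application vendor for the binaries they ship, not from the
# tree being scanned; here it is seeded from the constructed system file.
KNOWN_GOOD = {sha256_hex(FILES[SYSTEM_FILE])}


if __name__ == "__main__":
    for label, result in (("naive", naive_scan(FILES, SIGNATURES)),
                          ("guarded", guarded_scan(FILES, SIGNATURES, KNOWN_GOOD))):
        for path, (action, hits) in result.items():
            print(f"{label:8s} {action:25s} {path}  {hits}")
```

The gate does not make the engine smarter about malware; the genuine sample in the downloads folder is still quarantined by both scans. What it changes is the blast radius of a vendor mistake: a definition that matches a file the operating system shipped can no longer remove that file on its own authority. That is the same property PWW argues for with a whitelist, applied narrowly to the quarantine decision rather than to all execution.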
