InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity June 2009
Cover Story
Anti-Virus Solutions:
Can They Ensure Maximum Safety?

With the emergence of new, sophisticated blended threats, anti-virus vendors are feeling the heat and finding it significantly harder to build maximum security into their product designs. This article attempts to find out the capability and strength of today’s AV solutions and looks into the future of AV solutions.

As the quantity and quality of ever-evolving malware increase at an exponential rate, questions about the ability of current antivirus software to fend off new viruses and worms are growing just as fast. What began as a general eagerness to create new worms and viruses has shifted to financially motivated crime and, not surprisingly, the so-called unethical hackers have joined the dark side. Increasingly, hackers are using "special mutating technology" that allows them to inject random "junk" into Trojan program code before compiling and compressing it to create separate variants, each of which requires a separate signature to block it. Modern malware programs are designed to split themselves into several co-dependent components once they are installed on a system, to make them harder to locate and remove. Each fragment or component keeps track of the others, and when an attempt is made to delete one component, the remaining fragments instantly respawn or reinstall it.

Current Antivirus Solutions—Redefined?

According to Symantec’s latest Internet Security Threat Report, over 60% of malicious code signatures were created in 2008, and more than 245 million attempted attacks were blocked each month, worldwide. The report also found that worms and viruses attacked India more often than any other country in the region. So the situation clearly demands continuous evolution and redesign of antivirus solutions.

Antivirus solutions have been re-designed and re-engineered into more comprehensive security suites that include firewalls, content filters, phishing and spam protection, and other protection tools. Today’s versatile e-threat landscape has steered security companies to create new and robust platforms which no longer only defend systems against classic viruses, but also provide highly customizable modules for privacy and sensitive-data protection, parental and application control, network management, data backup and encryption.

Symantec is redefining the approach to viruses and worms by using heuristic file protection and behaviour monitoring, in addition to signature-based protection. These enable the security product to spot new virus variants, based on the characteristics of the file, and by detecting suspicious behaviour in running applications.

K7 Computing also believes that in the early days the problem was really viruses (replicating code) trying to propagate across systems and networks, but in recent times the focus is more on trying to prevent the loss of user information such as credit card details. For this reason, the technology has expanded from purely looking for viruses to looking for all types of malicious software (malware), and products often include complementary technologies such as personal firewalls and anti-spam to ensure that a system can be comprehensively protected from attacks.

According to Trend Micro, antivirus companies are looking at providing both signature- and behaviour-based protection mechanisms, as antivirus signatures are no longer that effective. However, for some existing known threats, signatures still remain the most effective tool for accurate detection. That is why using both signatures and behavioural analysis is important. It is also expected that, with the increase in multi-staged attacks, both security vendors and cyber criminals will focus more on malware.

Antivirus, or antimalware, products have had to respond to the ever-increasing number of new threats and their complexity. Not only have the existing technologies been improved significantly over time, but new methods, especially focused on web threats and behaviour monitoring, are being introduced. In general, security solutions are being extended with additional protection layers and complex back-end systems to help cope with the new threats, according to AVG experts.

In order to protect customers from such blended threats and tomorrow's emerging threats, antivirus solutions too have evolved by innovating new technologies. Today antivirus protection no longer simply scans and cleans; it includes proactive technologies that automatically analyze application behaviour and network communications to detect and actively block attacks. Customers are provided with integrated antivirus, antispyware, firewall, and host- and network-based intrusion prevention in a single solution that is easy to install and easy to manage.

In this sphere, besides heuristics, Quick Heal also has its DNA Scan technology, designed and developed in-house to counter unknown threats. This technology employs deep code inspection and has been a great success in countering new and unknown viruses.

Signature-based Antivirus—Dead?

Karel Obluk, CTO, AVG Technologies

Many experts believe that signature-based antivirus products can be easily circumvented and some experts also believe that signature-based antivirus is dead. But what does industry believe?

Signature-based solution is a very simple term for very complex technology. With the exception of only a few (primarily open-source) vendors, signature-based detection engines have evolved over the years into very complex solutions that also use emulation, generic detection, cryptographic methods and so on. It is generally accepted that in the long term, signature-based solutions are not sufficient if used stand-alone. However, according to Karel Obluk, CTO, AVG Technologies, for small businesses and consumers, signature-based detection remains the single most efficient and reliable detection technique. To provide really comprehensive and reliable protection, it is now often accompanied by other layers, such as behaviour-based modules, web-threat protection and so on.

Bogdan Dumitru, CTO, BitDefender

Bogdan Dumitru, CTO, BitDefender, believes that signatures are indeed easily circumvented, but this does not mean the technology is dead. It will be around for some time, and the role of signatures might change (for example, in the case of whitelisting), but they are not likely to disappear any time soon. On the other hand, it is also true that you can no longer rely exclusively on signatures. For instance, BitDefender has already implemented B-HAVE as a significant component of its antimalware solutions. B-HAVE is a dynamic heuristic scanner designed to augment the current security technology and provide proactive protection, while also overcoming the architectural limitations inherent in many other dynamic solutions. Proactive detection is hard to achieve only with generic signatures, so other technologies are needed to complement the current signatures.

Andrew Lee, CTO, K7 Computing

Andrew Lee, CTO, K7 Computing, also feels that though the idea of unique identification of individual viruses by a single signature has long passed away—indeed, the idea of generic or heuristic detection has been around for at least 15 years—the fact is that every anti-malware product on the market uses some form of signature detection. The reason for this is that once something is known, you can detect it far more efficiently (and therefore minimize performance impact) using a signature-based approach. Of course, there is always the argument that something new can’t always be detected, but that’s true of any system. None currently has 100% guaranteed detection of new threats, even the most advanced heuristic products. Partly this is due to the fact that the malware authors have access to anti-malware products. However, this is not the same as saying that signature-based antivirus is dead. It’s simply the best solution that we have available, and when new threats appear, most anti-virus companies are able to react very fast and ensure that the majority of people will be protected quickly. As the threats evolve, so do the products; it’s not a ‘game’ that will necessarily ever end, until the fundamental properties of the operating environment change to include full integrity checking on every byte of code passed, a destination we are many years away from.

It's true that traditional signature-based virus detection is obsolete—after all, it's been dead since viruses stopped having signatures back in the early 90s. But the debate around anti-virus stems from the fact that the ever-growing number of malware variants has now caused a shift in the IT security industry, from reactive to proactive detection techniques. Traditional malware detection requires time and manpower, and is insufficient given that many cybercriminals now simply look to write as many different malware variants as possible to try and evade defences.

Graham Cluley, Senior Technology Consultant, Sophos Plc

To counter this type of activity, vendors introduced proactive technology in conjunction with basic anti-virus products—as a key component of the corporate IT security strategy. According to Graham Cluley, Senior Technology Consultant, Sophos Plc, a good analytical, proactive tool has the ability to analyze the behaviour of all applications, rather than searching only for recognized malware. Able to identify malicious activity and block code before it executes, this technology is an indication of just how much the concept of anti-virus has developed. To sum up: to rely SOLELY on signature-based anti-virus would be a mistake; it plays an important part in the defence, but most anti-virus products do much more than that today.

Sanjay Katkar, CTO & Technical Director, Quick Heal Technologies

Sanjay Katkar, CTO & Technical Director, Quick Heal Technologies, believes that signature-based anti-virus is still there and is at the core of all the different protections available today. It is true that signature-based protection alone is not enough, but as I had mentioned in my reply to the first question, just as threats have evolved, the antivirus products too have evolved over the period and now include multiple technologies to tackle current threats. Lots of innovation has happened and anti-virus software is protecting users’ computers against these floods of malware by implementing multiple protection mechanisms. Scanning itself has evolved to such an extent that the scanners are even able to detect newer variants of thousands of malware programs in generic form without any updates. At the same time, signature-based scanning is still at the core of the antivirus product and this will remain so for a long time ahead.

Antivirus Solutions—As Backdoor?

A spate of bugs has popped up recently in quite a few of the major anti-virus brands; some are old bugs which have just been made public and some are apparently new bugs—just discovered. Nothing too serious, it seems (no remote takeover vulnerabilities); mostly just crashes and annoyances. Included are Symantec’s Norton Anti-virus, Kaspersky Anti-Virus 6.0, F-Prot, IBM Proventia and Clam Antivirus. Once an occasional inconvenience, serious security bugs and vulnerabilities in anti-virus and security suite products are growing into hardy perennials. Once, running Windows anti-virus was like driving down a dual carriageway. These days, it’s more like an unpaved road.

The Kaspersky bug had the potential to result in serious annoyance. The other bugs are less serious and individually don’t amount to much, but collectively, they’re enough to make you reach for an Ubuntu installation CD or start looking on eBay for a Mac. First up, let’s consider a misfiring definition update for Kaspersky Anti-Virus 6.0 for Windows Workstations, which sent users into pop-up hell. It was issued on 31 March, and it wasn’t resolved until 2 April. A flaw in F-Prot involving the scanning of Zip files allegedly creates a possible method to circumvent anti-virus protection. Security researcher Thierry Zoller, who discovered the vulnerability, went public with the flaw on 2 April after F-Prot failed to act for a reported four years.

Zoller also published two other advisories in mid April’09, each covering problems with enterprise products and scanning archived files. Malicious RAR archives might make their way past IBM Proventia email security appliances, according to Zoller. He published a limited details advisory after not hearing from IBM for a month. IBM is reportedly investigating the issue. Clam AntiVirus, the open source anti-virus toolkit for UNIX, which is used to scan email on mail gateways for Windows viruses, also had a problem with RAR files. That problem was plugged late last month but only publicized by Zoller with an advisory in April’09.

In December, 2008, iViZ, an information security company, announced the discovery of new classes of vulnerabilities in many popular commercial and open source antivirus software. These vulnerabilities can potentially allow attackers to break into systems using such antivirus software. An attacker first crafts an email with malicious payload and sends it to the target user. When the email is scanned by the vulnerable antivirus software it can either crash the antivirus software or execute arbitrary code resulting in complete security bypass and remote system compromise.

Using a variety of file fuzzing techniques, the company discovered abnormal behavior in several security tools when handling complex or unusual executable header data, especially in the case of executables packed with third-party packers like UPX, FSG etc. In such events, multiple bugs were found in antivirus software while processing malformed packed executables. Some of these bugs proved to be security vulnerabilities which could turn the antivirus itself into a back door for hackers. The affected antivirus software vendors were informed of this anomalous behavior. The affected software includes many popular commercial and open source antivirus products such as AVG, F-Prot, Sophos, ClamAV, BitDefender & Avast.
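A bounds-checked walk of a PE section table, as an added illustration of the defensive header parsing the findings above call for (it is not iViZ's test harness or any vendor's scanner code); the PE header offsets are the documented ones, while the sample images, the section limit and the helper names are constructed assumptions:

```python
import struct

DOS_HEADER_SIZE = 0x40
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96   # scanner policy assumed here, not a limit of the PE format


def parse_sections(data: bytes):
    """Walk the PE section table, checking every attacker-controlled field
    against len(data) before it is used for an offset or an allocation.
    Returns (sections, error): sections is a list of (name, raw_offset,
    raw_size) tuples, error is None or a short reason for rejecting the file."""
    size = len(data)
    if size < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return [], "missing DOS header"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew must leave room for the 4-byte "PE\0\0" signature and the COFF header
    if e_lfanew > size - 4 - COFF_HEADER_SIZE:
        return [], "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return [], "missing PE signature"
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    if nsec > MAX_SECTIONS:
        return [], f"NumberOfSections={nsec} exceeds policy limit"
    table = coff + COFF_HEADER_SIZE + opt_size
    # Subtract rather than add: in a C scanner, table + nsec * 40 can wrap a
    # 32-bit length and slip past a naive "< size" test.
    if table > size or nsec * SECTION_HEADER_SIZE > size - table:
        return [], "section table runs past end of file"
    sections = []
    for i in range(nsec):
        off = table + i * SECTION_HEADER_SIZE
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        # Packers such as UPX leave unusual SizeOfRawData values; never use the
        # field to size a buffer until it has been checked against the file.
        if raw_ptr > size or raw_size > size - raw_ptr:
            return [], f"section {i} raw data ({raw_ptr:#x}+{raw_size:#x}) lies outside the file"
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections, None


def build_pe(sections, overrides=None):
    """Build a minimal PE-like image for testing (constructed input, not a
    real executable). sections: list of (name, raw_bytes). overrides maps
    (index, "raw_size") or (index, "raw_ptr") to a forged value, and the
    key "nsec" forges NumberOfSections."""
    overrides = overrides or {}
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)      # e_lfanew
    nsec = overrides.get("nsec", len(sections))
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    ptr = DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    table, payload = b"", b""
    for i, (name, raw) in enumerate(sections):
        raw_size = overrides.get((i, "raw_size"), len(raw))
        raw_ptr = overrides.get((i, "raw_ptr"), ptr)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1),
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += raw
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


# Constructed samples: one well-formed image and two malformed headers of the
# kind fuzzing turns up (oversized raw data, forged section count).
GOOD = build_pe([(b".text", b"\x90" * 16), (b".data", b"\x00" * 8)])
OVERSIZED = build_pe([(b"UPX1", b"\xcc" * 16)], {(0, "raw_size"): 0xFFFFFFF0})
FORGED_COUNT = build_pe([(b".text", b"\x90" * 16)], {"nsec": 0xFFFF})

if __name__ == "__main__":
    for label, image in (("good", GOOD), ("oversized", OVERSIZED), ("forged count", FORGED_COUNT)):
        sections, error = parse_sections(image)
        print(f"{label:13s} -> {error or sections}")
```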

Govind Rammurthy, CEO and MD, MicroWorld

Partially agreeing with this point, Govind Rammurthy, CEO and MD, MicroWorld, said, “An antivirus solution should not be 100% signature based. An antivirus solution using heuristic scanning will have a huge number of false positives; hence an antivirus solution should be both signature based and also use heuristic scanning, coupled with firewall and endpoint security.”

According to Bogdan Dumitru, except for rogue antivirus utilities, legitimate anti-malware solutions are extremely well designed pieces of software with multiple layers of protection. While it is true that malware creators are attempting to exploit any design flaws they can in antivirus products, there is no general algorithm that allows an exploit to affect security suites other than the one it has been designed for. This process is known in the security world as a vendor-targeted attack; once the company discovers such an incident, a security update is immediately delivered via automatic update. More than that, this type of attack is not specific to anti-malware software. They also affect other systems and components of the operating system. Such security incidents are extremely rare (most of them are proof-of-concept attacks) and they are highly unlikely to occur in real-life scenarios.

Vishal Dhupar, MD, Symantec India

Vishal Dhupar, MD, Symantec India, does not agree that antivirus solutions can be used by hackers to enter and access users’ sensitive data. According to him, what hackers normally do is target anti-virus programs and processes and shut them down or disable the services so that the programme will not recognize any attack. After the attack is done, they turn it back on to avoid detection of the fact that the anti-virus was turned off. To tackle this, Symantec has a feature called ‘Tamper Protection’ which detects any modification to antivirus processes and programs and blocks these changes.

But Amit Nath, country manager, Trend Micro, India, feels that there are a few open-source and commercial antivirus products which have created such problems in the past. This software could not provide the desired result while handling complex executable header data, which allows cyber criminals to access the system through the software itself. That is why it is important to opt for the right kind of solutions from companies which are extremely strong in R&D.

Amit Nath, country manager, Trend Micro, India

On the other side, Andrew Lee is not sure that using antivirus as a backdoor is at all common. In fact, according to him, looking at the record of security software compared to, say, browser software, the number of exploits against anti-virus products is very small. What is true is that once a user gets infected, the malicious software installed will try to prevent the user installing any anti-virus product that could detect or remove it. This has led some companies, like K7, to introduce pre-scan mechanisms that use a protected version of the anti-virus scanner to clean up the system before the product is installed.

Graham Cluley does not agree with this point. According to him, though bugs have been found in security products from time to time, they are normally proof-of-concept rather than widely exploited in the wild by hackers. Hackers have typically exploited vulnerabilities in web browsers, PDF readers, Adobe Flash etc. Karel Obluk also denies this, saying that he is not aware of any real antivirus solution being used as a backdoor or allowing the bad guys to get access to users' sensitive data. He says that 'rogue anti-spyware products', which are malicious programs, attempt to trick users into installing them and as a result, the machines become infected.

Commenting on this point, Sanjay Katkar says that in the current environment nothing can be called completely safe. Hackers today use several ways to enter the system, whereas earlier it used to be only OS vulnerabilities. Now lots of other third-party application vulnerabilities are also being exploited. As such, antivirus solutions too can be targeted and misused. At the same time, you will not find too many examples of such use of antivirus solutions as a backdoor, just because antivirus solutions are being developed by security professionals who are aware of such situations and hence make it difficult for hackers to break them. On the other hand, antivirus solutions are the most frequently updated application on users’ PCs. Any vulnerability in antivirus solutions will be patched immediately and automatically, giving fewer windows for the hackers. But at the same time we cannot completely rule out that antivirus solutions can be misused by hackers to achieve their goal. I will not leave the onus on users for not following the right procedure, as lots of things are technically complex and it’s the job of antivirus vendors to do these things automatically and, wherever it is not possible to automate, at least warn/alert the users accordingly.

Bikas Barai, CEO, iViz

Bikas Barai, CEO, iViz, clearly says that in the world of security, it is natural to have vulnerabilities and unnatural to be 100 percent secure. Vulnerabilities may occur in any kind of software, including antivirus, operating systems, browsers or others. Hence anti-virus products too are susceptible to attacks, and in the past at iViZ, our vulnerability research team has discovered multiple new vulnerabilities in several popular antivirus products. However, vulnerabilities and their discovery are like a continuously moving target. Every day new vulnerabilities or attacks get discovered. It is like a cat and mouse game and the vendors always need to strive to stay ahead of attackers. This is true for all software, including antivirus.

He also says that it is more important that vendors educate users about the reality instead of claiming that they are 100 percent secure. Product vendors should conduct more in-depth testing, especially by third parties, adopt a secure product development lifecycle and develop a strong security response mechanism. Vulnerabilities are here to stay and hence it is more important to focus on how one deals with them.

Next Generation Solutions—What Can We Expect?

We are now reaching an inflection point where there is more malicious code written than ‘good’ software. It is therefore more effective and economical to analyze ‘goodware’ rather than malware. At this point, given the sophistication of the threats, a new, hybrid approach to virus detection and protection is necessary.

Symantec is taking a three-pronged approach to tackle this. Firstly, Symantec is continuing to blacklist high-prevalence malware programs. Secondly, the company is building a massive whitelist to identify popular, legitimate programs and allow them to run unhindered. And finally, the company will deploy a novel reputation-based software rating system that can accurately categorize less popular legitimate and malicious files in the “long tail”. According to Govind Rammurthy, CEO and MD, MicroWorld, multi-level protection and whitelisting are some of the technologies that vendors are looking to incorporate into future antivirus solutions.

One of the challenges of building blacklists and whitelists is dealing with the “long tail” of software applications. A “long-tail” software application is one that’s used by just a handful of users and therefore unlikely to be discovered and added to a whitelist (if legitimate) or a virus signature database (if malicious). Supplementing the classic whitelist approach with reputation-based security techniques, where every application is assigned a reputation value, can significantly increase the strength in protection and at the same time address the technology challenges.
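The blacklist, whitelist and reputation decision described in the two paragraphs above, as an added example that is not Symantec's code or any vendor's; the hash values, telemetry records, scoring weights and verdict thresholds are constructed assumptions:

```python
import math
from dataclasses import dataclass

# Constructed placeholder hashes standing in for the blacklist and whitelist
# (not real indicators).
BLACKLIST = {"a1" * 32}
WHITELIST = {"b2" * 32}

LONG_TAIL_USERS = 50    # fewer reporting endpoints than this makes a file "long tail" (assumed)
ALLOW_SCORE = 60        # assumed policy thresholds for the reputation verdicts
QUARANTINE_SCORE = 30


@dataclass
class Telemetry:
    """What the back end knows about one file, aggregated from many endpoints."""
    sha256: str
    users_seen: int                 # distinct endpoints that have reported the file
    days_since_first_seen: int
    signed_by_trusted_publisher: bool
    web_download: bool              # arrived via browser download rather than installer media


def reputation(t: Telemetry) -> int:
    """Score 0..100 from prevalence, age, code signing and origin.
    The weights are illustrative; a real system learns them from labelled data."""
    prevalence = min(math.log10(t.users_seen + 1) / 3.0, 1.0)   # ~1000 users saturates
    age = min(t.days_since_first_seen / 180.0, 1.0)             # six months saturates
    score = 25 * prevalence + 25 * age
    score += 40 if t.signed_by_trusted_publisher else 0
    score += 0 if t.web_download else 10
    return round(score)


def classify(t: Telemetry):
    """Three-pronged decision: blacklist, then whitelist, then reputation for
    the long tail. Returns (verdict, reason)."""
    if t.sha256 in BLACKLIST:
        return "block", "known-bad hash"
    if t.sha256 in WHITELIST:
        return "allow", "known-good hash"
    score = reputation(t)
    if score >= ALLOW_SCORE:
        return "allow", f"reputation {score}"
    if t.users_seen < LONG_TAIL_USERS and score < QUARANTINE_SCORE:
        return "quarantine", f"long-tail file with reputation {score}"
    return "monitor", f"undecided reputation {score}; run under behaviour monitoring"


# Constructed telemetry records
KNOWN_TROJAN = Telemetry("a1" * 32, 5000, 2, False, True)
POPULAR_APP = Telemetry("b2" * 32, 200000, 900, True, False)
FRESH_DOWNLOAD = Telemetry("c3" * 32, 3, 1, False, True)          # classic long-tail drop
OLD_INTERNAL_TOOL = Telemetry("d4" * 32, 12, 400, True, False)    # rare but trustworthy
RISING_UNSIGNED = Telemetry("e5" * 32, 300, 20, False, True)      # too common to be long tail

if __name__ == "__main__":
    for t in (KNOWN_TROJAN, POPULAR_APP, FRESH_DOWNLOAD, OLD_INTERNAL_TOOL, RISING_UNSIGNED):
        print(t.sha256[:8], *classify(t))
```

Note that the rare, old, signed tool is allowed on reputation alone even though it will never be popular enough to reach a whitelist, which is exactly the long-tail case the page describes.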

Some view whitelists as the next phase. Whitelisting is an easy technology to implement in a controlled environment (such as business tiers with strict rules), but getting it to work for the vast majority of users is going to be the real challenge. BitDefender believes that whitelisting will be only a complementary solution to antivirus technologies for most users. According to Trend Micro, it is expected that antivirus will endure as a component of a layered defense strategy and will be embedded in the network. The centralization of anti-virus technology will certainly provide an efficiency boost.

Venu Palakriti, Sales Director, F-Secure, India & SAARC Region

As consumer computing is moving to the cloud, so will antivirus, believes Venu Palakriti, Sales Director, F-Secure, India & SAARC Region. He notes that consumers today have their videos on YouTube, photos on Flickr, contacts on Facebook and so on. Antivirus will be moving in the same direction, I foresee.

There is already a lot of focus on technologies such as whitelisting and integrity. Andrew Lee would expect to see a lot more focus in those areas, as the huge volumes of new malware require it. He thinks that we will also see a lot more integrated suites looking at wider areas than purely securing the files on the system. Karel Obluk feels that complex back-end systems (often referred to as 'in-the-cloud') should be used to further improve protection and help with detection of some of the more complex modern threats.

IT security threats have mushroomed in recent years and the trend shows no sign of slowing. Whereas traditional AV no longer provides an adequate level of protection on its own, a more diverse approach to IT security and control—namely a new breed of integrated solutions—is helping businesses to achieve a higher overall standard of network defence. Combined with comprehensive technologies such as NAC and application control, AV will continue to provide robust protection that companies cannot afford to operate without.

Gone are the days when simple AV protection was enough to defend corporate IT networks. In today's cyber climate, and across sprawling networks, organizations need to be aware of malware of all kinds, including viruses, spyware and Trojan horses, as well as worms and spam. Not only are cybercriminals directly attacking desktop computers and other endpoints, they are also infecting bona fide webpages. Anyone surfing the internet could unwittingly download software code that will attempt to steal passwords and other critical information, simply by clicking on an infected weblink or pop-up.

Riyaz Sayyed, GM, ESS Software Distribution and Consulting (P) Ltd

In order to beat the cyber crooks, organizations must expand their IT security remit to defend all potential avenues of attack. Consolidated solutions which defend against data leaks, deny network access to machines that aren't patched or have out-of-date AV, and restrict which applications users can install and use, help businesses ensure total protection by taking back full control of their networks. According to Riyaz Sayyed, GM, ESS Software Distribution and Consulting (P) Ltd, “definitely we will see new developments in areas such as protection from malware, phishing attacks, botnets, rootkits for protection against kernel-level threats, protection against key loggers etc.”

Experts like Sanjay Katkar believe that the next phase of development in antivirus solutions would be to include multiple technologies and widen the protection umbrella by adding protection layers. All of these in a single solution can be installed and managed easily. At the same time, AV vendors are also researching ways to make antivirus solutions lighter yet still effective, as the flood of malware has put a lot of pressure on resource utilization by antivirus solutions at all levels. Companies like F-Secure offer their solutions through ISPs like AIRTEL, TATA, SIFY and Reliance under a Security as a Service model, which has been the most successful strategy for this company.

Conclusion

Although traditional AV remains a fundamental facet of IT security, today's evolving threat landscape requires a multi-tiered approach to defending the network. By mounting multi-directional attacks, hackers have made AV vendors’ job really tough. Therefore, experts believe that by combining conventional AV with other technologies, like anti-spam, anti-phishing, anti-rootkit, Network Access Control (NAC) and application control, vendors will be able to offer organizations a more comprehensive solution specifically designed to protect their IT infrastructures from a multitude of threat scenarios.

In the long run, those vendors who stick solely with AV products may find themselves between a rock and a hard place. Looking to the future, many pure AV vendors may find themselves outfoxed by the selection of consolidated solutions on the market, leaving them struggling in the shadows of their larger counterparts. It seems likely that many of these may then become subsequently absorbed into the wider IT security package as an essential benchmark.

Cover Page Caption: Anti-virus Solutions – Are They Trustworthy?

Some currently available solutions:

Symantec Endpoint Protection 11.0
Symantec Endpoint Protection 11.0 enables organizations to take a more holistic and effective approach to protecting their endpoints—laptops, desktops, and servers. It combines five essential security technologies to proactively deliver the highest level of protection against known and unknown threats, including viruses, worms, Trojan horses, spyware, adware, rootkits, and zero-day attacks, in a single deployable agent that can be administered from a central management console. It also allows administrators to easily disable or enable any of these technologies based on their particular needs.


K7TotalSecurity

The K7TotalSecurity product has been a significant product from K7 Computing. It is an integrated security suite, including Anti-Virus, Anti-Spyware, Anti-Rootkit scan, Pre-install scan, Anti-spam, parental and privacy control and personal firewall, all integrated into a high-performance, low-impact system. With this product, the company offers customers value for money at a highly competitive price.


eScan 10.0

eScan version 10 ensures complete protection for computer systems and networks with its indigenous powerful technologies such as MicroWorld Winsock Layer (MWL), Domain and IP Reputation Checker (DIRC), Non Intrusive Learning Pattern (NILP) Technology and sophisticated AntiVirus heuristic algorithms. eScan's features such as AntiSpam, Web Protection, Endpoint Security, Firewall and many more provide multiple levels of protection. All incoming/outgoing emails, attachments & websites are scanned for confidential data. Prohibited content and offensive and obscene language are also scanned for using specific keywords and phrases, backed by NILP, RBL and SURBL technologies.


Sophos Endpoint Security and Control

Sophos Endpoint Security and Control provides proactive malware detection and preventive protection. A single integrated scan detects viruses, spyware, adware, potentially unwanted applications (PUAs), suspicious files, suspicious behavior and unauthorized applications such as VoIP, IM, P2P and games. New and unknown threats are proactively stopped by Sophos HIPS technology along with rapid signature updates. Simplified management functionality reduces administration burden by enabling centralized and automated deployment, updating, alerting and reporting across Windows, Mac and Linux platforms, safeguarding the integrity of the entire network.


Quick Heal Total Security 2009

Quick Heal Total Security 2009 gives you complete protection from viruses, spyware, and hackers. It also helps you stay connected and communicate over the internet by protecting your system from threats on the Internet. With Quick Heal Total Security on your PC, enjoy your freedom to work and play in the connected world. With Quick Heal Total Security 2009 on your PC, you can also scan and clean a mobile phone connected via Bluetooth or USB cable.


ESET NOD32

ESET NOD32 is the best-selling antivirus solution from ESET in India. AV-Comparatives awarded ESET NOD32 Antivirus "Best Overall Speed-Performance" and "Best Proactive On-Demand Detection". ESET NOD32 has 55 VB100 awards whereas our closest competitor has 49 VB100 awards. From this you can analyze the quality and performance of NOD32. Using advanced ThreatSense technology, ESET NOD32 Antivirus proactively protects you from new attacks, even during the critical first hours when other vendors' products aren't aware the attack even exists. ESET NOD32 Antivirus detects and disables both known and unknown viruses, Trojans, worms, adware, spyware, rootkits and other Internet threats.


BitDefender Antivirus 2009

BitDefender Antivirus 2009 is especially suitable for computer users who mostly work offline or access the web occasionally. It comes with an improved, real-time scanner for web, e-mail and instant messaging traffic and proactively protects the user against new, undiscovered virus outbreaks using advanced heuristics. The newest technological innovations to the product line-up include state-of-the-art encryption for all Instant Messenger conversations and a brand-new laptop mode that automatically detects when the notebook is running on battery power in order to increase battery lifespan.


AVG Internet Security Suite

AVG Internet Security for one PC is AVG’s comprehensive cyberthreat prevention suite for Windows-based home users. AVG started its cooperation with the Indian company Milestone Interactive Group in April. This company is a leading distributor of interactive software for. With its knowledge of the Indian software market, Milestone Interactive Group will propel AVG in their quest to reach out to a rapidly growing consumer base for anti-virus products in India.


Trend Micro Antivirus+Antispyware

Trend Micro AntiVirus+AntiSpyware is the essential security one needs to safeguard all the data and files. With automatic scans, updates and outbreak alerts, you can rest easy knowing you have systematic, ongoing protection against the latest malicious viruses, worms, Trojan horse programs, and spyware.

—By: ‘InfoSecurity’ Bureau.


