BlueFort Security Ltd -

AV Signature as Standalone Defence - Failure No Matter Where You Put It

I have received a number of requests for more background on just how I arrived at my conclusion that it is game-over for traditional AV, so I thought I would share the numbers.

Everyone reading this should be familiar with the CSI/FBI Crime reports. They have been respected and widely read reports within the InfoSec community for more then a decade. I have been an avid reader of them since back in the late 1990s. One of the things I like about the reports is that they list what respondents are using for defense and also include data on the incidents they are reporting. I always found it intriguing that such a high percentage of respondents were using traditional AV, yet were still reporting issues with malware infections.

The Rise and Fall of Traditional AV Effectiveness

Traditional AV improved between 1997 and 2008

In my view, we saw some promise in traditional AV after 1997. At that time, almost everyone using it (90%) were still reporting malware infections (82%). Then the situation improved as we moved into 2008, when the respondents reporting malware infections had fallen to only 50%.  However, no matter how you look at it - it is tough to dismiss the fact that over 90% of organizations were using the technology; yet during its peak performance (2008), 50% were still infected with malware.

In 2007, with 98% of respondents reporting they were using AV, 50% still reported malware issues within their environments. Reading between the lines in the survey data - at its best, traditional AV only reached about 50% effectiveness. That by-and-of-itself was enough to convince me that AV was not the “Holy Grail” that vendors claimed it was in battling malware.

The numbers in 2009 showed that the number of organizations having malware issues jumped to 64% and in 2010 it climbed even higher to only 76%. Paying for those AV subscriptions and consuming all of the overhead in CPU cycles, the comparison of incoming packets to a growing mountain of AV signatures within the infrastructure resulted in 76% of AV users still reporting malware issues within their organizations in 2010. Not a great statistic.

Sorry AV Vendors, But the Cloud Will Not Solve Your Signature Issue

So with the writing on the wall that relying on traditional AV as a defense was a failure, vendors quickly pointed to the cloud as the solution.  Nearly every AV vendor today is hyping up their cloud-based AV product as the next generation in AV technology. While moving the signature DB to the cloud might improve the speed at which you can push out updates, it does not solve the underlying issue – you simply can not filter your way to a safe and secure Internet connection.  I publicly stated that it would only be a matter of time before the bag guys figured out a way to bypass the cloud database used by AV vendors…. unfortunately for users it was a very short time. Breaking news:

Chinese Trojan targets cloud-based AV technologies

The location of the database is not the issue rather it is the underlying methodology. The number of ways to obfuscate malware to alter the signature / hash is greater than our ability to create signatures and push them out for distribution to users … even when using the cloud to host the database.

It is an Arms Race That You Can’t Win

If you want to solve your malware issue, then stop relying on recognition of every possible awful thing that a hacker can send down your Internet connection as your first and often only layer of protection. It is simply bad math; you’re outnumbered, they have more resources. It is too easy to obfuscate the payload so that it will not match the vendors’ signature / hash. We need to change the underlying methodology from blocking all that is bad to only allowing what we know is good and trusted.

The only viable solution in this environment is the use of whitelisting / application control, which only allows code that is administratively permitted and proven to be trusted to execute within our environments. I don’t know what your thoughts are but in my opinion, it isn’t rocket science: AV cannot keep up with malware signatures no matter where they store the database. Whitelisting blocks malware without needing any malware signature. That’s better maths.

Originally posted here.