The art of disrespecting AV (and other old-school controls)
December 3, 2013 in Compromise Detection, Forensic Analysis, Malware Analysis, Preaching
Update
Thanks to Kurt Wismer for pointing out a mistake re: false vs. true negatives; I have corrected it below
Old post
Every once in a while I hear peopleĀ whining commenting about antivirus solutions:
- “It’s outdated”.
- “It’s a resource hog”.
- “Let’s get rid of it”.
- “It didn’t detect the malware XYZ.”
I sometimes do it too, but… I would never ever remove AV from the company environment. It’s easy to say AV is no longer necessary, or ‘doesn’t work’ . It’s also very tempting to apply one’s localized context of their (often smaller) environment to pretty much every possible situation, but… it just doesn’t work this way.
Let the preaching begin.
What is an antivirus and its role in your environment?
Putting sales BS away, one can say that:
The antivirus’ role in your environment is to:
- detect known malware using specific patterns/signatures, algorithms, etc.
- detect unknown malware using heuristics (wildcard/regular expressions, behavioral analysis, file reputation, etc.)
and block/remove it
The ‘known malware’ is an easy bit. You know it, you block it (or kill it).
The ‘unknown malware’ bit is often the major reason for whining, but we should all know that AV is not a ‘cure it all’ solution and there is no algorithm in the world that will allow to detect every single malware. Nearly 30 years ago Fred Cohen prove that detection of viruses is undecidable. The proof will probably make you scratch your head a little, but the beauty here is in its simplicity.
To catch up with the reality, we can expand our definition and say:
The antivirus’ role in your environment is to:
- detect known malware using specific patterns/signatures, algorithms, etc.
- detect unknown malware using heuristics (wildcard/regular expressions, behavioral analysis, file reputation, etc.) with the highest possible rate, but with NO expectation of detecting every single malware out there
and block/remove it
Statement like this is far more realistic – people who support this are at least aware of AV weaknesses.
Still, such statement omits one yet very important bit.
The antivirus role in your environment is also NOT to detect non-malicious files.
Ever heard of False Positives?
The availability heuristic makes a lot of people talking critically about AV to focus on the following:
- False Negatives (malware is missed)
- False Positives (good file is incorrectly detected as malware).
followed by the obvious:
- True Positives (malware is detected)
What about True Negatives?
The number of these is tremendous. The thing is, they are NOT reported.
You probably chuckle now. How can we even take it into consideration? After all, we are not paying AV for NOT detecting stuff!
You see, with a decent AV on your system every single operation you do one way or another triggers a background AV check. And it is a far more complex task NOT to trigger on stuff, than to trigger on a very specific pattern. This is especially true for heuristic detections. And this is not to justify AV missing stuff by saying ‘but it’s not detecting the good stuff’. It is just a picture is not full without this bit. If it doesn’t make sense – think of all the posters in Las Vegas showing the casino winners. And then try imagining what would happen if they put the posters of all the losers as well. This is an error of availability at work.
So far we have got:
The antivirus role in your environment is to:
- detect known malware using specific patterns/signatures, algorithms, etc.
- detect unknown malware using heuristics (wildcard/regular expressions, behavioral analysis, file reputation, etc.) with the highest possible rate, but with NO expectation of detecting every single malware out there
and block/remove it. The antivirus role in your environment is also NOT to detect non-malicious files.
I guess that’s it.
On a high-level, AV is just one of available security controls that is imperfect by its nature. Interestingly, individual malware detection kinda lost its ‘whoaw’ impact over the years. Malware detections are quoted in groups of hundreds, thousands, and more – and reported in ‘spikes’ on monthly basis. So, right there, in front of our very own eyes we have a proof of AV actually working, and working very well, yet a few missed detections occupy our mind enough to dismiss the benefits of using it. It is true that even a single malware NOT detected can be a game over, but the alternative cost of NOT having AV installed means the chances for game over increase dramatically as its multiplied by hundreds, thousands detection for your average mid-size to large company.
Let’s say it one more time: any single piece of malware that AV detects makes your company more secure.
And about all these neglected hundreds, thousands and more detection reported on monthly basis?
Don’t just stare at the charts. Use it.
In my recent post I mentioned SCCM. AV logs from across the whole company are very useful in finding patterns of malicious campaigns, characteristic patterns, and so on and so forth. The infamous ‘invoice’, ‘fedex’, ‘ups’, campaigns often end up with malware being deployed in a very similar fashion. With such internal intel that can be very quickly pulled from any enterprise-level AV product, it’s very easy to combine it with SCCM and other controls to form a solid detection ‘umbrella’.
The list below shows a few things you can do with AV logs alone:
- run statistics – pick up systems that are infected over and over again, investigate
- find systems with detections coming from removable devices – block access to removable devices for repeating ‘offenders’
- find systems with recurring detections – request rebuild/forensics if you see malware being picked up on the same system many times; AV may be struggling to remove it
- find systems infected with a highly sophisticated malware (ZeroAccess, rootkits, etc.) – request rebuild/forensics
- find file names / patterns of detected malware – use it in SCCM queries
- eyeball the ‘detected & removed’ alerts – most of people ignore the ‘detected & removed’ – once in a while you will find hacking tools, password/information stealers, etc. – these systems are the ones you should be looking at; there may be something juicy stolen from these systems; request credentials changes; these systems may be also compromised by other malware
- correlate alerts looking at the host names and cross-reference them with a list of important systems – domain controllers, web servers, systems that belong to C-level guys, admins, etc. – anything that processes sensitive data / is a part of a highly critical infrastructure is of an interest
- cherry-pick systems, fetch samples from Quarantine, run them via sandboxes
The list can go and on.
I would argue that lots of conversations about threat intel, security analytics, clustering, etc. often miss the basic fact that the ‘old-school’ enterprise products provide both data and tools to run lots of correlations and they do it ‘natively’ without any need for BIG DATA solutions or external input.
You heard it right. You can do IR work w/o buying new security controls!
In fact, if you have an AV, proxy/firewall and DNS logs as well as SCCM access you have at your hands most of the data needed to discover a compromise, or a malicious infection. SCCM and AV helps with host analysis, proxy/firewall and DNS with network analysis.The early daily stats can be done with Excel, grep and a bit of scripting. This can be always automated later.
Preaching ends here 