| Data Security Viruses, Firewalls and Safe computing |
| Study: Antivirus Software Catches About Half Of Malware, Misses 15 Percent Altogether
Written by Daniel
Tuesday, 03 March 2009

Newly released data from Damballa finds nearly 5 percent of machines in enterprises are bot-infected
Mar 02, 2009 | 02:43 PM
By Kelly Jackson Higgins
DarkReading

About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware -- even within organizations running up-to-date antimalware tools, according to new data from Damballa. [Front page...]
__________________ "Though all men live in ignorance before mystery, they need not live in darkness... Justice is foundation and ETERNAL." DKE "All that we do is touched by Ocean Yet we remain on the shore of what we know." Richard Wilbur
| ||||
| I'm going to get on my soapbox now.

This merely firms my belief that anti-virus software is overrated. It can't keep in step with the number of malicious programs that are introduced each day, and isn't able to be proactive. It is only as effective as the last virus definitions it has.

Anyone serious about security should be using three things: HIPS-type behavioral software [which has the capability of being proactive; it doesn't need definitions], a firewall, and most importantly, good, safe surfing habits. How you get members of an organization to use the third thing is completely beyond me, though.

I haven't run resident anti-virus in over two years. I find them to be clunky, bloated, and only marginally effective - with the exception of my favorite, NOD. I do run on-demand scans regularly, and have not had a virus infection in any of my machines in all of that time. Remember that I run 2 Internet shops; that means that Joe Customer comes in and surfs where he wants. He plugs in his thumb drive [God knows where it's been]. He isn't employing safe surfing habits [for sure].

Here's why [unashamed plug for a great product here]:

SoftSphere Technologies, the official site of the DefenseWall HIPS - Host Intrusion Prevention System - Sandbox, Virtualization, Anti-Spyware, Anti-Rootkit, Anti-Malware, Anti-Keylogger

And their forums, where the developer himself is present daily:

Gladiator Security Forum -> SoftSphere Technologies Support Forums

I am fairly intimate with this software; I have been a beta-tester for some time now, and I can say that it does everything it says it can. It has a small footprint, and won't affect your normal operations. In fact, it requires very little setup and you will most likely forget it's there after a while. It only requires you to understand the trusted-untrusted rules model and how to use it. And the support is second to none on the forum, with most problems addressed in a matter of hours.

It's not free, but there is a fully functional trial on the website. Check it out, and ask me if you need more info.
__________________ #1: Tt Armor, ASUS Maximus Extreme, Q6600@3.6G, 2G Corsair Dominator DDR3-1800, Tagan BZ900W, H2O by Swiftech, 2xLeadtek 9600GT, 2xRaptor 150G RAID0, Logitech G15/G5, XP SP3 #2: Tt Shark, ASUS A8N32-SLI Deluxe, Opteron 185@3.15G nude, 2G Corsair XMS, Tt ToughPower750, H2O by Tt, 2xASUS 8800GT, 2xRaptor 74G RAID0, Raptor 150G, Sidux "Moros", BFS Kernel #3, #4: Opteron 170@2.75G nude, A8N-SLI Deluxe, Ubuntu 9.04.......#5: A64x2 4800+@2.8G.......#6-40: Pentium D 3.0G Last edited by ThunderRd; 3rd March, 2009 at 10:30 PM. |
| ||||
| Quote:
The HIPS would let you know that something wants to execute, and would ask you if it is OK. Of course, answering this question *correctly* requires a knowledge of your own system.

Some HIPS, like Core Force and Neoava, are somewhat chatty, and require a fair amount of user interaction. DefenseWall is an example of a HIPS that doesn't need as much interaction, and is a good introduction to layered security. It is different because of the basic trusted/untrusted model.

I don't pretend to be an expert here, and welcome any comments pro or con. I know only what I know, and I am *personally* convinced that we can be SAFER by using the above strategy, rather than blindly relying on commercial anti-virus programs.
| ||||
| The biggest issue that I see is that HIPS, AV and other similar software are all sticking plasters to cover up problems within the OS security model and processor hardware. Not all malware is designed to be written to disk - there are a number of examples that are designed to execute in the process space of whatever they've attacked. These don't write themselves to disk, and there's no clicking on them to start them. JavaScript-based malware served over SSL is an example - especially as it's designed to remain within the web browser, rather than affect other programs. That still gives it the capability of intercepting data entered into a web browser.