The Death of Endpoint Antivirus?
Don’t make the mistake of believing you can rely solely on native security mechanisms for defense. The economics of compromising such an ecosystem are on the side of the attackers.
Back when the earth was still cooling, I worked at Microsoft. In the very earliest days of Hyper-V, when Virtual PC was still a brand, I received training from one of the specialists there. I recall him speaking about ‘enlightened’ operating systems: those which knew they were being virtualized. Another thing he said which stuck with me was “heaven help us when the malware authors realize this is possible.”
Even in the very earliest days of sandboxing, it was clear what he meant, and it turned out to be the most prophetic thing that anyone has ever said to me. Polymorphic malware which detects the presence of debuggers and virtualization technologies seems to be virtually a de facto standard today - at least among sophisticated authors who want a real chance of their malware running unmolested in the “real” world.
This made me turn my attention to the notion of situational awareness among the bad guys. Recognized as a strategic non-negotiable by the police, military, air traffic control and firefighters, situational awareness is now given maximum priority by attackers. Proactive reconnaissance of the target landscape before even attempting an inroad into a target system is absolutely the order of the day.
This means that the typical components of production infrastructures are held in hackers’ laboratories and tested 24/7. They’re exploring zero-day vulnerabilities, documenting the quirks of the file system, understanding the logging mechanisms and, yes, mapping the protection mechanisms built into the operating systems. Once you can frustrate the native security mechanisms of the target OS, you have a hall pass. More than that, you have a hall pass for a building where the monitors are tied up in the basement.
Given how comprehensively criminals now understand operating systems and how corporations customize them, it makes no sense to me to rely solely on native security mechanisms. It absolutely contradicts the (sound) principles of Defense in Depth. Once an attacker has tested and fingerprinted the antivirus solution that the operating system ships with, he can very easily circumvent and frustrate it. He has effectively dealt with two layers of the landscape, but with one set of tests.
The economics of compromising such an ecosystem are again on the side of the attacker.
When I hear about organizations discussing the possibility of removing third party solutions in favor of native antivirus, a conversation about Defense in Depth is often all it takes to make them reconsider.
However, I could also mention the fact that the best modern antivirus solutions are ‘microscopic’ Defense in Depth ecosystems of their own. They include Intrusion Protection Systems that detect irregular patterns of behavior, protecting against threats like WannaCry before they even reach the OS. They include precision-crafted mechanisms that detect thousands of nasties per signature, and when you’re dealing with over a million new malware variants a day, this is a very good thing.
Real Defense in Depth
The top anti-malware solutions understand how applications should behave, and recognize when malicious entities are attempting to masquerade as trusted components. They protect the protection mechanisms themselves: the AV solution, the Security Manager in Java and the Structured Exception Handlers in Windows. They prohibit applications from commandeering running processes in an attempt to get under the radar. They even prevent applications like Acrobat Reader from spinning up executable content or running PowerShell scripts. With additional controls, they can enforce the use of specific USB keys and blacklist particular applications that are known not to be needed for the system to operate.
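As an added illustration of the behavioral controls just described (example code written for this page, not the logic of any vendor's product), the following Python applies three rules to process-creation events: a document handler spawning a script host or shell, a binary executing from a user-writable directory, and a command line that tries to stop a protected security service. The event layout, the directory markers and the service name ExampleAVService are assumptions, and the sample events are constructed.

```python
"""Parent/child and command-line rules over constructed process-creation events.

Added example for this page, not code from the original post or any AV product.
The event fields (pid, image, parent_image, cmdline) are an assumed simplification
of a process-creation log record; the sample events below are constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Constructed sample events: a PDF opened from Explorer, a hidden PowerShell
# launched by the reader, a dropped binary in Temp, an attempt to stop the AV
# service, and an ordinary interactive PowerShell session.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 4012, "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"AcroRd32.exe" C:\Users\alice\Downloads\invoice.pdf'},
    {"pid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"pid": 4133, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"update.exe /silent"},
    {"pid": 4150, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r"cmd.exe /c sc stop ExampleAVService"},
    {"pid": 5200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Users\alice\Documents"},
]

# Applications that render documents and have no business launching shells.
DOCUMENT_HANDLERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe",
                     "powerpnt.exe", "outlook.exe"}
# Script hosts and shells that a compromised document handler typically launches.
SCRIPT_AND_SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directory fragments an ordinary user can write to (matched against lowercased paths).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Assumed placeholder name for the security service the product protects.
PROTECTED_SERVICES = {"exampleavservice"}
# Matches "sc stop <svc>", "net stop <svc>" and "taskkill [/f] /im <image>".
SERVICE_STOP_RE = re.compile(
    r'\b(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+(?:/f\s+)?/im)\s+"?([\w.\-]+)',
    re.IGNORECASE)


def _basename(path: object) -> str:
    return ntpath.basename(str(path)).lower()


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule this event trips; an empty list means no alert."""
    hits: List[str] = []
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    image_path = str(event["image"]).lower()
    cmdline = str(event["cmdline"])

    # Rule 1: a document handler spawning a script host or shell.
    if parent in DOCUMENT_HANDLERS and image in SCRIPT_AND_SHELL_HOSTS:
        hits.append("document_handler_spawned_script_host")

    # Rule 2: code executing from a directory the user (and therefore malware) can write to.
    if any(marker in image_path for marker in USER_WRITABLE_MARKERS):
        hits.append("execution_from_user_writable_path")

    # Rule 3: a command line that tries to stop a protected security service.
    match = SERVICE_STOP_RE.search(cmdline)
    if match and match.group(1).lower() in PROTECTED_SERVICES:
        hits.append("protected_service_stop_attempt")
    return hits


def scan(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Run every event through the rules and return (pid, rule) pairs in log order."""
    return [(int(ev["pid"]), rule) for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, the benign PDF launch and the interactive PowerShell session produce no alerts, while the reader-spawned PowerShell, the binary in Temp and the service-stop command each trip one rule. A real product keys on the full process ancestry and on signer identity rather than on image names alone, which is why rules like these are one layer among several rather than a replacement for the others.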
Having acknowledged the value of machine learning in keeping up with such rapidly proliferating threats, the best AV software runs samples against decision trees that have successfully categorized over a hundred million good and bad pieces of code. It also refreshes those algorithms every three weeks to account for new methods used by attackers and novel attempts to trick the existing logic.
The very best AV solutions can detect and analyze packed or encrypted malware. They supply specific conditions to convince even ‘enlightened’ malware that it is safe to decrypt its payload, and then execute it under a million-watt spotlight.
Taking advantage of the ubiquity of reliable connections to the cloud, quality AV solutions can also leverage vast intelligence sources online. These sources comprise hundreds of man-years of research as well as telemetry from hundreds of millions of endpoints, and they give the highest visibility to machines which could never host such vast databases themselves.
The most cutting-edge solutions also leverage advanced detection by placing deceptive capabilities on the endpoints. This means that the most sophisticated malware or human attacker who has got that far must then navigate a dense mesh of fake information before moving to the next stage of the campaign.
When I speak to customers about Defense in Depth, I suggest to them that a native AV solution represents the same defense layer as the system it protects. The very best third-party AV solutions offer at least NINE separate layers, all independent and each needing to be breached before the next needs to be tackled. This is what best of breed means to me, from an endpoint perspective.
Anyone seriously considering natively protecting their desktop estate should consider this. Attackers understand ingress vectors better than 99% of even the most skilled IT teams. The more pitfalls, pressure sensors and tripwires you can put in their way, and the more intelligence underpinning them, the better.